91% of attacks start with a phishing email.
Controlled, evidence-based phishing simulations that expose real behavioural risk and give you the data to fix it. Departmental risk scoring delivered in 7-12 days.
The situation
You invest in firewalls and endpoint protection. You leave the human element untested.
The numbers
91% of cyber attacks begin with a phishing email (Deloitte, 2024).
3.4 billion phishing emails sent every single day (AAG IT, 2024).
60% of employees click phishing links without training (Proofpoint, 2024).
$4.9M average cost of a data breach caused by human error (IBM Security, 2024).
The gap
Generic annual security awareness training tells your team phishing exists. It does not tell you which departments are actually vulnerable, which individuals are highest risk, or whether your training has measurable impact.
Auditors want behavioural data. Not a certificate of completion.
What you will know
Organisational Risk Quotient: exactly how vulnerable your workforce is, by department and role.
Click rates, credential submission, and attachment execution tracked per individual.
Which departments and roles are highest risk.
Granular interaction metrics showing who engaged, at what depth, and when.
A prioritised Security Awareness Training Roadmap.
Role-specific recommendations your HR and security teams can act on immediately.
Executive Risk Dashboard with before-vs-after benchmarking.
Board-ready and audit-ready from day one.
How it works
Scoping
Define target scope, confirm employee lists, align on attack vectors and emergency contacts.
Campaign design
Spear-phishing templates, credential harvesting portals, and whaling scenarios custom-built for your organisation.
Live simulation
Controlled campaign executed across all target groups. Every interaction logged.
Reporting
Departmental risk scoring, Executive Risk Dashboard, and Remediation Training Roadmap delivered.
Scope
What is included
Simulated spear-phishing campaigns crafted per department.
Credential harvesting assessment with realistic fake portals.
Executive targeting (whaling) for Finance, HR, and C-Suite.
Behavioural depth tracking: link clicks, attachment execution, data entry.
Human Risk Intelligence Report with departmental Risk Quotient.
Click-rate and interaction metrics per individual.
Prioritised Remediation Training Roadmap.
Executive Risk Dashboard for board reporting.
What is not included
Security awareness training delivery (roadmap provided, not execution).
Technical penetration testing (see Web App Penetration Test).
Ongoing monitoring (see Managed Vulnerability Assessment).
Social engineering beyond email (physical, phone, SMS).
Who does the work
Gradion Cybersecurity Practice
Delivered by specialist Red Team (offensive) and Blue Team (defensive) practitioners. Senior security engineers with production experience in regulated industries.
CrowdStrike partnership for CSPM, FEM, and endpoint security tooling.
Why Gradion
Crafted per client, not off-the-shelf
Every phishing template, credential portal, and whaling scenario custom-built for your industry, tooling stack, and employee profile. No recycled generic campaigns.
Behavioural intelligence, not just click rates
We go beyond pass/fail. Reports reveal who clicked, when, why, and at what depth. Actionable human-risk intelligence, not statistics.
Audit-ready evidence
Executive Risk Dashboard and Remediation Training Roadmap accepted as evidence for NIS2, ISO 27001, SOC 2, and board-level reporting.
Phishing Simulation Campaign
Fixed price. No surprises.
Standard
Full phishing simulation campaign. Custom templates. 7-12 days.
- Custom spear-phishing templates
- Credential harvesting assessment
- Executive targeting (whaling)
- Departmental risk scoring
- Executive Risk Dashboard
- Remediation Training Roadmap
Common questions
We already run annual security awareness training. Is this relevant?
Generic annual training does not tell you which departments are vulnerable or whether your training has impact. Our simulation gives you behavioural data, the kind of evidence your auditor actually wants to see.
Will this cause panic or damage morale?
All simulations are non-punitive and educational. When an employee clicks, they receive an immediate, supportive awareness message. Organisations that frame it correctly see engagement improve, not suffer.
We are a small team. Is this worth it?
Phishing attacks do not discriminate by company size. Smaller teams often have less redundancy to absorb a credential breach. The engagement starts from EUR 5,999 and can scope to as few as 20 employees.
How realistic are the simulations?
Very. Templates are crafted to mirror your industry, internal tools, and communication patterns. That is the point: if generic phishing catches employees, targeted attacks will too.
What comes next
Phishing simulation data feeds directly into the Security Compliance Review (EUR 9,999-12,999) as evidence for ISO 27001 and SOC 2 human security controls.
For technical coverage, pair with the Web App Penetration Test (EUR 4,999-6,999) to cover both human and application attack surfaces.
No obligation to proceed. The simulation report stands on its own.
Phishing Simulation: EUR 5,999-6,999
Fill out the form. We confirm availability and scope within 48 hours.
- No obligation. No sales pitch.
- Response within 48 hours.
- Senior practitioner on the call.