Identify the vulnerabilities that open your business up to cyber threats.

Prioritise your cyber security response and budget according to the weaknesses you have and how easily they could be exploited by attackers.

What is an Social Engineering Vulnerability Assessment (SEVA)?

Vulnerabilities are defects that require some sort of remedial action.  Once a vulnerability is discovered it is only a matter of time before attackers can take advantage of it.  The Social Engineering Vulnerability Assessment (SEVA) looks at your organisation’s online footprint and human security, looking for vulnerabilities that could be exploited in a social engineering attack.  We explain in plain English  what information we have found, how an attacker could use it against you and what you need to do to eliminate or minimise the risk.

A Social Engineering Vulnerability Assessment is not as offensive and involved as a full Social Engineering Penetration test.  It is therefore perfect for organisations wishing to identify and remedy potential vulnerabilities but do not wish to have a thorough test of their exposure to social engineering , or who wish to conduct enhanced assessments between penetration tests.

Why have a Social Engineering Vulnerability Assessment?

The ICO recently issued a large fine to the Carphone Warehouse citing “inadequate vulnerability testing & penetration testing” as one justification for the fine.

Social engineering is one of the biggest threats to company security at the moment and the SEVA includes 2 of the most prolific social engineering attack vectors.

GDPR requires you to provide evidence of your commitment to security such as our final report.

Your clients are becoming increasingly aware of cyber security and are impressed by companies that engage in external testing.

It helps you identify where to spend your security budget so you don’t waste money.

The Process

Pre-engagement meeting

The scope of the test is discussed & agreed.  Terms of testing are drawn up & signed.  You have an opportunity to design the social engineering parts of the test.

Threat Modelling

We gather intelligence on your organisation & staff to help us develop our attack vectors.


We test your staff and online presence and formulate a detailed report.

Report and debrief

We write up the report & then present it to you as part of a full debrief.  We make recommendations to improve your security.

Testing elements

Open Source Intelligence

What can we find out about you and your staff online? How would an attacker use this? Is your online footprint too large?

We collect & analyse Open Source Intelligence (OSINT) to mount a convincing attack.

Some of the sources we look at include:

• Corporate website & job adverts

• Document & photo metadata

• Reverse image searches

• Email addresses & enumeration

• Social media, blogs, vlogs

• planning office data

• Geolocation data


Phishing (option)

Email attacks can be easy to spot or sophisticated & targeted. Email is the biggest attack vector being used. Can your staff spot them?

We test employees against 2 levels of phishing attack (an easy one with lots of clues & mistakes & a harder to spot spear phishing attack). This tells us what level of security awareness your staff have.

You can decide whether to use links, attachments or the input of login credentials for the test.

We work with your I.T team to measure the click rate and the reporting rate coming back from your staff. Both are used to calculate the final score for this part of the test.

Vishing (option)

Phone call attack to gather intelligence for another attack. Would your staff hand over valuable information over the phone?

Usually employed by attackers as a reconnaissance tool to gather sensitive information about your organisation before an attack is launched.

A log of the call is made and included in the final report.

Vishing can help test how well your staff follow policies & procedures.

Why choose us?

Subject matter experts speaking at events around the world on cyber security & social engineering.

We specialise in producing high quality reports that translate complicated technical concepts for a non-technical audience to understand.