Phishing Simulation
Most phishing emails that reach your employees are never reported. Our CREST-accredited analysts run realistic phishing simulation campaigns (spear phishing, credential harvesting, CEO fraud) then turn every click into a teachable moment. Managed end-to-end, from campaign design to quarterly reporting. From £3,750.
Why Your Organisation Needs a Phishing Simulation Programme
Phishing remains the primary delivery mechanism for ransomware and data breaches. No mail filter stops every message, so your employees are the last layer of defence, and simulated phishing attacks are the most direct way to measure and improve that layer.
Average Phish-Prone Rate
Average UK organisation starting phish-prone percentage before any simulation programme begins.
Phishing as Breach Vector
Of all cyber attacks begin with a phishing email. The single most common initial access technique for ransomware and data theft.
Post-Programme Rate
Average phish-prone percentage after 12 months of managed simulation with quarterly review cycles.
Measurable Behaviour Change, Not Theoretical Knowledge
The difference between passive e-learning and a managed phishing simulation programme, measured across 12 months of continuous testing.
No Managed Programme
Managed Simulation Programme
Phishing Simulation Methodology:
Analyst-Led, Not Algorithm-Generated
Every campaign is designed by a CREST-accredited security analyst, not generated by a platform algorithm. We expose your employees to safe, realistic threats grounded in current attacker techniques to build genuine threat recognition and measurable behaviour change.
Spear Phishing Simulation
Our analysts conduct OSINT reconnaissance before designing campaign scenarios, using the same publicly available information (LinkedIn profiles, Companies House filings, company news) that real attackers exploit. The result is a spear phishing simulation that reflects genuine threat actor behaviour, not a generic template.
Credential Harvesting
We clone realistic login pages (Microsoft 365, Google Workspace, VPN portals) to simulate credential harvesting attacks. When a user submits credentials, we record the event (not the password), redirect them to a teachable moment, and flag the account in the campaign report.
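The following is an added example of the submission handler behind a credential-harvesting landing page; it is not Precursor's platform code. It assumes a hypothetical layout: the cloned form POSTs `username` and `password`, each campaign link carries a per-recipient token in the `rid` query parameter, the teachable moment is served at `/learn/<scenario>`, and events are kept in an in-memory list. The recipient table and identifiers are constructed. The point it demonstrates is the one made above: the event is recorded, the password is not.

```python
"""Credential-harvesting submission handler for a phishing simulation landing page.

Added example, not Precursor's platform code. Assumptions (all hypothetical):
the cloned login form POSTs `username` and `password`; every campaign link
carries a per-recipient token in the `rid` query parameter; the teachable
moment is served at /learn/<scenario>; events go to an in-memory list.
"""
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample: link token -> (recipient id, department, that person's real login)
RECIPIENTS = {
    "t-4f2a": ("r-1001", "Finance", "a.jones@example.co.uk"),
    "t-9c1e": ("r-1002", "HR", "b.khan@example.co.uk"),
}
EVENTS: list[dict] = []  # stand-in for the campaign event store


@dataclass(frozen=True)
class SubmissionEvent:
    campaign_id: str
    scenario: str
    recipient_id: str
    department: str
    submitted_at: str
    username_entered: bool
    username_is_own_account: bool  # typed their own work login, i.e. a real compromise
    password_entered: bool         # we record that something was typed, never what


def handle_submission(campaign_id: str, scenario: str, query: dict, form: dict
                      ) -> tuple[Optional[SubmissionEvent], str]:
    """Turn one POST into an event plus the redirect target.

    The password field is inspected only to set `password_entered`; it is never
    stored, logged or hashed. Unknown tokens (link scanners hitting a guessed
    URL, forwarded links with the token stripped) still get the teachable moment
    so the page behaves identically, but produce no event.
    """
    redirect = f"/learn/{scenario}"
    token = query.get("rid", [""])[0]
    target = RECIPIENTS.get(token)
    if target is None:
        return None, redirect
    recipient_id, department, real_login = target
    username = form.get("username", [""])[0].strip()
    password = form.get("password", [""])[0]
    event = SubmissionEvent(
        campaign_id=campaign_id,
        scenario=scenario,
        recipient_id=recipient_id,
        department=department,
        submitted_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        username_entered=bool(username),
        username_is_own_account=username.lower() == real_login,
        password_entered=bool(password),
    )
    del password  # nothing after this line can reach the plaintext
    EVENTS.append(asdict(event))
    return event, redirect


def compromised_accounts(events: list[dict]) -> set[str]:
    """Recipient ids to flag in the campaign report: a password was submitted."""
    return {e["recipient_id"] for e in events if e["password_entered"]}


class LandingPage(BaseHTTPRequestHandler):
    campaign_id = "camp-example"  # hypothetical identifiers
    scenario = "m365-login"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        query = parse_qs(urlparse(self.path).query)
        _, redirect = handle_submission(self.campaign_id, self.scenario, query, form)
        self.send_response(303)  # POST -> GET so a browser refresh cannot resubmit
        self.send_header("Location", redirect)
        self.end_headers()

    def log_message(self, fmt, *args):
        return  # the default access log would echo the path (and token) to stdout


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LandingPage).serve_forever()
```

Two design points worth keeping whatever platform you use: the handler redirects with a 303 so the browser never re-POSTs the form on refresh, and the default request logger is silenced because it would otherwise write the per-recipient token to stdout, which is a second place the submission would have to be scrubbed from.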
Attachment Payload Testing
Safe simulation of malicious attachments (Word macros, PDFs, HTML smuggling) to test whether users open them and whether your endpoint defences (EDR/Antivirus) detect the intrusion attempt.
CEO Fraud & BEC Simulation
Business Email Compromise scenarios targeting finance approvers, executive assistants, and HR. We test whether your verification procedures hold under impersonation pressure from spoofed C-suite emails requesting urgent wire transfers, payroll changes, or data exports.
Teachable Moments
When a user fails a test, they are immediately presented with a teachable moment: a clear, educational landing page explaining what they missed and how to identify the real threat next time. This in-context learning drives measurable behaviour change, not theoretical knowledge that is forgotten within hours.
Campaign Reporting & Metrics
Every campaign produces a structured report covering open rates, click rates, and compromise rates. Quarterly trend analysis tracks phish-prone % reduction over your programme lifecycle. Reports are formatted for board presentation and auditor submission.
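As an added illustration of how those figures are derived (example code, not Precursor's reporting pipeline), the block below computes open, click, compromise and report rates plus the phish-prone percentage from a flat list of tracking events, breaks the phish-prone figure down by department rather than by individual, and gives the quarter-on-quarter trend. The event schema and the sample rows are constructed; the only assumption that matters is that each recipient appears once per campaign with a "delivered" event.

```python
"""Campaign metrics from per-recipient tracking events.

Added example, not Precursor's reporting code. Assumes a flat event list of
(campaign, recipient_id, department, event) tuples where event is one of
delivered / opened / clicked / submitted / reported. The schema and the rows
below are constructed for illustration.
"""
from collections import defaultdict

EVENTS = [
    # constructed Q1 baseline: three clicks, one credential submission, one report
    ("2024-Q1", "r-1", "Finance", "delivered"), ("2024-Q1", "r-1", "Finance", "opened"),
    ("2024-Q1", "r-1", "Finance", "clicked"),   ("2024-Q1", "r-1", "Finance", "submitted"),
    ("2024-Q1", "r-2", "Finance", "delivered"), ("2024-Q1", "r-2", "Finance", "opened"),
    ("2024-Q1", "r-2", "Finance", "clicked"),   ("2024-Q1", "r-2", "Finance", "clicked"),
    ("2024-Q1", "r-3", "Finance", "delivered"), ("2024-Q1", "r-3", "Finance", "reported"),
    ("2024-Q1", "r-4", "HR", "delivered"),      ("2024-Q1", "r-4", "HR", "opened"),
    ("2024-Q1", "r-5", "HR", "delivered"),      ("2024-Q1", "r-5", "HR", "opened"),
    ("2024-Q1", "r-5", "HR", "clicked"),
    ("2024-Q1", "r-6", "HR", "delivered"),
    # constructed Q2: one click, no submissions, three reports
    ("2024-Q2", "r-1", "Finance", "delivered"), ("2024-Q2", "r-1", "Finance", "opened"),
    ("2024-Q2", "r-1", "Finance", "clicked"),
    ("2024-Q2", "r-2", "Finance", "delivered"), ("2024-Q2", "r-2", "Finance", "reported"),
    ("2024-Q2", "r-3", "Finance", "delivered"), ("2024-Q2", "r-3", "Finance", "reported"),
    ("2024-Q2", "r-4", "HR", "delivered"),
    ("2024-Q2", "r-5", "HR", "delivered"),      ("2024-Q2", "r-5", "HR", "opened"),
    ("2024-Q2", "r-5", "HR", "reported"),
    ("2024-Q2", "r-6", "HR", "delivered"),
]


def _recipients(events, campaign, kind):
    """Unique recipients with at least one `kind` event in `campaign`.

    Counting recipients rather than events means a user who clicked twice
    (r-2 in Q1 above) is one phish-prone user, not two."""
    return {r for c, r, _, e in events if c == campaign and e == kind}


def campaign_metrics(events, campaign):
    """Rates as a percentage of recipients the campaign actually reached."""
    delivered = _recipients(events, campaign, "delivered")
    if not delivered:
        raise ValueError(f"no deliveries recorded for {campaign}")

    def pct(group):
        return round(100 * len(group & delivered) / len(delivered), 1)

    clicked = _recipients(events, campaign, "clicked")
    submitted = _recipients(events, campaign, "submitted")
    return {
        "delivered": len(delivered),
        "open_rate": pct(_recipients(events, campaign, "opened")),
        "click_rate": pct(clicked),
        "compromise_rate": pct(submitted),
        "report_rate": pct(_recipients(events, campaign, "reported")),
        "phish_prone_pct": pct(clicked | submitted),
    }


def department_breakdown(events, campaign):
    """Phish-prone % per department; the report never descends to named individuals."""
    by_dept = defaultdict(list)
    for row in events:
        if row[0] == campaign:
            by_dept[row[2]].append(row)
    return {d: campaign_metrics(rows, campaign)["phish_prone_pct"]
            for d, rows in sorted(by_dept.items())}


def trend(events):
    """Phish-prone % per campaign in order, plus the point reduction first to last."""
    campaigns = sorted({row[0] for row in events})
    series = [(c, campaign_metrics(events, c)["phish_prone_pct"]) for c in campaigns]
    return series, round(series[0][1] - series[-1][1], 1)


if __name__ == "__main__":
    for camp in sorted({row[0] for row in EVENTS}):
        print(camp, campaign_metrics(EVENTS, camp), department_breakdown(EVENTS, camp))
    print("trend", trend(EVENTS))
```

One caveat that is easy to miss when building this yourself: mail gateways that sandbox URLs will fetch the tracking link before any human sees the message. Those fetches must be excluded (by user agent, by timing, or by the scanner's source ranges) before they are counted as clicks, or the click rate and phish-prone figure will be inflated. Open tracking depends on a remote image load and is the least reliable of the five rates; the report rate is the one that tells you whether the culture of reporting described on this page is actually forming.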
Phishing Awareness Training for Compliance
Every phishing simulation campaign produces audit-grade evidence of staff awareness training. Our reports map directly to the specific framework clauses your auditor, insurer, or regulator requires.
Cyber Essentials
Documented phishing simulation programme with measurable improvement satisfies the user awareness requirement
ISO 27001:2022
Information security awareness, education, and training: simulation-based evidence of ongoing staff awareness training
ISO 27001:2022
Protection against malware: tests real-world effectiveness of human controls under social manipulation
GDPR
Appropriate technical and organisational measures: documented awareness programme demonstrates accountability
PCI DSS v4.0
Security awareness programme: provides testing evidence required for Qualified Security Assessor review
Cyber Insurance
Many UK cyber insurance policies now require evidence of an active phishing awareness training programme
Globally Accredited Consultants
All campaigns are designed and reviewed by CREST-accredited analysts.
How a Phishing Simulation Programme Works
From baseline to culture change. A managed service to reduce your phish-prone percentage.
Reconnaissance
We profile your organisation using open-source intelligence: email naming conventions, public-facing staff, LinkedIn roles, and technology footprint. The output shapes realistic, targeted pretext scenarios.
Infrastructure & Landing Page Creation
We register lookalike domains and publish SPF and DKIM records for them so the simulation mail authenticates cleanly (unauthenticated mail from a fresh domain is an easy filter hit). Where the scenario calls for it, the credential-harvesting landing pages use adversary-in-the-middle (AiTM) proxy techniques to capture a login even where MFA is enforced; push and one-time-code MFA do not stop a proxied session, only phishing-resistant methods such as FIDO2 do. As with every credential-harvesting page, the submission is recorded as an event and the password itself is not stored.
Delivery
Phishing emails are deployed to your target population. The sending infrastructure is built to reach the inbox rather than the spam folder without allow-list changes on your side, so the campaign measures the user and not the mail filter; if you choose to allow-list our sending domains instead, deliveries no longer reflect real attacker conditions and the report should say so. Clicks, credential submissions, and MFA token captures are tracked in real time.
Reporting
A structured report details click rates, compromise rates, credential and MFA token submissions, and a teachable moment walkthrough for each scenario. Findings are formatted for board presentation, auditor submission, and the next campaign cycle.
First Campaign Live Within 5 Business Days
From scoping call to live phishing simulation in under a week. No hardware, no software deployment, no internal technical effort.
Scoping & Brief
30-minute scoping call to agree target groups, campaign timing, and scenario types.
Configuration
Domain registration, infrastructure setup, credential-harvesting page creation, and campaign scheduling. No internal effort required.
Campaign Live
First phishing simulation emails delivered to employee inboxes. Results are viewable in real time via our penetration testing portal as findings are recorded.
What You Get
Every phishing simulation programme includes the following deliverables, formatted for both technical teams and non-technical board-level stakeholders.
Reports are available via our interactive penetration testing portal.
Close the Loop.
Beyond the Click.
Phishing simulation measures the human layer. Pair it with our 24/7 Managed SOC and full social engineering testing to close the gap between awareness training and real-world attack resilience.
Social Engineering Testing
Full-scope vishing, physical intrusion, and pretexting beyond email-only simulation.
Managed Detection & Response
24/7 SOC monitoring to detect when a real phishing attack bypasses your human layer.
Microsoft 365 MDR
Detect credential compromise, mail forwarding rules, and OAuth consent grants in real time.
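The three signals named above are the ones a real phish leaves behind once a user has been compromised. As an added illustration (example code, not Precursor's MDR tooling), the block below runs a small rule set over records in the general shape of Microsoft 365 Unified Audit Log entries: external mail forwarding set through inbox rules or mailbox settings, user consent grants that include mail-reading scopes, and either of those escalated when it shares a source IP with a recent login from outside the organisation's known egress. The records, internal domains and egress addresses are all constructed; exact field contents in the real log vary by operation, so treat the field names as assumptions to check against your own export.

```python
"""Flag post-phish persistence in Microsoft 365 audit records.

Added example, not Precursor's MDR tooling. Input records follow the general
shape of Microsoft 365 Unified Audit Log entries (CreationTime, Operation,
UserId, ClientIP, Parameters as Name/Value pairs, ModifiedProperties); the
exact field contents, the sample records, and the internal-domain and
known-egress lists are constructed placeholders.
"""
import re
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the tenant's own domains
KNOWN_EGRESS = {"203.0.113.10"}       # assumption: corporate egress IPs
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"}
FORWARD_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDE_KEYS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}
EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w.-]+)")
CLAIM = re.compile(r"ClaimValue:\s*([\w.]+)")

SAMPLE = [  # constructed records
    {"CreationTime": "2024-03-04T08:55:10", "Operation": "UserLoggedIn",
     "UserId": "a.jones@example.co.uk", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2024-03-04T09:02:31", "Operation": "New-InboxRule",
     "UserId": "a.jones@example.co.uk", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "\"collector\" [SMTP:collector@mail-archive.example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T09:30:00", "Operation": "New-InboxRule",
     "UserId": "b.khan@example.co.uk", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "From", "Value": "billing@example.co.uk"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2024-03-04T10:12:45", "Operation": "Consent to application.",
     "UserId": "c.lee@example.co.uk", "ClientIP": "203.0.113.10", "ObjectId": "app-7d2e",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "[] => [[Id: 1, ClaimValue: Mail.Read, Type: Scope], "
                      "[Id: 2, ClaimValue: offline_access, Type: Scope]]"}]},
]


def _params(rec):
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def _external(value):
    """True if any address in the parameter value is outside our own domains."""
    return any(d.lower() not in INTERNAL_DOMAINS for d in EMAIL_DOMAIN.findall(value))


def _when(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def findings(records):
    """One finding per persistence action. Severity rises to critical when the
    action shares a source IP with a login from outside known egress within an hour,
    which is the shape a session hijacked by a phishing page usually takes."""
    out = []
    foreign_logins = {}  # user -> (ip, time) of the latest login from an unknown IP
    for rec in sorted(records, key=_when):
        op, user, ip = rec["Operation"], rec["UserId"].lower(), rec.get("ClientIP", "")
        if op == "UserLoggedIn":
            if ip and ip not in KNOWN_EGRESS:
                foreign_logins[user] = (ip, _when(rec))
            continue
        reason = None
        if op in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            params = _params(rec)
            targets = [v for k, v in params.items() if k in FORWARD_KEYS and _external(v)]
            if targets:
                reason = f"{op} forwards mail externally to {', '.join(targets)}"
                if HIDE_KEYS & params.keys():
                    reason += " and hides the original"
        elif op == "Consent to application.":
            blob = " ".join(str(m.get("NewValue", "")) for m in rec.get("ModifiedProperties", []))
            risky = set(CLAIM.findall(blob)) & HIGH_RISK_SCOPES
            if risky:
                reason = f"user consented to app {rec.get('ObjectId', '?')} with {sorted(risky)}"
        if reason is None:
            continue
        severity = "high"
        login = foreign_logins.get(user)
        if login and login[0] == ip and _when(rec) - login[1] <= timedelta(hours=1):
            severity = "critical"
            reason += f"; same IP as unrecognised login from {ip}"
        out.append({"time": rec["CreationTime"], "user": user, "op": op,
                    "severity": severity, "reason": reason})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f["severity"].upper(), f["time"], f["user"], f["reason"])
```

The benign rule in the sample (filing internal invoices into a folder) produces nothing, which is the point of keying on external recipients rather than on rule creation itself; inbox rules are created constantly, external forwarding plus deletion of the original almost never legitimately.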
Red Team Operations
Combine phishing with a red team engagement to test the full attack chain from initial access to objective.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Precursor Security's managed phishing simulation starts from £3,750 for a baseline campaign. Ongoing 12-month programmes with quarterly campaigns and review meetings are scoped based on organisation size and campaign complexity. Most mid-market engagements fall between £3,750 and £8,000 per year. Pricing is transparent: we provide a fixed-fee proposal after a 30-minute scoping call.
Yes. Simulation-based training is widely recognised as the most effective form of phishing awareness training because it creates a real-world learning moment rather than a passive watching experience. Regulatory frameworks including Cyber Essentials, ISO 27001 (Annex A.6.3), and GDPR's accountability principle accept simulation programmes as evidence of staff awareness training when paired with documented results and teachable moment delivery. Precursor provides quarterly reports suitable for submission to auditors and insurers.
Running a phishing test for employees through Precursor involves four steps: (1) a scoping call to agree target groups, campaign timing, and scenario types; (2) infrastructure setup, where we build lookalike domains and landing pages using the latest techniques to bypass spam filters and reach inboxes without requiring allow-list changes; (3) campaign execution, where we send the emails, host the credential-harvesting pages, and record click and submission events; (4) a detailed report showing open rates, click rates, and compromise rates, available via our penetration testing portal.
Phishing is the primary delivery method for ransomware and data breaches. Technical controls (spam filters) miss 10-15% of attacks. Your employees are the last layer of defence. Training them to spot the threat with realistic, repeatable simulations is the most direct way to measure and improve that layer.
Standard phishing simulation sends realistic but broadly applicable email templates to all staff, the equivalent of a mass-market attack. Spear phishing simulation goes further: our analysts conduct OSINT reconnaissance on specific individuals (typically C-suite, finance approvers, and IT administrators), craft bespoke pretexting scenarios using publicly available information, and deliver targeted attacks designed to compromise high-value accounts. Spear phishing simulation is recommended for organisations with existing simulation programmes who want to test their most critical personnel against advanced, targeted threats.
Yes. We build campaign infrastructure using the latest techniques to bypass email filters without requiring allow-list changes on your side. This ensures we are testing the user, not the spam filter, and it reflects how a real attacker operating from an aged, reputable-looking domain would approach your organisation.
Phishing awareness training is a structured programme that helps employees recognise and respond correctly to phishing emails. Unlike traditional security awareness training delivered via videos or quizzes, phishing awareness training uses simulated phishing attacks to create genuine learning moments in context. When an employee clicks a simulated phishing link, they are immediately shown a teachable moment explaining what they missed and how to identify the real threat. This approach produces measurable behaviour change, tracked via phish-prone percentage, rather than theoretical knowledge that is quickly forgotten.
We have a library of templates, but we customise every campaign. Real attackers use context (LinkedIn profiles, Companies House filings, company news), so we do too. A targeted simulation is far more effective than a generic template, and it reflects the standard of threat your organisation actually faces.
No. Our approach is educational, not punitive. The teachable moment is designed to be helpful and constructive. We recommend against naming and shaming users who click. The goal is to build a culture of reporting, not fear. Quarterly trend data is presented at an organisational and department level, not by individual name.
We recommend monthly simulations. Cyber threats change rapidly, and infrequent testing leads to skill decay. Regular, short simulations keep security top-of-mind without disrupting productivity. Organisations that run quarterly campaigns see phish-prone percentage plateau; monthly cadence drives continued improvement.