Phishing & social engineering testing

We design phishing campaigns around your actual organization — your people, processes, and tools — to measure how your team responds to a realistic targeted attack, not a generic template they’d spot in a second.

Sound familiar?

Compliance

An audit or framework requires a social-engineering test.

SOC 2, ISO 27001, or a sector regulator now expects evidence of phishing resilience testing. You need a documented, independent campaign and report that satisfies the requirement.

Customer requirement

A customer wants proof your people can’t be phished into exposing their data.

As their vendor, you hold access to their environment or data. Their security team wants evidence your staff resists targeted phishing — before they’ll trust you with it.

Response, not just clicks

You don’t know if your team would report an attack.

Clicking is half the picture. The question that matters is whether someone raises the alarm fast enough for your SOC to react — and you’ve never put that to the test.

The cost of inaction

68%

of breaches involve a human element — phishing remains the most common way into an organization, across every industry and size.

Under 60 sec

is the median time for a user to click a phishing link and hand over credentials once a convincing, well-timed message lands.

1 reply

is enough. It takes one person, one tailored message, one credential — and the strength of your firewalls stops mattering.

What you should test

Targeted campaigns built around how your people actually work — to measure both who falls for it and who reports it.

Targeted spear-phishing

Messages crafted for specific individuals or teams using real context — names, tools, projects, and timing an attacker would research — to test resilience against a believable, personalized attack.

Business-pretext scenarios

Full scenarios mirroring your actual processes (an invoice approval, an IT migration, an HR or vendor request) to test whether a plausible business story bypasses suspicion.

Techniques & vectors

  • Credential harvesting (fake login)
  • Spoofed / lookalike domains
  • Display-name spoofing
  • Malicious attachment
  • Malicious link
  • Fake document-share / portal
  • OAuth consent phishing
  • MFA-fatigue / push bombing
  • MFA interception (relay)
  • Brand impersonation
  • Internal-sender impersonation
  • Executive / CEO impersonation
  • Vendor / supplier impersonation
  • IT / helpdesk pretext
  • HR / payroll pretext
  • Invoice / payment pretext
  • Calendar & meeting-invite lures
  • Urgency & authority pressure
  • Reply-chain hijack style
  • QR-code phishing (quishing)
  • Account-verification lures
  • Password-reset lures
  • Conditional / staged payloads

Who & what we target

  • Executives & leadership
  • Finance / accounts payable
  • HR & payroll
  • IT & helpdesk staff
  • Engineering / developers
  • Sales & customer-facing teams
  • Procurement / vendor managers
  • New hires
  • Privileged-access holders
  • Admin & support accounts
  • Shared / role mailboxes
  • Specific departments by risk
  • Email gateway & filtering
  • Detection of malicious links/attachments
  • Credential-entry behavior
  • MFA-approval behavior
  • Incident reporting & escalation path
  • SOC / monitoring response time
  • Security-awareness effectiveness
  • End-to-end response workflow

What manual actually means

Most phishing tests stop at a click rate. We treat that as the starting point.

Example: Credential Harvesting

Level 1 — Surface

Generic blast

Typical result for off-the-shelf phishing tools

A generic phishing tool sends a templated "reset your password" email to everyone and counts who clicks.

Level 2 — Standard

Standard test

Typical result for most phishing-test vendors

A standard test stands up a believable login page and captures the credentials of users who submit, then reports a click/submit rate — and stops there, never using what it captured.

Level 3 — Deep

Targeted chain & impact

Typical result for XRAY CyberSecurity

Research your people and tooling, craft a spear-phish impersonating a system your finance or IT team actually uses, capture credentials, relay them to defeat MFA in real time, access the mailbox or SSO, pivot toward internal systems — and demonstrate the full path from one email to real access, plus whether anyone detected or reported it.

Example: Business Pretext (Vendor / Invoice)

Level 1 — Surface

Generic blast

Typical result for off-the-shelf phishing tools

A generic campaign sends a one-size-fits-all "invoice attached" lure to a broad list.

Level 2 — Standard

Standard test

Typical result for most phishing-test vendors

A standard test gets a few recipients to open the attachment or reply to prove the lure lands, logs the numbers — and stops before any real action follows.

Level 3 — Deep

Targeted chain & impact

Typical result for XRAY CyberSecurity

Build a pretext around a real vendor, project, and person, time it to your actual processes, engage finance in a believable thread, drive them toward a fraudulent payment or data handover, and demonstrate the business impact step by step — while measuring how fast your team and SOC catch it.

Custom chains

Every organization has its own way in

Yours is built from your people, processes, tooling, and the context an attacker can research about you.

Sometimes the pretext succeeds end to end. Sometimes an alert employee or control breaks it midway — and we report exactly where, and why.

Either way: you see what an attacker actually sees.

Not sure how your team would handle a targeted attack? Let’s find out — safely.

A senior pentester (not a sales rep) will get back to you with an honest read on what would actually be worth testing.

What you'll receive

Five deliverables — built for the people who'll actually use them: your engineers, your C-level, your auditors, and your insurers.

Sample of XRAY Cybersecurity deliverables: Technical Report, Executive Summary, Retest Report, with Security Certificate on top

Interim Urgent Report

When we find Critical, you find out today.

If we discover a Critical-severity vulnerability mid-engagement that needs immediate attention, you get an alert with reproduction steps and recommended actions. We keep testing, you start remediating in parallel. No waiting until the final report.

For: your engineering team, your CTO

Technical Report

Prioritized findings your engineers can act on the same day.

Every vulnerability with reproduction steps, proof-of-concept exploitation, business impact, and a prioritized remediation roadmap. No false positives. No filler. Built so your developers know exactly what to fix and in what order.

For: your engineers, your CTO, your security team

Executive Summary

What the board and investors actually need to know.

A business-language report covering the security posture of your perimeter, the risks identified, their potential business impact, and the path to remediation. Written for CEOs, boards, investors, and Enterprise procurement teams — not engineers.

For: your CEO, your board, investors, M&A counterparties, and your customers

Retest Report

Verified evidence that the fixes actually work.

After your team remediates the findings, we re-test each one and confirm the fixes hold under the same exploitation attempts. The updated report is your proof that the vulnerabilities are actually closed — not just patched on paper.

For: your auditors, your Enterprise customers

How we deliver on your goals

Industry-standard methodologies, executed by senior engineers.

Standards

Methodologies we follow

  • OWASP
  • PTES
  • NIST SP 800-115
  • MITRE ATT&CK

Compliance pentest requirements we satisfy

  • SOC 2
  • ISO 27001
  • GDPR
  • HIPAA
  • PCI DSS

The principles behind it

Manual hacking

Scanners run only as a baseline. Every finding is hand-built and verified by a senior engineer — exploited and chained manually, with your perimeter's context in mind.

Cyclical, not linear

Each finding feeds the next. New access reveals new attack surface. We loop back, dig deeper, and chain — until we reach the deepest impact your architecture allows.

Business impact, not a bug list

A list of CVEs doesn't tell you what an attacker would actually do to your business. We translate every finding into a real-world scenario — what gets compromised, who loses what, and how the chain unfolds.

Senior engineers only

No juniors learning on your environment, no outsourced backfill, no swapping engineers mid-engagement. Every engagement is run by senior offensive engineers with deep external infrastructure and adversary-simulation experience.

Quality over speed

We're not a conveyor optimizing for throughput. We take fewer engagements at a time and go deep on each — that's the trade-off.

Do no harm

All testing happens under signed Rules of Engagement. High-risk actions on production are coordinated with you in advance. Critical findings trigger an immediate alert — no surprises, no broken environments.

Actionable findings, zero false positives

Every finding is verified, prioritized, and documented with reproduction steps and remediation guidance. Your engineers know exactly what to fix first — and they don't waste a day on noise.

Engineer-to-engineer communication

Direct access to our engineers throughout the engagement. No sales translators, no project managers gatekeeping technical detail.

Hacking as a craft

We hire engineers who hack on their own time — for research, for CTFs, for the love of the craft. Our team treats every engagement as a challenge to solve, not a ticket to close.

From your first message to your final certificate

A structured engagement built around your team — with senior engineers, direct communication, and zero surprises.

  1. First conversation

    What happens
    • You reach out — by call, form, or email, whichever you prefer
    • A senior engineer (not a sales rep) gets back to you
    • We define your goals and scope of the engagement together
    • We give you an honest read on whether we're the right fit, and what would actually be worth testing
    You receive: A clear answer on direction — and whether we're a match — before anything is signed.
  2. Scoping & proposal

    What happens
    • A technical session with your team to understand your perimeter, your asset inventory, and your high-value targets
    • We walk you through a sample report so you know exactly what the deliverables look like
    • You get a detailed proposal: scope, approach, timeline, price
    You receive: A full proposal and a sample report you can review with your CTO, CISO, CEO, and procurement before deciding.
  3. Kick-off

    What happens
    • Contract and NDA signed
    • Rules of Engagement signed — clear boundaries on what we test, when, and how
    • Access provisioning and documentation handoff
    • A senior engineering team is assigned to your engagement and briefed
    You receive: Signed engagement contract, Rules of Engagement document, kickoff meeting summary.
  4. Reconnaissance & threat modeling

    What happens
    • Passive intelligence gathering on your public surface
    • Perimeter mapping — what is exposed, where the highest-risk surfaces are, and what was forgotten
    • Threat model: what's worth attacking, and how an external adversary would actually approach your perimeter
    • A direct engineer-to-engineer communication channel is set up for the duration of the engagement
    You receive: Anything urgent that surfaces during this stage is flagged to you immediately. Otherwise, this stage feeds directly into the testing that follows.
  5. Active exploitation

    What happens
    • Manual hacking, vulnerability discovery, exploitation
    • Attack chain construction across multiple findings
    • Impact assessment for every finding before any aggressive exploitation on live systems
    • Continuous loop: each new access reveals new attack surface, and we go deeper
    You receive: If we find a critical attack path that is easy to exploit and demands immediate action, you get an Interim Urgent Report — an alert with reproduction steps and recommended response. We keep testing, you start remediating in parallel.
  6. Primary report delivery

    What happens
    • Findings consolidated, verified, and documented
    • Technical Report and Executive Summary written
    • Remediation roadmap prioritized
    You receive: A Technical Report (for your engineers) and an Executive Summary (for your board, Enterprise customers, and auditors).
  7. Debrief call

    What happens
    • Walkthrough of findings with your engineering team
    • Walkthrough of business impact with your leadership
    • Q&A on remediation priorities — what to fix first and why
    You receive: A prioritized remediation roadmap and direct answers to your team's questions.
  8. Remediation support

    What happens
    • Support for your developers throughout the fix cycle
    • Clarification on attack vectors and remediation approaches
    • Pace depends on your team — we don't push and we don't drag
    You receive: Technical guidance throughout remediation, scoped to your engagement.
  9. Retest & final certificate

    What happens
    • Each remediated finding is re-tested against the original exploitation
    • Verification that the fix holds — not just patched on paper
    • Updated reports and security certificate issued
    You receive: A Retest Report, an updated Technical Report, and your Security Certificate.

Recognized by the industry

Top-rated on industry platforms

  • Top Clutch — Application Security Company 2026
  • Clutch Fall Champion 2025
  • Top Clutch — Penetration Testing 2026
  • Top Penetration Testing 2024 Award

Our engineers hold certifications including

  • OSCP+
  • CRTL
  • BSCP
  • OSEP
  • CEH
  • PNPT

In their own words

SaaS · Email Platform
XRAY CyberSecurity provided penetration testing for our products built on different technologies. We were able to discover vulnerabilities, fix them, and receive confirmation through retesting that they were mitigated. Communicating with their team felt more like working with coworkers than an external vendor — they were professional, knowledgeable, and gave us valuable advice.
Oleg Bida, Information Security Manager
SaaS · LMS Platform
XRAY CyberSecurity conducted gray-box penetration testing following OWASP methodologies. Their thorough manual analysis identified vulnerabilities worth attention, and their detailed technical and executive reports — followed by a retest validating our remediation — allowed us to proceed with ISO 27001 certification.
Alex Slubskyi, CTO · Davintoo
SaaS · Logistics Platform
XRAY CyberSecurity conducted thorough assessments across our web applications and cloud environments, simulating real-world attack scenarios. Their detailed reports provided clear, actionable insights that significantly improved our security posture, and their ability to communicate complex findings in an understandable way was invaluable to our team.
Taras Komenda, CEO · MINT Innovations
Application
The work was done quickly and professionally. XRAY CyberSecurity's specialists highlighted our vulnerable points, enabling us to improve our software quality. We received a report with detailed penetration scenarios and both technical and organizational recommendations for remediation and prevention.
Oleg Khavruk, IT Director · Nash Format
5/5 on Clutch

Ready to see how your team really responds?

Frequently asked questions

How is this different from a generic phishing-simulation tool?

Off-the-shelf tools send templated emails at scale; a real attacker researches your company first. We build campaigns around your actual people, tools, and processes — the way a motivated adversary would — so the result reflects the threat you face, not a test anyone could spot.

Do you do vishing, USB drops, or physical social engineering?

No — this engagement is phishing only, by design. We focus on doing targeted email-based social engineering properly rather than spreading across vectors. If you need broader red-team scope, that’s a separate conversation.

Will this embarrass or punish our employees?

No. The goal is measuring organizational resilience, not naming and shaming. Results are reported as aggregate metrics and patterns; individual data is handled sensitively and per what we agree up front. The output is a stronger team, not a blame list.

How do you handle confidentiality, our data, and legal accountability?

Signed NDA and a contract with full corporate liability, plus written authorization for the campaign before anything is sent. Any credentials or data captured during testing are stored encrypted, restricted to the assigned engineers, and deleted after the engagement per your contract. We carry professional indemnity insurance.

Do we tell our staff in advance?

Usually not the targets — advance warning defeats the test. But we always coordinate with a small, agreed group on your side (and, if relevant, your SOC) so the engagement is authorized and controlled. You decide who’s in the know before we start.

What exactly do you measure?

More than click rate. We measure who clicked, who entered credentials, who approved an MFA prompt — and critically, who reported it and how fast your team and SOC responded. Reporting and response are as important as the click, and we report on both.

What if no one falls for it?

That’s a strong result — and a meaningful one. You still receive full deliverables documenting the campaigns run, the pretexts used, the targets, and the response metrics — evidence of resilience your auditors and customers will accept.

How much effort does this require from our team?

Setup is front-loaded — agreeing scope, targets, pretexts, and authorization at kickoff. During the campaign your involvement is minimal beyond the coordinating group. After delivery, the value comes from acting on the findings, which we support with clear, prioritized guidance.

Is a retest or follow-up included, and are there hidden fees?

The proposal price is fixed in the contract against the agreed scope. A follow-up campaign to measure improvement after awareness work can be included or scoped explicitly — agreed up front, not billed as a surprise. The only thing that changes the price is you expanding scope, agreed in writing first.
