Social Engineering Assessment (SocEng)

Just about every major security breach that has been featured in the news over the past decade has involved a social engineering component. Social engineering is typically the piece that gives attackers a foothold within the organization, from which they can propagate their attacks to gain real access to sensitive information. Beyond just phishing, our Social Engineering Exercise (SocEng) targets the human element through multiple attack vectors to test employee awareness of potential security threats. During the Social Engineering Assessment we simulate phishing, planted media, pretext calling, social networking, and, optionally, tailgating to test exposure to social engineering.

Our social engineering exercise is an attempt to establish false confidence with employees at the company in order to manipulate them into unwittingly divulging sensitive information, such as account information or other information that could be used to compromise security. In performing this exercise we use a combination of techniques, including pretexting, phishing and baiting. Social engineering tests an organization's awareness of security threats and of compliance requirements concerning disclosure of information, as well as its incident handling policies and procedures. The results of the test are catalogued in a comprehensive report. This exercise serves a number of purposes beyond assessing the organization's susceptibility to social engineering:

  • It also raises overall user awareness of these types of threats. As internal dialogue spreads about attempted social engineering attacks, other users become more cautious regarding inbound communications and requests.
  • The report itself can be used for training purposes.

Furthermore, clients may seek to engage Illumant for personnel training following the social engineering exercise, as well as subsequent re-testing.


  • Social engineering
  • Simulated attacks
  • Phishing
  • Planted media (mail, USB-drops, etc.)
  • Pretext calling
  • Social networking
  • Tailgating (optional)
  • Security awareness
  • Comparison to baseline of similar organizations


  • Employees
  • Users
  • Managers
  • Departments (HR, finance, administration, customer service/support, engineering, …)
  • Knowledgeability about security
  • Awareness of security threats
