How is attack-based training different from traditional security awareness training?

Traditional training uses slideshows and quizzes. We run real attacks against your employees — phishing emails, phone pretexts, physical intrusion attempts — then debrief them on exactly what happened, why it worked, and how to recognize it next time. Experience is the best teacher.

Will employees know they're being tested?

No. Our campaigns are indistinguishable from real attacks. Employees only learn they were tested during the debrief phase. This measures genuine behavior, not test-taking ability.

What metrics do we receive?

Click rates, credential submission rates, reporting rates, response times, department-level breakdowns, and trend analysis across multiple campaigns. Every metric is actionable.

SVC::007

Security Training

We don't teach your employees with slideshows. We attack them first — then train them on exactly what they missed and why it worked.

Attack First. Train From Results.

Over 90% of successful breaches start with a human action — clicking a phishing link, giving credentials over the phone, holding a door for a stranger. Your employees are either your strongest defense or your biggest vulnerability. Generic compliance videos won't change that. Getting owned in a controlled environment will.

Our training program is built on the same social engineering campaigns and red team operations we run for offensive assessments. We execute realistic attacks against your employees, measure who falls for them, then debrief every participant with concrete evidence of what happened and how to prevent it next time.

How It Works

Phase 1: Baseline Attack — We launch realistic phishing emails, vishing calls, or physical pretexts against your organization without warning. This measures your actual exposure — not what people claim they'd do on a quiz.
Phase 2: Metrics & Analysis — Click rates, credential submission rates, who reported vs. who ignored, response times, department breakdowns. You get hard numbers on your human attack surface.
Phase 3: Debrief & Training — We walk employees through exactly what happened — the emails they clicked, the calls they answered, the doors they held open. Real examples from their own organization hit harder than any slideshow.
Phase 4: Repeat & Measure — Follow-up campaigns at regular intervals to measure improvement. We track trend lines across quarters so you can see behavior change over time, not just a single snapshot.

Training Topics

Every debrief session covers the specific attack vectors used in the campaign, plus broader cyber hygiene topics tailored to your organization's risk profile.

Phishing & Spear Phishing — How we crafted the emails, what made them convincing, red flags to look for, and how to verify legitimacy before clicking or submitting credentials.
Vishing & Phone Pretexts — Why people comply with authority over the phone, how attackers impersonate IT, vendors, and executives, and verification procedures that shut it down.
Password Hygiene & MFA — Credential reuse risks, password manager adoption, MFA enforcement, and why SMS-based 2FA isn't enough for high-value targets.
Physical Security Awareness — Tailgating, badge cloning, USB drops, pretexting at the front desk. Your facility is an attack surface too.
Incident Reporting Culture — Building a team that reports suspicious activity without fear of blame. Fast reporting is the difference between a blocked attack and a breach.
Executive Targeting — Business email compromise, wire fraud, whaling attacks. Leadership is the highest-value target and needs targeted awareness.

Combine live social engineering campaigns with training for maximum impact.

Start Training Program

What You Receive

Every training engagement delivers a metrics report documenting campaign results — click rates, credential submissions, reporting rates, response times — alongside department-level breakdowns and trend analysis. You receive recorded debrief materials your team can reference, and a recommended cadence for follow-up campaigns to maintain and measure ongoing improvement.

Intel

Training FAQ

Traditional training uses slideshows and quizzes that employees forget within a week. We run real attacks against your team — phishing emails, phone calls, physical attempts — then debrief them with evidence from their own experience. People remember getting phished. They don't remember slide 47.

No. Campaigns are indistinguishable from real attacks. Employees learn they were tested during the debrief phase. This measures genuine behavior under realistic conditions, not test-taking ability.

Our debriefs are educational, not punitive. We frame every result as a learning opportunity and emphasize that the goal is to protect the organization — and the individual. The tone is collaborative, not blame-oriented.

We recommend quarterly campaigns at minimum to build sustained awareness. Monthly campaigns produce the fastest behavior change. We help you determine the right cadence based on your organization's size, risk profile, and compliance requirements.

Initiate

Start a Training Program

Tell us your employee count, current awareness program (if any), and compliance requirements. We'll design a campaign-based training program that produces measurable behavior change.

EMAILsales@pendergrassconsulting.com

BASESelma, NC 27576

Pendergrass ConsultingFull-service IT consulting. pendergrassconsulting.com →