Phishing Assessment
74% of data breaches start with an attacker sending a phish email to compromise one or more of your systems (source, 2018 Verizon Data Breach Report). Therefore, it is imperative to understand how your defenses measure up to this common and probable attack. Unlike other forms of attack, phishing requires an attacker to both exploit the user (ex. social engineering) and bypass security controls (ex. email filtering) to be successful.
Our Phishing Assessments
PEN Consultants offers Phishing Testing for your organization as part of the Red Teaming Service and Social Engineering Assessment, but we also offer it as a focused and stand-alone service, as seen below.
Our semi-automated phishing assessment service provides much more than the typical phish simulation offered by other providers. PEN Consultants, like others, mimics the latest phishing themes and techniques used by attackers to gauge your user’s ability to distinguish between legitimate and varying sophistication levels of phish. But, we don’t stop there. We also include malicious payloads and links to our attacker platforms to see if your technical controls mitigate the risks. If we are successful at both, we take it yet another step further and enumerate the systems/data the compromised user(s) have access to.
By executing all three steps, PEN Consultants is able to demonstrate actual likelihood, impact, and unique risks to our Client. This far surpasses the value of simulation testing performed by most providers.
To keep costs low, this is a semi-automated service in which you will provide a list of email addresses, names, and titles for us to target along with technical details of your endpoints and security stack. By eliminating the majority of the recon and testing phases, as compared with a full scope social engineering assessment or red team engagement, and automating the phish deliveries themselves, we can keep expenses substantially lower while maintaining the ability to accurately gauge your risk and the impact of various forms of phishing attacks.
Our semi-automated phishing assessment service provides much more than the typical phish simulation offered by other providers. PEN Consultants, like others, mimics the latest phishing themes and techniques used by attackers to gauge your user’s ability to distinguish between legitimate and varying sophistication levels of phish. But, we don’t stop there. We also include malicious payloads and links to our attacker platforms to see if your technical controls mitigate the risks. If we are successful at both, we take it yet another step further and enumerate the systems/data the compromised user(s) have access to.
By executing all three steps, PEN Consultants is able to demonstrate actual likelihood, impact, and unique risks to our Client. This far surpasses the value of simulation testing performed by most providers.
To keep costs low, this is a semi-automated service in which you will provide a list of email addresses, names, and titles for us to target along with technical details of your endpoints and security stack. By eliminating the majority of the recon and testing phases, as compared with a full scope social engineering assessment or red team engagement, and automating the phish deliveries themselves, we can keep expenses substantially lower while maintaining the ability to accurately gauge your risk and the impact of various forms of phishing attacks.
View our Sample Findings and Recommendations Report to see the level of detail PEN Consultants provides in our report.
Sample Pricing
- Small: No dedicated SOC, minimal technical controls, <250 targets
- Single Campaign: $2,750
- Three Campaigns: $7,500
- Medium: Basic out-of-the-box security controls, basic security staff, <1,000 targets
- Single Campaign: $4,250
- Three Campaigns: $11,500
- Large: Multi-layered, out-of-the-box security controls, SOC, <5,000 targets
- Single Campaign: $6,000
- Three Campaigns: $16,250
- xLarge: Custom security controls, advanced SOC, >5,000 targets
- Varies
Add-On Services
In order to keep our testing prices low, we’ve removed certain services that not every client requests. Under our Cybersecurity Unlimited Retainer (included with all of our contracts) you can add on the following services as needed. Please reference the Cybersecurity Unlimited Retainer page for pricing details.
Post-Testing Briefings
Executive Level and/or Technical Level
Micro: ~1.5 hours, Small: ~2 hours, Medium: ~2.5 hours, Large: ~3 hours, xLarge: 3+ hours
Remediation Testing
Micro: ~2.5 hours, Small: ~3 hours, Medium: ~3.5 hours, Large: ~4 hours, xLarge: 4+ hours
Assist Technical Support Staff with Mitigations
Hours vary depending on your needs
Assist SOC Staff in Building Detections
Hours vary depending on your needs
On-Site Supplemental Testing and/or Visits
See Cybersecurity Unlimited Retainer page for pricing details
DISCLAIMER: Sample pricing listed is not actual pricing. These dollar amounts are estimates based on the number of hours required for engagements of similar size and assumes white box testing and at least a 60-day lead time. They are provided to give you a ballpark idea of the cost for the service. The total cost will be based on the estimated number of hours needed to perform the requested service and our hourly rate. Black box testing, specific complexities, and other non-standard situations will increase costs. Additionally, sample pricing does not include travel or other non-standard expenses (specialized equipment, materials, etc.). Final pricing is determined during the no-obligation scoping phase (before testing starts).