An adversary-grade phishing simulation that tests both your users and your security stack against the same tradecraft real attackers are using today, with AiTM credential and MFA token capture, modern email and web security evasion, and real-time campaign telemetry.
Where standard phishing exercises measure user awareness in controlled conditions, our engagements test users and security controls together under conditions that mirror an actual adversary.
Most phishing simulation services run whitelisted at your email gateway and use templated landing pages. Ours doesn't. Every campaign is engineered to land under real attack conditions using the same tradecraft real adversaries deploy today.
Pretexts crafted from research into your industry context, brand and communication patterns, recent events, language requirements, and the audience in scope. Lure content, sender selection, and visual mimicry calibrated to land against the target without breaking the suspension of disbelief that real attackers rely on.
An Adversary-in-the-Middle proxy serves landing pages that are pixel-accurate replicas of legitimate identity surfaces, including Microsoft 365, Okta, and custom SSO. Users interact with what appears to be the real login flow, making the test as close as possible to a real attack.
Campaigns work against accounts protected by push notifications, TOTP, and SMS or voice-call OTP, including Microsoft Authenticator, Cisco Duo, and Okta Verify. This validates whether your MFA configuration would actually stop a real attacker, not just whether users would approve an MFA prompt.
Phishing emails are engineered to evade modern commercial email security solutions including Proofpoint, Microsoft Defender for Office 365, and Cisco Secure Email Gateway. Reputational filtering, content inspection, link analysis, and sandbox detonation are all assessed as part of campaign delivery.
Phishing infrastructure is engineered to evade commercial web security gateways and secure web service edges including Zscaler and equivalent vendors. URL filtering, reputational checks, content inspection, and TLS interception all face genuine attack conditions during campaign delivery.
Every campaign event is tracked live, including emails delivered, links clicked, credentials submitted, and MFA challenges completed. Stakeholder-grade dashboards are available throughout the engagement, with real-time alerts on credential submissions for incident response exercises where in scope.
Most phishing simulation services on the market today are awareness-platform deployments dressed up as security testing. Here is what changes when the campaign is built like a real attacker would build it.
Our proprietary phishing platform turns every campaign into a live exercise, giving you visibility into adversary outcomes and defence performance in real time.
Every click, credential submission, and MFA completion is captured as it happens. Watch the campaign progress in real time across the entire target population, with no waiting for batch reports at the end of the engagement.
See exactly which targets clicked, which submitted credentials, and which completed MFA. Drill down to individual users and the precise timing of each interaction across the campaign window for granular analysis.
Critical events including credential submissions and MFA completions trigger immediate alerts. Supports parallel incident response exercises where the engagement is scoped to test your SOC's detection and escalation workflow.
Different views for different audiences. Operator dashboards for the campaign team during execution, plus executive-level summaries built for leadership briefings and post-campaign reporting.
Beyond the platform itself, here's what backs every campaign and every consultant on the engagement.
Our consultants bring deep offensive cybersecurity experience from top-tier global consulting firms, backed by the industry's most rigorous certifications including OSCE³, OSEP, OSCP, and HTB CAPE, plus the red team operations stack including CRTM, CRTL, CRTE, and CRTP. We bring world-class execution to every phishing engagement.
No junior bait-and-switch and no offshore hand-offs. The senior consultants who scope your engagement are the ones building infrastructure, designing pretexts, executing the campaign, and walking you through findings. You get the same expert from kickoff through closure.
Phishing simulation requires absolute trust in the firm running it against your organisation. We are proudly supported by the HKSTP Incubation Programme and the CityU HK Tech 300 Seed Fund, making us a vetted Hong Kong cybersecurity partner with institutional accountability.
We don't deliver awareness statistics dressed up as security testing. Every phishing engagement produces statistical findings, control gap analysis across the email security and identity stack, and prioritised recommendations translated for both your engineers and your board.
Clients engage us when measuring user click-rates is no longer enough, when the security stack has to be exercised under real conditions, and when the outcome has to hold up to auditors, regulators, customers, and the board.
Organisations measuring whether their security awareness program is producing real behavioural change against adversary-grade phishing, not just compliance training completion.
Security teams validating whether their commercial email security gateway, web security service, and defensive tooling actually catch the kind of phishing real attackers use today.
Organisations rolling out or relying on MFA for SaaS and identity protection, validating whether the configuration would actually stop a session-stealing AiTM adversary.
Organisations subject to phishing testing expectations under HKMA C-RAF 2.0, SFC cybersecurity supervision, HKIA GL20, or sector-specific cyber resilience requirements.
Organisations re-validating defensive posture following a real phishing event, ransomware intrusion, or credential compromise.
Targeted testing of executives, finance, IT administrators, and other high-risk role groups whose compromise would have material business impact.
Every engagement is scoped collaboratively to ensure assessment objectives align with business priorities, threat profile, and regulatory context.
A structured, repeatable methodology that delivers consistent quality across every engagement, with clear entry and exit criteria at each phase and defined responsibilities on both sides.
Define target population, campaign objectives, in-scope themes and pretexts, blackout windows, prohibited content, communication and escalation protocols with your designated contacts, abort conditions, and authority to test.
Research into your industry context, brand and visual style, internal communication patterns, and where the engagement is scoped to emulate a specific named threat actor, the documented TTPs of that adversary. Pretext scenarios, lure content, and visual mimicry are designed to read as legitimate to the target audience.
Build the campaign delivery infrastructure including delivery domains, sender configuration, AiTM proxy deployment against the relevant identity platforms, payload preparation, and platform configuration for telemetry.
Live campaign delivery against the agreed audience, with real-time monitoring of clicks, credential submissions, and MFA completion events. Designated contacts have direct access to the campaign platform to view live telemetry throughout the engagement.
Detailed campaign report with executive summary, statistical findings, control gap analysis, evidence pack, and prioritised recommendations. Walk-through with technical and executive stakeholders covering what worked, what was bypassed, and how to strengthen both defensive controls and your awareness program.
Every engagement produces a comprehensive campaign report designed to serve both technical remediation and executive decision-making.
A non-technical narrative of the campaign, outcomes, business-risk implications, and strategic recommendations, written for leadership, risk, and board-level stakeholders.
Documentation of the agreed scope, target population, pretexts and themes selected, attack vectors, and methodology applied during the engagement.
Statistical analysis of emails delivered, links clicked, credentials submitted, and MFA challenges completed. Broken down by department, role, or region as relevant to the engagement scope.
What got through your email security, what got through your web security, what MFA was bypassed, and which (if any) detection events triggered. Observed efficacy of the security stack against realistic adversary tradecraft.
Captured screenshots of what targets saw, sanitised examples of intercepted credentials and MFA tokens, email delivery records, and indicators of compromise (sender domains, URL patterns, infrastructure markers) for blue-team detection rule development.
Prioritised recommendations across email security configuration, MFA hardening, web security tuning, and detection coverage. Insights for your awareness training program based on which pretexts and themes were most effective during the campaign.
Our methodology is built on internationally recognised offensive security testing standards and mapped to the regulatory regimes most relevant to Hong Kong-regulated organisations.
A traditional phishing exercise typically runs through a commercial awareness platform with the phishing infrastructure whitelisted at your email gateway and web security so the campaign always lands. The result tells you whether users would click on a phishing email under controlled conditions, but tells you very little about whether your security stack would actually catch a real attack. Our engagements operate the opposite way. We use live phishing infrastructure that is not whitelisted, AiTM proxy capability that captures credentials and MFA tokens against major identity platforms, and a real-time campaign platform that gives you live visibility into every event. The campaign tests your users and your security controls under the same conditions a real adversary would deliver them under.
Adversary-in-the-Middle (AiTM) is the current standard tradecraft for phishing against organisations using MFA. Rather than serving a static fake login page, an AiTM proxy sits between the user and the real authentication service. The user sees the actual login flow, including the genuine MFA prompt, and the campaign captures the session as it is created. AiTM phishing is what current adversaries are using to breach organisations worldwide, attributed to active threat actor campaigns such as those traced to Storm-1167 and similar groups. If your phishing testing does not exercise AiTM, you are not testing what your attackers are actually using.
Our platform is designed so that complete, usable credentials and MFA tokens are never stored. Captured artefacts are partially redacted at the point of capture, retaining only enough to evidence the capture event without preserving usable secrets. The full credentials and tokens are not preserved, are not used to authenticate against your production systems, and are not used outside the agreed engagement scope. This protects your employees and your business while providing the evidence needed to validate findings and report outcomes.
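The redaction-at-capture approach described above, as an added illustration written for this page and not code from the service's own platform: a raw capture event is reduced to an evidence record that keeps the facts (who, when, which campaign, whether an OTP and session were observed) while dropping every usable secret. The field names, the per-engagement correlation key, and the sample event are all constructed assumptions for the example.

```python
"""Constructed example: reducing a raw capture event to a redacted evidence record."""
import hashlib
import hmac
import string

# Assumed per-engagement correlation key (a constructed placeholder, not a real key).
# In this design it is destroyed with the other engagement artefacts, after which
# the tags derived from it cannot be reversed or recomputed.
ENGAGEMENT_KEY = b"example-engagement-key-placeholder"

# Constructed sample of what a capture handler might receive (not real data).
SAMPLE_EVENT = {
    "timestamp": "2024-01-15T09:42:17Z",
    "campaign": "invoice-reminder-wave-1",
    "username": "jane.doe@example.com",
    "password": "Winter2024!!",
    "mfa_method": "totp",
    "mfa_code": "483920",
    "session_cookie": "ESTSAUTH=placeholder-session-value",
}


def _tag(value: str, key: bytes = ENGAGEMENT_KEY) -> str:
    """8-hex keyed fingerprint: enough to correlate repeat events for one user
    or session within the engagement, useless for recovering the value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:8]


def _password_profile(password: str) -> str:
    """Length and character classes only; no characters of the password survive."""
    checks = (
        ("lower", string.ascii_lowercase),
        ("upper", string.ascii_uppercase),
        ("digit", string.digits),
        ("symbol", string.punctuation),
    )
    present = [name for name, alphabet in checks if any(c in alphabet for c in password)]
    return f"len={len(password)},classes={'+'.join(present) or 'none'}"


def _mask_username(username: str) -> str:
    """Keep the first character and the domain so the target population can be
    reconciled, e.g. 'jane.doe@example.com' -> 'j***@example.com'."""
    local, _, domain = username.partition("@")
    masked = f"{local[:1]}***"
    return f"{masked}@{domain}" if domain else masked


def redact_capture(event: dict) -> dict:
    """Build the record that is written to telemetry. Raw secrets are read here
    and nowhere else; the returned dict is the only thing persisted."""
    cookie = event.get("session_cookie")
    return {
        "timestamp": event["timestamp"],
        "campaign": event["campaign"],
        "username": _mask_username(event["username"]),
        "user_tag": _tag(event["username"].lower()),
        "password": _password_profile(event["password"]),
        "mfa_method": event.get("mfa_method"),
        # Evidence that an OTP was relayed, without the code itself.
        "mfa_code_observed": bool(event.get("mfa_code")),
        "mfa_code_length": len(event.get("mfa_code") or ""),
        # Evidence that a session was created, without the cookie.
        "session_captured": bool(cookie),
        "session_tag": _tag(cookie) if cookie else None,
    }


def no_secret_retained(event: dict, record: dict) -> bool:
    """Guard run before writing: none of the raw secret values may appear in
    any stored field."""
    secrets = [event[k] for k in ("password", "mfa_code", "session_cookie") if event.get(k)]
    stored = " ".join(str(v) for v in record.values())
    return not any(s in stored for s in secrets)


if __name__ == "__main__":
    rec = redact_capture(SAMPLE_EVENT)
    assert no_secret_retained(SAMPLE_EVENT, rec)
    for key, value in rec.items():
        print(f"{key}: {value}")
```

The design choice worth noting is that `redact_capture` is the only function that ever sees the raw values, and `no_secret_retained` is a cheap check that can run on every record before it is written, so a later change to the record format cannot silently start retaining a password or session cookie.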
All telemetry and artefacts collected during the engagement are held in access-controlled environments, transmitted over encrypted channels, and stored only on infrastructure under our direct control. Any sensitive data inadvertently encountered is handled under strict confidentiality, captured only to the extent necessary to evidence findings, and confirmed destroyed in writing after engagement closure. Engagement artefacts including platform logs are securely destroyed after the agreed retention period.
Yes, where doing so is essential to delivering the campaign under realistic conditions. Our infrastructure is engineered to evade modern commercial email security solutions including those from major vendors such as Proofpoint, Microsoft Defender for Office 365, and Cisco Secure Email Gateway, and commercial web security gateways including major secure web service edges such as Zscaler. Each campaign is delivered against your live security stack rather than through a whitelisted route, so the engagement validates whether those controls actually catch phishing in real conditions.
In general, no. The whole point of the engagement is to test whether your security stack catches phishing under real attack conditions. Whitelisting our infrastructure would defeat the test by removing the very controls the engagement is designed to validate. The exception is when a client specifically requests an awareness-only campaign without security stack validation, which can be scoped on request and would require whitelisting at your email and web security to ensure delivery.
All engagements are led by senior offensive security consultants. We do not assign junior operators or outsource execution to third parties. Our consultants hold recognised industry certifications across red team operations and offensive security, including credentials such as CRTM, CRTL, CRTO, CRTE, CRTP, OSCE³, OSEP, OSCP, and HTB CAPE. Every campaign is reviewed by a senior lead before delivery, ensuring consistent technical depth, operational discipline, and reporting quality regardless of engagement size.
A typical phishing engagement runs around 5 business days of active campaign execution, with the exact duration depending on how long you want the campaign to run and the monitoring window required. Reporting and review typically takes an additional 3 to 5 business days. Larger engagements with multiple pretexts or extended monitoring can run longer. An accurate estimate is provided during the scoping call based on your specific engagement parameters.
Most phishing engagements kick off within 1 to 2 weeks of scoping sign-off, subject to consultant availability and the agreed campaign window. Where a regulatory deadline or board-mandated milestone requires a faster start, we will do our best to accommodate and confirm feasibility during the scoping call.
Phishing campaigns are conducted carefully and under controlled conditions to avoid disrupting business operations. Before execution, we agree on the engagement window, blackout periods, prohibited content (such as topics likely to cause undue distress), abort conditions, and operational impact thresholds. Targets receive emails as part of the campaign, but campaign delivery is calibrated to send realistic volumes rather than disruptive ones. Any operationally sensitive issue is escalated to your designated contacts in real time so the campaign can be paused, scoped down, or aborted. Where you operate a SOC, SIEM, or active monitoring tooling, we share campaign timing, the engagement window, and indicators of compromise in advance so resulting detection events can be correctly attributed and contextualised rather than triaged as live incidents.
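The SOC-side attribution step described above (sharing the engagement window and indicators in advance so detection events can be contextualised rather than triaged as live incidents), as an added example written for this page rather than tooling from the service or any SIEM vendor. The window, indicator values, and normalised events are constructed placeholders; the rule is that an event is tagged as part of the exercise only when it matches the shared indicators and falls inside the agreed window, and an indicator match outside the window is still escalated.

```python
"""Constructed example: tagging SOC detection events that belong to an agreed
phishing exercise, so they are contextualised rather than triaged as live."""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Shared in advance by the campaign team (constructed placeholder values).
EXERCISE = {
    "start": datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 1, 19, 18, 0, tzinfo=timezone.utc),
    "sender_domains": {"example-invoices.test", "mail.example-billing.test"},
    "url_host_pattern": re.compile(r"(^|\.)example-(invoices|billing)\.test$"),
}

# Constructed sample events as a SIEM might normalise them (not real alerts).
EVENTS = [
    {"ts": "2024-01-15T09:41:03Z", "source": "email-gateway",
     "sender": "ap@example-invoices.test", "url": "https://login.example-invoices.test/signin"},
    {"ts": "2024-01-16T14:02:55Z", "source": "web-proxy",
     "sender": None, "url": "https://mail.example-billing.test/r/8x2k"},
    {"ts": "2024-01-16T14:10:21Z", "source": "web-proxy",
     "sender": None, "url": "https://unrelated-site.test/download"},
    # Same indicators, but after the agreed window closed.
    {"ts": "2024-01-22T10:15:00Z", "source": "email-gateway",
     "sender": "ap@example-invoices.test", "url": "https://login.example-invoices.test/signin"},
]


def in_window(ts: str) -> bool:
    """True when the ISO-8601 UTC timestamp falls inside the agreed window."""
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return EXERCISE["start"] <= when <= EXERCISE["end"]


def matches_iocs(event: dict) -> bool:
    """True when the sender domain or the URL host matches a shared indicator."""
    sender = (event.get("sender") or "").lower()
    if sender.rpartition("@")[2] in EXERCISE["sender_domains"]:
        return True
    host = (urlparse(event.get("url") or "").hostname or "").lower()
    return bool(EXERCISE["url_host_pattern"].search(host))


def classify(event: dict) -> str:
    """'exercise' needs both the window and an indicator match. An indicator
    match outside the window is not covered by the exercise and is escalated
    as 'investigate'; anything else is 'unrelated' and follows normal triage."""
    if not matches_iocs(event):
        return "unrelated"
    return "exercise" if in_window(event["ts"]) else "investigate"


def summarise(events: list) -> dict:
    """Count events per classification for the engagement's detection report."""
    counts = {"exercise": 0, "investigate": 0, "unrelated": 0}
    for event in events:
        counts[classify(event)] += 1
    return counts


if __name__ == "__main__":
    for event in EVENTS:
        print(f"{event['ts']} {event['source']:<14} {classify(event)}")
    print(summarise(EVENTS))
```

The tagged events are also what feeds the "which (if any) detection events triggered" part of the control gap analysis: the `exercise` count records what the stack caught during the campaign, while `investigate` results keep the SOC from assuming that anything resembling the campaign indicators is benign once the window has closed.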
Yes. Many engagements are scoped specifically to high-risk role groups: executives and senior leadership, finance and accounts payable, IT and security administrators, HR, or other groups whose compromise would have material business impact. Targeted scoping focuses the engagement on populations where adversaries actually concentrate their effort and where defensive controls are most worth validating.
Yes. While this page focuses on AiTM credential phishing delivered by email, additional variants can be scoped on request: SMS phishing (smishing), QR-code phishing (quishing), and payload-based phishing that delivers malicious attachments instead of credential-capture pages for testing endpoint and EDR detection. Speak to us during the scoping call about which variants would best support your testing objectives.
Yes. On request, we issue a formal Letter of Attestation summarising the engagement scope, campaign period, methodology followed, and high-level outcome. The attestation is suitable for audit, regulatory submission, and third-party assurance purposes, including HKMA C-RAF 2.0, HKIA GL20, SFC, PCI DSS, ISO/IEC 27001, SOC 2, and similar obligations.
Schedule a scoping call with our specialists to define the right campaign scope for your environment, audience, and timeline. We will walk you through methodology, deliverables, and next steps.