Social engineering and security-awareness work assesses the human and physical perimeter that surrounds a connected product or a business. A technically secure system can still be compromised through a phishing campaign that lands a valid credential, a building visit that yields network access, or a Wi-Fi assessment that surfaces unmanaged corporate access points. Most engagements at this level start with a leadership team asking “how would our staff actually do in a realistic test.”
Melina runs this work under written authorization with signed rules of engagement, agreed safe-stop conditions, and a clear scoping conversation about what we will and will not do — both as a matter of ethics and as a matter of operational discipline. Unauthorized social engineering is illegal; authorized social engineering is a defined assessment activity with documented boundaries.
What this service covers
Authorized phishing assessment
Phishing campaigns simulated against an agreed user population, scope, and difficulty profile. Common variants include credential-harvest campaigns (test sign-in pages with logging), reply-chain campaigns (existing legitimate threads hijacked under controlled conditions), and business-process campaigns (invoice, vendor-change, payroll-update). Each variant has a different evaluation purpose: credential harvest measures lure susceptibility, reply-chain measures detection muscle, business-process measures process discipline.
The assessment reports per-population susceptibility rates, dwell time from delivery to first interaction, and post-click behaviour patterns. We do not name individuals in the report unless explicitly scoped to do so.
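As an added example, not part of this page or the provider's own tooling, here is the kind of per-population summary the report describes, computed from a constructed campaign event log in which recipients carry only opaque pseudonymous ids so the output never names an individual:

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample event log for an authorised phishing assessment (not real data).
# Each row: (population, pseudonymous recipient id, event, ISO-8601 timestamp).
# Recipient ids are opaque tokens; the report is aggregated per population only.
EVENTS = [
    ("finance", "r01", "delivered", "2024-03-04T09:00:00"),
    ("finance", "r01", "clicked",   "2024-03-04T09:07:00"),
    ("finance", "r01", "submitted", "2024-03-04T09:08:00"),
    ("finance", "r02", "delivered", "2024-03-04T09:00:00"),
    ("finance", "r02", "reported",  "2024-03-04T09:30:00"),
    ("finance", "r03", "delivered", "2024-03-04T09:00:00"),
    ("finance", "r03", "clicked",   "2024-03-04T11:00:00"),
    ("finance", "r03", "clicked",   "2024-03-04T11:05:00"),  # repeat click; not a first interaction
    ("engineering", "r04", "delivered", "2024-03-04T09:00:00"),
    ("engineering", "r05", "delivered", "2024-03-04T09:00:00"),
    ("engineering", "r05", "reported",  "2024-03-04T09:02:00"),
]

INTERACTIONS = {"clicked", "submitted", "reported"}

def campaign_metrics(events):
    """Per-population click/submit/report rates and median dwell time (minutes)
    from delivery to first interaction of any kind. Events may arrive out of order."""
    delivered = defaultdict(dict)   # population -> {rid: delivery time}
    first = defaultdict(dict)       # population -> {rid: (event, time of first interaction)}
    outcomes = defaultdict(lambda: defaultdict(set))  # population -> event -> {rid}
    for pop, rid, ev, ts in events:
        t = datetime.fromisoformat(ts)
        if ev == "delivered":
            delivered[pop][rid] = t
        elif ev in INTERACTIONS:
            outcomes[pop][ev].add(rid)
            if rid not in first[pop] or t < first[pop][rid][1]:
                first[pop][rid] = (ev, t)
    report = {}
    for pop, recips in delivered.items():
        n = len(recips)  # denominator for every rate is the delivered count
        dwell = [(first[pop][r][1] - recips[r]).total_seconds() / 60
                 for r in recips if r in first[pop]]
        report[pop] = {
            "delivered": n,
            "click_rate": len(outcomes[pop]["clicked"]) / n,
            "submit_rate": len(outcomes[pop]["submitted"]) / n,
            "report_rate": len(outcomes[pop]["reported"]) / n,
            "median_dwell_min": median(dwell) if dwell else None,
        }
    return report
```

A recipient who never interacts contributes to the denominator but not to dwell time, so a low median with a low interaction rate reads differently from a low median with a high one.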
Physical-access assessment
Authorized physical visits with documented objectives — typically reception walk-in, tailgating, controlled-area access, or sensitive-area access. Every visit operates under a written authorization letter carried by the assessor and a pre-arranged escalation contact who can confirm the engagement if challenged. The objective is to assess the controls (access, badging, visitor logging, escort discipline) rather than to find the one path that works once.
We use this engagement type primarily for enterprise security programs, secure-area certification readiness, and post-incident control validation.
Wi-Fi penetration testing
Wi-Fi assessment under written authorization for the specific networks in scope, with the limitations and clean-up actions documented before testing starts. Common findings: unmanaged corporate access points alongside the managed estate, captive-portal weaknesses, certificate-handling issues in enterprise authentication, and segmentation gaps between guest, corporate, and operational networks.
This work is technical in execution but the operational implication is usually organisational — the gaps surface because access-point inventory and segmentation policy have drifted from the documented baseline.
Awareness program design and tabletop
Some engagements are not about testing but about designing the next assessment cycle and helping the awareness program land. We deliver tabletop sessions, executive briefings, and program-design advisory work tied to assessment results — turning findings into something the awareness team can run with.
Engagement structure
Social-engineering and awareness work runs as a Custom Engagement or as a recurring strand inside a Retainer — it does not fit the Fixed Package frame because every scope decision (who is in the target population, which variants are run, where physical engagement is authorised) is engagement-specific.
A typical engagement runs:
- Week 1: scoping, written rules of engagement, signed authorisation letter, agreed evaluation criteria
- Weeks 2–4: campaign execution / physical visits / Wi-Fi assessment under the authorised scope
- Week 5: report (executive summary + technical findings + per-population rates + recommendations), tabletop debrief with the security/awareness team
Pricing is finalised after scoping. The variable cost driver is target-population size for phishing, and number of authorised visits for physical work.
What this engagement is not
We do not run unauthorised social engineering against any party — internal or external — under any circumstance. We do not name individual employees in published reports without explicit written authorisation. We do not chain social-engineering findings into operational follow-on (lateral movement, persistence, exfiltration) unless that operational chain is explicitly scoped as part of a Red Team engagement rather than as a security-awareness assessment.
Related
- Service: Red Team Operations — when the question is “what would a real adversary achieve” rather than “how would our staff do”
- Solution: Pre-Launch Product Security — when awareness work is part of a broader pre-launch readiness program
- Methodology: Six-stage engagement methodology
- Engagement model: Custom Engagement · Retainer