Social Engineering Assessments

Social engineering is the most commonly used tactic across all levels of adversaries to gain unauthorized access to a network. While many organizations implement policies and technical controls to mitigate this threat, network intrusions through social engineering attacks are still often highly successful. A proven way to assess an organization’s exposure to these threats is to test the effectiveness of existing technical and organizational protections, starting with the security awareness of personnel.

Altonace’s social engineering assessments are designed to help our customers effectively evaluate the risk of social engineering attacks to their organizations, identify breakdowns in protections and implement remediation strategies to improve organizational security posture. Altonace utilizes processes developed over dozens of engagements to evaluate weaknesses in our customers’ identification and response activities, and ensure attempts to gain unauthorized access to critical information and systems are promptly addressed. Our results assist in augmenting a robust security program, tailored to mitigate the most common and devastating attack vectors used today.


Our social engineering assessments can be used to collect statistics on personnel susceptibility, or as an initial access vector within a broader penetration test. Assessments are tailored to customer requirements, with planned activities based on the attack vectors to be tested and the end objective (security awareness, attack mitigation testing, etc.). Regardless of the social engineering techniques used, our team ensures that testing activities remain in a controlled environment. The results are analyzed and the business impact is assessed to provide actionable steps toward remediation.

Our Social Engineering Services Include:

Open Source Intelligence Gathering – Mapping the publicly visible attack surface (organization-wide or for targeted components) that social engineering attackers could use against the organization

Spear Phishing – Targeted emails to designated personnel, with sophistication scaled to the threat being emulated (click counting, credential gathering, up to full payload delivery, depending on the objective)

Pretexting/Cold-calling – Phone-based social engineering to gather critical information

Physical – Onsite activities including attempts to gain access to specific locations, unauthorized physical network access, baiting, tailgating, dumpster diving, USB drops, etc.