    Phishing Simulation Services, Run by Practitioners, Not Platforms

    Phishing simulation tests how an organization actually responds when a credible attacker reaches its people. Bespoke campaigns built on current threat-actor tradecraft, scoped and reported by senior offensive-security practitioners with 10+ years in the field.

    What lands in your finance team's inbox today comes from a recently compromised supplier domain, references a real invoice number from a leaked email thread, and is followed by a phone call using your CFO's recorded voice. Generic awareness templates train people to spot threats no attacker is sending, manufacturing false confidence that operational security can't recover from. HackersHub designs pretexts from current threat intelligence on the actor groups targeting your sector, mirrors their delivery infrastructure, and measures what the human response actually looked like.

    What is a phishing simulation?

    A phishing simulation is a controlled, authorised attack against your own workforce that replicates how a real adversary would try to deceive your people, through email, voice calls, SMS, or OAuth consent prompts. The goal is not to catch employees out. It is to measure how your organisation actually responds under credible pressure: who reports, how quickly, who clicks, and whether your detection and response process holds. HackersHub runs each simulation as a bespoke offensive engagement scoped to your environment, not a generic template blast, and reports the human response in operational terms you can act on.

    Simulation Attack Vectors

    Explore our diverse range of simulation attack vectors.

    Credential Harvesting

    Realistic fake login pages that test if employees will submit their credentials to suspicious sites.

    Dummy Malware Installation

    Safe simulated malware payloads that track who downloads and attempts to open suspicious attachments.

    Click Fix Exploitation

    Test employee response to fake software update prompts and technical support scams.

    Phone Phishing (Vishing)

    Voice-based social engineering tests using phone calls to verify employee security protocols.

    SMS Phishing (Smishing)

    Text message-based phishing campaigns testing mobile device security awareness.

    Spear Phishing Campaigns

    Highly targeted campaigns tailored to specific roles, departments, or individuals within your organization.

    Key Features

    Empowering your security awareness program with advanced capabilities.

    Integrated Security Awareness Training

    Simulation results are directly integrated into customized training sessions, addressing specific vulnerabilities discovered during testing.

    Continuous Phishing Programs

    Monthly phishing campaigns to maintain ongoing awareness and track improvement over time.

    Management Dashboard Access

    Managers get real-time access to dashboards showing campaign results, click rates, and employee progress tracking.

    Tailored Rules of Engagement

    Each campaign is customized based on your organization's specific requirements, industry regulations, and comfort level.

    Detailed Performance Metrics

    Track click rates, credential submissions, reporting behavior, and improvement trends across all campaigns.

    Risk-Based Targeting

    Identify high-risk users and departments for targeted intervention and additional training.

    How We Deliver Phishing Simulations

    Our proven methodology for effective phishing simulations.

    01. Rules of Engagement

    Define campaign scope, attack vectors, intensity levels, and establish clear boundaries for your organization.

    02. Custom Campaign Design

    Create spear phishing scenarios tailored to your industry, roles, and current threat landscape using realistic tactics.

    03. Simulation Deployment

    Launch multi-vector campaigns including email, SMS, phone calls, and other attack methods based on your engagement.

    04. Real-Time Monitoring

    Track employee responses across all attack vectors with immediate visibility into vulnerabilities.

    05. Integrated Training Delivery

    Deliver customized security awareness training incorporating actual simulation results and identified vulnerabilities.

    06. Continuous Assessment

    For continuous programs: ongoing monthly campaigns with management dashboard access for tracking long-term progress.

    Program Options

    Choose the program that best fits your organization's needs.

    One-Time Assessment

    Single comprehensive phishing campaign with integrated training session to establish baseline awareness.

    Continuous Phishing Program

    Monthly phishing simulations with management dashboard access, tracking employee progress and maintaining security awareness over time.

    Training Integration

    All programs include security awareness training sessions that incorporate real simulation data from your employees' performance.

    Who Benefits Most?

    Phishing simulation is essential for organizations of all sizes. From SMBs establishing baseline security awareness to enterprises maintaining continuous vigilance, our programs adapt to your maturity level. Particularly valuable for compliance requirements (SOC 2), industries handling sensitive data, and organizations undergoing digital transformation or remote work transitions.

    What You'll Receive

    Detailed campaign analytics with click rates, credential submissions, and reporting behavior
    Individual and department-level vulnerability assessment
    Customized security awareness training sessions based on actual employee performance
    Management dashboard with real-time campaign tracking and historical trends
    Recommendations for high-risk users and departments requiring additional focus
    Comparison metrics against industry benchmarks

    Phishing Simulation FAQ

    The questions enterprise buyers ask us most often, answered straight.

    How much does a phishing simulation campaign cost?

    Phishing simulation engagements at HackersHub are scoped per organisation; there is no fixed price list. Cost depends on workforce size, channels in scope (email, voice, SMS, OAuth), depth of pretext development, reporting requirements, and whether the engagement is one-shot or continuous. A scoping call typically takes 30 minutes and produces a fixed-scope written proposal within five working days.

    How often should we run phishing simulations?

    For mature security programmes, continuous quarterly campaigns are the operational baseline: sustained pressure-testing exposes drift, while annual snapshots only validate a single moment in time. For organisations earlier in their programme, a deep one-shot campaign followed by a structured 90-day re-test is the right starting cadence. Cadence should match your threat exposure, not a generic calendar.

    Is phishing simulation legal in the Netherlands and the EU?

    Yes, when properly scoped. Phishing simulation against your own workforce is legal under EU and Dutch law provided there is a documented legal basis (typically employer interest or consent), works-council notification where applicable under the Wet op de Ondernemingsraden, GDPR/AVG-compliant data handling, and a written rules-of-engagement agreement. We handle the legal scoping as part of every engagement; clients do not need their own legal team to draft the framework.

    Do we need to inform employees in advance?

    The right answer depends on your objective. If you are testing operational response (how quickly the SOC detects and contains an attack), employees should not be pre-warned, as this changes behaviour. If you are running an awareness intervention with measurable behavioural change as the goal, broad pre-notification of the programme (not specific campaigns) is appropriate. We help clients land the right position with works-council and HR during scoping.

    How is this different from KnowBe4, Hoxhunt, or Proofpoint?

    Awareness platforms ship templates at scale; the model is high-volume, low-fidelity simulation against generic lures. HackersHub runs bespoke offensive engagements built from current threat-actor tradecraft, executed by senior practitioners, scoped per environment. Platforms answer: what percentage of our staff clicked a generic lure last month? We answer: would your finance team transfer money to a domain registered yesterday after a voice call from a deepfaked CFO? Different question, different methodology.

    What is the difference between phishing simulation and red teaming?

    Phishing simulation tests human response to social-engineering attacks against a defined population. Red teaming is a goal-based adversary simulation (typically "compromise this asset" or "exfiltrate this data within this window") which often uses phishing as one initial-access vector among many, alongside infrastructure attack, physical intrusion, and supply-chain pivots. When a phishing programme has matured to the point where a click-rate baseline is stable, the next step is usually goal-based red teaming.

    What does a typical campaign look like end-to-end?

    Six to ten weeks. Week one to two: scoping, threat-intelligence work, legal and works-council alignment. Week three to four: pretext development, infrastructure build, internal sign-off. Week five to seven: campaign execution with staggered sends and multi-channel orchestration. Week eight to nine: analysis and reporting. Week ten: debrief workshop and remediation planning. Continuous programmes run on rolling quarterly cycles inside this same shape.

    How do you measure success beyond click rate?

    Click rate alone is misleading. We measure five dimensions: report rate (did anyone flag the lure?), report-time (how quickly?), credential-submission rate, dwell time before disengagement, and SOC detection latency. The interaction we care most about is reporting: a workforce that reports phishing within minutes is operationally stronger than a workforce with a low click rate that reports nothing.

    Can you simulate vishing and smishing as well as email phishing?

    Yes. Voice phishing (vishing) and SMS phishing (smishing) are in scope for any engagement where the rules of engagement permit. Multi-channel campaigns, where an email lure is followed up by a phone call from a number that matches the apparent sender, or where an SMS arrives ahead of an email to legitimise it, replicate current threat-actor tradecraft and are the most realistic simulation we run.

    Will the HackersHub team work with our incident-response team during the engagement?

    On request, yes. Some clients want their SOC blind to the engagement so we can measure unprompted detection. Others want the SOC informed at a senior level so the engagement doubles as a tabletop for their detection-and-response playbooks. Both shapes are valid; we agree the position during scoping.

    Ready to Test Your Team?

    Schedule a consultation to discuss your phishing simulation needs and rules of engagement.