Phishing Controls Validation
Tags:
elite infosec, critical infrastructure, high impact, compliance
Type
1st-Party
Key Roles
CISO, vCISO
Key Feature Aspects:
rigorous, scalable, continuous, easy
About this Use Case
LIVING DOCUMENT
Progress Updated Periodically
BreachRisk can be used to test multiple layers of the email security stack. We don’t just test delivery and opens. In our approach to spearphishing, we automatically find targets, execute campaigns, and launch tests. However, like attackers, we avoid detection and we focus on completing a specific objective. Along the way, email security controls might defeat our attempts. This allows for testing of all or most of the email security stack.
Success Summary
Why BreachRisk™ is a good fit
Our “set it and forget it” automated approach will notify administrators when we’ve been able to actually exploit employees. Our risk calculus gives credit when our attacks are defeated, and administrators can see exactly which controls worked.
Barriers or misconceptions
You wouldn’t whitelist attackers, so you won’t whitelist us. Staying ahead of evolving email security is a challenge but keeps our service incredibly potent and realistic.
Key outcomes
Advanced organizations and rating schemes (e.g. insurance) need accurate indications of email risk and reduced false positives.
Discussion
Typical phishing services require you to provide a list of users/emails, whitelist delivery, and closely manage campaigns. That can accomplish a very baseline level of understanding of your phishing risk, but it ignores major sources of risk and doesn’t give enough credit for security controls.
BreachRisk phishing services don’t require any of that. Don’t tell us who your users are. Don’t whitelist us. Don’t manage the campaign. Those are our problems to solve. And this approach means you’ll see what attackers can actually do, and which of your controls are actually working.
We have numerous customers using our phishing services.