Sandline — Risk Based Security
Services

Human Vulnerability

Phishing simulation, vishing and physical-access exercises that measure how your people behave under realistic social-engineering pressure.

How we work

Phishing remains one of the most common initial-access vectors in confirmed breaches, and the human response to it is the least-tested part of most security programmes. Sandline runs phishing campaigns, vishing exercises and (with explicit written authorisation) physical-access tests that measure click-through, credential-disclosure and reporting rates by role and team. The output is not a "shame leaderboard": it is a quantified, role-based view of human risk that feeds into your training plan and your privileged-access design.

Outcomes

  • Quantified phishing susceptibility per role and team, baselined and trended quarter on quarter
  • Targeted training recommendations for the roles and teams that need it most
  • Detection-signal validation for your email-security stack: which simulated lures were blocked, quarantined, flagged or delivered untouched
  • Audit evidence that NIS2 and ISO 27001 awareness obligations are operationalised

Deliverables

  • Campaign design document with realistic pretexts
  • Per-role susceptibility report
  • Training recommendations
  • Email-security control gap analysis

Engagement Workspace · 90 days free

Included with this engagement: a Centraleyezer SaaS deployment for 90 days where you generate reports on demand. At day 90 it either closes (your DOCX/PDF reports and attestation letter stay with you) or extends as a paid SaaS subscription if you want to keep using it.

Frequently asked

Will employees know it is a drill?

Employees are not told in advance; an announced drill measures compliance with the announcement, not real behaviour. Results are reported per role and team, never per individual, so nobody is singled out. The CISO and HR lead approve the campaign design before it runs.
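The per-role metrics described under "How we work", together with the "never per individual" rule above, can be implemented as a small aggregation step over the campaign telemetry. The following is an added illustration, not Sandline's or Centraleyezer's code; the record schema, the pseudonymous user ids, the sample recipients and the minimum group size of 5 are all assumptions made for the example. It computes click, credential-disclosure and reporting rates per grouping key and suppresses any group too small for a rate to be traced back to one person, which is what makes a team-level cut safe to hand to management.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Groups with fewer recipients than this are suppressed, never reported.
# The threshold is an assumption for this example; pick it with HR.
MIN_GROUP = 5


@dataclass(frozen=True)
class Delivery:
    """One simulated email delivered to one recipient (constructed schema)."""
    user_id: str                 # pseudonymous id; never reaches the report
    role: str
    team: str
    clicked: bool                # followed the link
    submitted_credentials: bool  # typed credentials on the landing page
    reported: bool               # used the report-phishing button/mailbox


def validate(d: Delivery) -> None:
    """Credentials can only be entered on the page behind the link, so a
    submission without a click is a telemetry fault, not a user action."""
    if d.submitted_credentials and not d.clicked:
        raise ValueError(f"inconsistent record {d.user_id}: credentials without click")


def summarise(deliveries: Iterable[Delivery], key: str = "role",
              min_group: int = MIN_GROUP) -> dict:
    """Per-group click, credential-disclosure and reporting rates.

    Groups smaller than `min_group` come back as {"n": n, "suppressed": True}
    so that no rate can be attributed to an identifiable individual.
    """
    groups: dict[str, list[Delivery]] = defaultdict(list)
    for d in deliveries:
        validate(d)
        groups[getattr(d, key)].append(d)

    report = {}
    for name, rows in sorted(groups.items()):
        n = len(rows)
        if n < min_group:
            report[name] = {"n": n, "suppressed": True}
            continue
        report[name] = {
            "n": n,
            "suppressed": False,
            "click_rate": sum(r.clicked for r in rows) / n,
            "credential_rate": sum(r.submitted_credentials for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return report


# Constructed sample campaign: 13 recipients across three roles.
SAMPLE = [
    Delivery("u01", "finance", "accounts-payable", True, True, False),
    Delivery("u02", "finance", "accounts-payable", True, False, True),
    Delivery("u03", "finance", "accounts-payable", False, False, True),
    Delivery("u04", "finance", "payroll", True, False, False),
    Delivery("u05", "finance", "payroll", False, False, False),
    Delivery("u06", "finance", "payroll", False, False, False),
    Delivery("u07", "engineering", "platform", True, False, True),
    Delivery("u08", "engineering", "platform", False, False, True),
    Delivery("u09", "engineering", "platform", False, False, True),
    Delivery("u10", "engineering", "product", False, False, True),
    Delivery("u11", "engineering", "product", False, False, False),
    Delivery("u12", "ops", "logistics", True, True, False),
    Delivery("u13", "ops", "logistics", False, False, True),
]


if __name__ == "__main__":
    for group_key in ("role", "team"):
        print(f"by {group_key}:")
        for name, stats in summarise(SAMPLE, key=group_key).items():
            print(f"  {name}: {stats}")
```

With the sample data the role-level cut reports finance (6 recipients: 50 % clicked, 1 in 6 disclosed credentials, 1 in 3 reported) and engineering (5 recipients: 20 % clicked, none disclosed, 80 % reported), while ops (2 recipients) is suppressed; every team is below the threshold and is suppressed as well. The reporting rate is the metric to trend quarter on quarter, since a rising reporting rate is what gives the SOC earlier warning on a real campaign.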

What pretexts do you use?

Pretexts are modelled on the phishing campaigns actually hitting your sector: payroll-themed lures for finance teams, document-share notifications for engineering, courier-tracking for ops. We never use bereavement, medical or family-emergency pretexts.

Do you test physical access?

Only with explicit written authorisation, with a named point of contact reachable by phone during the test, and only at locations you specify. We do not perform physical-access tests against staff residences or against sites you do not own or operate.

How does this satisfy NIS2 and ISO 27001?

NIS2 Article 21(2)(g) requires basic cyber hygiene practices and cybersecurity training. ISO/IEC 27001:2022 Annex A control 6.3 requires information security awareness, education and training, and a certification auditor will expect evidence that it was delivered and its effect measured. Our deliverable includes the per-role assessment and an attendance/completion record that can be presented as evidence against both.

Book a 30-minute call

Tell us about the regulation you need to satisfy and the systems in scope. We will come back with a scoping note and a fixed-price proposal within three working days.

Book a consultation