Initial Access Assessments
Phishing, vishing, prepared hardware and attacks on your external perimeter: as a specialised offensive security company based in Vienna, we test the routes real attackers take into your organisation. Realistic, controlled and without putting your employees on show.
Why initial access is the decisive phase
Most successful attacks start the same way: with a convincing email, a credible phone call or a service that is reachable from the outside. The first foothold, the initial access, is the phase that decides whether an attack attempt turns into a security incident.
The decisive question is not whether someone in your organisation clicks on a well-crafted phishing email. With sufficiently convincing campaigns, that is exactly what happens. The question is what happens then: do your technical controls hold? Do the reporting channels work? How long does it take until someone notices the attack?
Awareness training, mail filters and policies are important building blocks. Whether they actually hold up in combination only becomes visible once someone challenges them under realistic conditions. That is exactly what an initial access assessment is for: it turns assumptions about your first line of defence into verifiable results.
We answer these questions with the same methods real attackers use - controlled, documented and without damage to your organisation.
The attack vectors we use
We combine the channels through which attackers actually break into organisations today. Which of them come into play is something we define together during scoping:
- Email phishing: tailored campaigns with convincing lookalike domains and landing pages, built for your organisation instead of pulled from a template library.
- Vishing: phone-based manipulation with spoofed caller ID, for example posing as IT support or an external service provider.
- CEO fraud: impersonation of senior staff to push employees into actions they would otherwise question.
- USB drops and prepared hardware: distribution of manipulated storage media and devices.
- External perimeter attacks: attacks on the externally reachable services of your infrastructure, the second major route into the network alongside the human factor.
- Physical access: optional, on request combined with a physical security assessment.
The strength lies in the combination: a phishing email becomes far more credible when a supposed IT employee calls shortly afterwards and refers to exactly that email. Multi-stage scenarios like these reflect how real attackers operate far better than any single channel on its own.
On request we extend the assessment with social media outreach using fake identities, prepared submissions through online forms such as job application portals, or purpose-built custom malware to test the effectiveness of your XDR system.
How an initial access assessment runs
An initial access assessment is not a tool you switch on, but a guided engagement. Every assessment moves through four steps, from joint scoping to the final analysis - closely coordinated so that your day-to-day operations are not disrupted.
1. Scoping and rules of engagement
Together we define objectives, permitted vectors, time windows and escalation paths. This is also where we settle organisational questions such as works council involvement and data protection, and how captured credentials are handled. Only a small circle inside your organisation knows about the assessment, so the results stay meaningful.
2. Recon and OSINT
Like a real attacker, we gather publicly available information about your organisation: exposed services, technologies in use, organisational structure and publicly visible profiles. This is the basis for credible scenarios, matching domains and convincing landing pages.
3. Campaign execution
The campaigns run staggered and under control. Instead of a single bulk email, we work in targeted waves and continuously adapt our approach, just as a real attacker would. Every interaction is documented, traceable at any time and can be stopped through the agreed escalation paths.
4. Analysis and evaluation
We evaluate all results in aggregated form, reconstruct the possible attack paths and translate them into concrete measures. We look not only at what worked for us as attackers, but also at which controls held and where detection and reporting performed well. In the debrief we walk through the findings together.
Your employees are never put on show
An initial access assessment tests your organisation, not individual people. All results are anonymised and aggregated: the report contains rates and patterns, not names. We report that clicks happened and what they would have made possible - not who clicked.
That is a deliberate choice. A security culture in which employees fear being pilloried for a click reports incidents late or not at all. Those who are allowed to learn without blame report faster - and exactly this willingness to report is one of your organisation's most important lines of defence.
How and when your staff are informed after completion is something we align with you during scoping. Communicated well, the assessment becomes a learning moment for the whole organisation instead of a declaration of distrust.
Initial access as part of a red teaming assessment - or standalone
In a full red teaming assessment, initial access is the first phase: the foothold gained there is the starting point for lateral movement, privilege escalation and reaching defined objectives.
As a standalone assessment, the test ends at a point defined upfront, for example with proof that code execution or access to credentials would have been possible. That makes initial access assessments a good entry point: less involved than a full red teaming engagement, but with a realistic picture of your first line of defence. If you want to go deeper later, the results feed directly into a red teaming assessment - and you have a solid basis for deciding where further investment in your defences pays off most.
What you get
At the end you get more than the answer to whether we would have got in - you get a package you can work with directly:
- Detailed report: every campaign, scenario and possible attack path documented in a traceable way, for both technical teams and management.
- Metrics from the engagement: your organisation's click, submission and reporting rates as concrete measurements, anonymised and aggregated.
- Prioritised recommendations: technical and organisational measures, sorted by impact and effort.
- Debrief: a personal presentation of the key findings, on request separately for management and technical teams.
Frequently asked questions
What is the difference between an initial access assessment and a phishing simulation tool?
A simulation tool sends pre-built bulk emails and measures click rates, mainly as a building block for awareness training. An initial access assessment is a manually driven attack: we research your organisation, register convincing lookalike domains, build individual landing pages and combine several vectors on request. This shows not just that someone clicks, but what a real attacker would make of that click.
Are employees named in the report?
No. All results are aggregated and anonymised. The report contains rates, patterns and attack paths, not names. The goal is to improve technology, processes and reporting channels, not to expose individuals.
Is this kind of assessment legal?
Yes, within the jointly agreed framework. Before we start, the rules of engagement define which vectors are allowed, when we test and how captured data is handled. Topics such as works council involvement and data protection are aligned upfront, so the assessment rests on a clean foundation.
How long does an initial access assessment take?
That depends on the number of vectors and campaigns. A focused assessment usually takes two to four weeks from scoping to debrief; combined scenarios with several campaigns take correspondingly longer. We define the exact scope together during scoping.
What happens if nobody falls for the campaign?
That is a valuable result too, but rarely a reason to relax. We then evaluate how quickly the attack was reported, whether the reporting channels worked and how your filters responded. A single campaign without clicks doesn't prove immunity, and the external perimeter remains an attack surface regardless.
Evaluate an initial access assessment for your organisation
Let us spend 30 minutes clarifying which vectors make sense for your organisation and how an assessment could run. Free and without obligation.