High Risk Roles | In Practice | The Cyber Escape Room Co.

Not everyone is an equal target.

Most programmes train everyone the same way. The evidence says that's a poor use of budget. A small proportion of people account for the vast majority of incidents. The question is whether you're training them accordingly.

8% of employees account for 80% of security incidents. The same generic training is reaching all of them.

Verizon Data Breach Investigations Report, 2025

Chart: 8% high-risk individuals, 92% everyone else.
The actual problem

Most programmes spend the budget in the wrong place.

If a small proportion of people are driving the vast majority of incidents, the maths on a one-size-fits-all training programme doesn't work. You're spending most of your time, money, and effort on the 92% who aren't your biggest problem, and giving your highest-risk individuals nothing more targeted than the module everyone else clicked through.

Finding your 8% takes work. It requires looking at role profiles, access levels, call volumes, and historical incident data. That's your job, not ours. But the evidence on where to start that investigation is consistent: certain roles are targeted more frequently, more deliberately, and with more sophisticated attacks than the rest of the organisation.

The attack is designed around the role. The training should be too.

Starting your targeted programme with these roles isn't a guess. It's the most logical place to direct resource while you build a fuller picture of where your specific risk actually sits.

Where to start

The roles attackers call first.

Finance

Payment diversion, invoice fraud, and urgent transfer requests are the most financially costly social engineering attacks. Finance teams are trained to act on authority and move quickly. Attackers exploit both.

Primary target for BEC and payment fraud
HR & Payroll

Personal data, bank details, payroll adjustments, and staff information are all accessible through HR. Impersonation attacks targeting this function are consistently high-volume and high-success.

High-value personal data access
Senior EAs

Executive assistants manage calendars, travel, finances, and communications on behalf of the most senior people in the organisation. They're a proxy for executive authority and a frequent target for impersonation attacks.

Proxy access to executive authority
IT Helpdesk

IT support staff are trained to help. Attackers use that instinct to extract credentials, reset access, and disable controls. The helpdesk is one of the most consistently exploited entry points in social engineering attacks.

Credential and access harvesting

This isn't your full list. These are the most commonly targeted roles across organisations. Your actual 8% may include people in entirely different functions depending on your sector, structure, and risk profile. The right approach is to use these as a starting point for the investigation, not as a definitive answer.

The right tools

Three products. One focused approach.

Generic training reached these people already. It didn't work. What works is role-specific rehearsal, real pressure testing, and structured decision-making at the executive level.

CTRL+Vish
Vishing Simulations
What it does for high-risk roles

AI-powered vishing simulations built specifically for the roles attackers actually call. Finance gets payment diversion scenarios. HR gets personal data requests. IT helpdesk gets credential harvesting calls. The pressure is real. The consequences aren't.

How to deploy it

Start with training and a practice line so people understand what they're preparing for. Then run live simulations against the target cohort. Results identify who responded well, who needs support, and where the programme should focus next.

ESC
Physical Escape Rooms
What it does for high-risk roles

The Breach and The Heist are the most directly relevant scenarios for high-risk roles. The Breach puts teams inside a ransomware investigation, tracing the social engineering that started it. The Heist puts them in the attacker's shoes. Both build the instinct that CTRL+Vish then tests.

How to deploy it

Run ESC before CTRL+Vish. Use it as the rehearsal layer: people experience the attack mechanics in a safe environment first, then get tested under real pressure. The sequence matters. Pressure-testing people who've never seen the attack pattern produces worse results and worse feelings about the programme.

CMD
Tabletop Exercises
What it does for high-risk roles

CMD is built for executive teams and incident response functions. It's not a training session. It's a structured decision-making exercise that puts leadership through a realistic breach scenario and tests how they respond, escalate, communicate, and decide under pressure.

How to deploy it

Run CMD with your exec team and incident response leads separately from the broader high-risk cohort. The questions it surfaces (who has authority to do what, when, and how) are different from the questions that come out of a CTRL+Vish simulation, and they need a different kind of space to be answered properly.

CTRL+Vish scenarios

Built for the calls your highest-risk people actually receive.

Finance
Payment & Invoice Fraud

A caller impersonates a senior leader or supplier with an urgent payment request. The scenario tests whether the participant follows verification procedures under time pressure and authority pressure simultaneously.

Payment diversion  ·  Verification discipline  ·  Escalation under pressure
HR & Payroll
Personal Data & Identity Requests

A caller impersonating a colleague or manager requests a payroll change or personal data update. The scenario tests the participant's ability to verify identity and resist social pressure without creating a confrontational interaction.

Personal data protection  ·  Trust exploitation  ·  Verification discipline
IT Helpdesk
Credential & Access Harvesting

A caller impersonating a user, manager, or third-party provider needs urgent access restored or credentials confirmed. The scenario tests whether IT support staff can challenge without alienating the caller and verify without being bypassed.

Password security  ·  Impersonation awareness  ·  Challenge behaviour
Any Role
Custom Scenarios

CTRL+Vish supports fully bespoke vishing simulations built around your organisation's specific risk profile, internal terminology, known attack patterns, and operational context. If your 8% sit in a role not listed here, we can build for it.

Role-specific  ·  Sector-relevant  ·  Fully bespoke
From the room

"The Cyber Escape Room experience was a game-changer for our security awareness training. Our teams were fully engaged, with participants describing the sessions as 'actually fun', something you rarely hear about cyber security training. The games weren't just entertaining. They were a powerful tool for driving home critical security messages."

Sally Bolton

Cyber Human Risk Manager, SP Energy Networks

Know your 8%. Train them accordingly.

We'll help you build a targeted programme for your highest-risk roles. No generic training. No wasted budget on the people who aren't your biggest problem. Tell us where you're starting from.
