APS Methodology

The APS Kill-Chain

Adversarial Phishing Simulations go beyond generic fake emails. We replicate the sophisticated, targeted attacks that break through traditional defences by applying offensive security principles and adopting real threat actor tactics.

Enquire Today
Real-World Threat Actor Tactics

A Three-Phase Approach

The APS Kill-Chain maps the full lifecycle of a realistic phishing campaign — from reconnaissance and pretext development through to delivery, exploitation, and outcome analysis.

Each phase mirrors the steps a real attacker would take, ensuring your workforce is tested against genuine threat behaviour rather than recycled templates. This structured methodology is what separates Adversarial Phishing Simulations from traditional compliance exercises.

Reconnaissance

Gathering intelligence — job roles, technology stacks, suppliers, and public data.

Pretext Development

Creating realistic narratives with credible branding, relevant context, and familiar tone.

Delivery Mechanism

Deploying across multiple channels — email, SMS, AI-voice calls, and QR codes.

Bypass Technical Controls

Testing defences with lookalike domains, embedded links, redirection, and polymorphic attacks.

Exploit Human Behaviour

Tapping into urgency, concern, and curiosity to test critical thinking under pressure.

Payload Delivery

Simulated credential collection, triggered downloads, or information gathered via AI voice calls.

Detection and Reporting

Portal reporting on employee interactions, trend analysis, and technical debriefs with an Offensive Security Consultant.

Get Started

Ready to Test Your Defences?

Talk to our team about running a threat-intelligence led phishing campaign tailored to your organisation.

Get in Touch
Detailed Breakdown

The Three Phases

Each phase of the APS Kill-Chain is designed to replicate real attacker behaviour at every stage of a phishing campaign.

Reconnaissance — Just as attackers conduct reconnaissance before launching an attack, we gather relevant intelligence to inform the pretext of our simulations:

  • Understanding Job Roles — different roles have varying levels of access and responsibilities, making them potential targets for different types of phishing attacks
  • Analysing Technology Stacks — awareness of the technologies an organisation uses informs the creation of technical lures
  • Identifying Suppliers and Partners — we consider key suppliers and partners to create simulations that mimic communications from these entities
  • Leveraging Public Data — we conduct Open Source Intelligence (OSINT) to uncover information available online to enable highly convincing, personalised attacks

Crafting Believable Pretexts — Generic phishing attempts are easy to spot. APS closely mirrors the threats employees might encounter in daily operations:

  • Realistic Branding — using actual logos, colour schemes, and language of familiar companies, services, and internal communications
  • Contextual Relevance — tailoring subject lines and content to industry trends, departmental operations, or internal announcements
  • Familiar Language and Tone — adopting the communication style commonly used by the impersonated entity
  • Exploiting Current Events — leveraging timely topics that make a phishing attempt seem more legitimate or urgent

Different Types of Lures — We tailor lures to exploit different departments and professional responsibilities:

  • Financial — mimicking urgent payment requests, fraudulent invoices, investment opportunities, or tax-related scams
  • Technical — posing as IT support or a Managed-Service Provider with software updates, warnings about compromised accounts, or critical system errors
  • Social — building rapport or creating a sense of obligation through impersonating colleagues, managers, or HR

Dynamic Stages — Real-world attacks rarely involve a single click. They are multi-stage, progressively luring targets and bypassing security measures:

  • Initial Contact — first communication designed to pique interest or create urgency
  • Action Trigger — a link to a fake login page, or a prompt to provide sensitive information
  • Follow-Up Communication — additional correspondence to verify the initial contact and action request

Multiple Methods of Delivery — Phishing is no longer solely email-based. We offer simulations that reflect this multi-vector reality:

  • Email Phishing — the traditional and still most prominent method, involving impersonation through email communications
  • Smishing — SMS messages containing malevolent links or requests for sensitive information
  • Vishing — phone calls where attackers impersonate trusted entities to extract information
  • Quishing — malicious QR codes that lead to phishing websites or trigger malware downloads

Bypassing Technical Controls — Threat actors are adept at finding ways around technical security measures:

  • Lookalike Domains — domains very similar to real ones to see if employees notice subtle discrepancies
  • Embedded Links — hiding malicious links behind seemingly legitimate text or buttons
  • Redirection Tactics — seemingly safe links that redirect to a phishing site
  • Social Engineering Bypasses — time-sensitive pressure on employees to bypass standard security protocols
  • Polymorphic Attacks — dynamically changing characteristics with each attempt to evade detection

Exploiting Human Behaviour — APS taps into human emotions to test employees’ critical thinking under pressure:

  • Urgency — scenarios that demand immediate action to bypass careful consideration
  • Concern/Fear — threats of data breaches or operational disruption if specific actions aren’t taken
  • Curiosity — intriguing or sensationalised content to entice users to click without proper scrutiny

Adapting Tactics — We operate on a continuous improvement cycle:

  • Regular Simulations — ongoing campaigns to track progress and identify emerging vulnerabilities
  • Evolving Content — adapting content, complexity, and focus based on previous campaigns and the latest threat intelligence

Results Analysis — The Echo Secure Portal provides access to simulation reports and trend analysis. We meticulously track how employees interact with each simulation:

  • Identify Susceptible Groups — pinpoint specific departments, roles, or individuals who may require additional focused training
  • Recognise Behaviour Patterns — understand which types of lures, behavioural triggers, or attack vectors were most successful
  • Highlight Awareness Gaps — determine specific areas where employees demonstrated a lack of understanding or vigilance

Training Webinars — We provide training webinars to lay out clear steps to remediate prevalent weaknesses:

  • Highlight Common Vulnerabilities — pinpoint recurring weaknesses based on real-world attacks and simulation results
  • Explain the Risks — translate technical jargon into understandable business risks
  • Step-by-Step Remediation — practical, actionable steps including policy adjustments, configuration changes, and training strategies
  • Interactive Q&A — sessions for customers to ask specific questions and share challenges
  • Role-Based Training — tailored content for specific departments
  • Bespoke Sessions — webinars based on results and analysis of your simulation campaigns

Strengthen Your Human Defences

Get in touch to discuss how the APS Kill-Chain methodology can transform your phishing simulation programme.

Contact Us
Accreditations

Industry Recognised Standards

CREST Pathway
CRT
OSCP
CRTO