Email Attack Simulation

Put your email security to the test

See what's happening in your email security and close critical gaps fast with the industry's largest collection of anti-phishing tests — no allow-lists required.

Request Simulation Download Report
attack_simulation_results_hero_visual

Trusted by leading organizations — from 500 to 37,000 employees

die_post_logo_white
cern_logo_white
juliusbaer_logo_white
swisscom_logo_white
implenia_logo_white
hoval_logo_white
vontobel_logo_white
haufe_logo_white
visana_logo_white
soh_logo_white
kirchhoff_logo_white
netcetera_logo_white
finnova_logo_white
alto_logo_white
climeworks_logo_white
coop_logo_white
usz_logo_white
galencia_logo_white

Uncover gaps before attackers do

And fix them fast. With more than 160 attack scenarios across phishing, BEC, malware, and extortion scams, our simulation shows you exactly with which techniques attackers can bypass your stack and where tuning is needed.

Stay ahead of the latest email attack techniques

Our research team matches new email threats to attack and evasion techniques (TTPs) as they emerge, continuously adding new test cases to the simulation, so you can catch today what attackers use tomorrow.

Build the case for IT security investment – without guesswork

Show leadership exactly where your stack falls short and which improvements matter most. Replace gut feeling with evidence, sharpen priorities with data, and secure the budget you need.

Ready to put your email security to the test?

Gain an attacker’s view of your environment and identify opportunities to strengthen protection. Get evidence of your real email security posture — no configuration changes and without disrupting mail flow.

The email attack simulation is available for CHF 1,750.

Frequently Asked Questions

Are these real attacks seen in the wild?

Yes. All our test cases are based on campaigns observed by xorlab’s research team and mapped to real-world attacker techniques.

Which attack types and techniques are included?

The simulation covers phishing, BEC, malware, extortion scams, and includes modern evasion and deception techniques such as QR codes, HTML smuggling, and AI-generated lures.

Are the emails safe to interact with during the simulation?

The simulation runs in a dedicated mailbox that only you can access. Interaction is not required or encouraged. All tests are controlled and designed to evaluate detection capabilities without risk.

How should we interpret the results — are they good or bad?

Results show, per test case, whether controls behaved as expected. A xorlab expert reviews the findings with you, explaining risks, context, and improvement opportunities.

Can we benchmark our results against similar organizations?

Yes. Your results can be compared to organizations of similar size, industry, and setup to put your email security posture into context.

Do we need to whitelist domains or weaken controls?

No. Security tests should reflect real-world exposure. That’s why the simulation runs without allow-lists or exceptions.

How quickly will we see results?

Once a dedicated test mailbox is set up, results are delivered within one week — typically sooner.