Gain an attacker’s view of your environment and identify opportunities to strengthen protection. Get evidence of your real email security posture.
No configuration changes
Without disrupting mail flow
Trusted by leading organizations — from 500 to 37,000 employees
Frequently Asked Questions
Are these real attacks seen in the wild?
Yes. All our test cases are based on campaigns observed by xorlab’s research team and mapped to real-world attacker techniques.
Which attack types and techniques are included?
The simulation covers phishing, BEC, malware, extortion scams, and includes modern evasion and deception techniques such as QR codes, HTML smuggling, and AI-generated lures.
Are the emails safe to interact with during the simulation?
The simulation runs in a dedicated mailbox that only you can access. Interaction is not required or encouraged. All tests are controlled and designed to evaluate detection capabilities without risk.
How should we interpret the results — are they good or bad?
Results show, per test case, whether controls behaved as expected. A xorlab expert reviews the findings with you, explaining risks, context, and improvement opportunities.
Can we benchmark our results against similar organizations?
Yes. Your results can be compared to organizations of similar size, industry, and setup to put your email security posture into context.
Do we need to whitelist domains or weaken controls?
No. Security tests should reflect real-world exposure. That’s why the simulation runs without allow-lists or exceptions.
How quickly will we see results?
Once a dedicated test mailbox is set up, results are delivered within one week — typically sooner.
