
Phishing Simulation – Test Your Human Firewall

Realistic attack simulations that reveal how your employees respond to phishing, credential harvesting, and MFA-bypass attacks — before a real attacker does.

Why Awareness Training Alone Falls Short

91% of cyberattacks start with a phishing email. Your employees are the most targeted entry point — and the hardest to patch.

Generic training slides don't change behavior. People need to experience a realistic attack to build lasting instincts.

Compliance frameworks like NIS2 and ISO 27001 require documented evidence of security awareness — not just a checkbox.

Without measurable data on click rates, credential submissions, and MFA bypass success, you're flying blind on human risk.

What We Deliver

Realistic Campaign Design

Custom phishing scenarios tailored to your industry and internal processes. From IT-support pretexts to HR and O365 lures — indistinguishable from real attacks.

MFA-Bypass Simulation

Advanced adversary-in-the-middle attacks using Evilginx to test whether your MFA actually holds. The same technique real threat actors use.

Branded Landing Pages

Pixel-perfect replicas of your login portals and internal tools. Custom branding makes the simulation realistic and the training memorable.

TINTE Dashboard Integration

Live campaign tracking, click-rate analytics, credential submission stats, and per-department breakdowns — all in your TINTE dashboard.

Transparent Pricing

Fixed-price campaigns. No hidden fees. Choose the scope that fits your organization.

Basis

€1,490 one-time per campaign

SME up to 100 employees

  • 1 phishing campaign
  • 1 attack scenario (e.g. IT Support)
  • Up to 100 target addresses
  • Standard landing page
  • Click & credential tracking
  • PDF report (5–8 pages)
  • No follow-up support

Professional (Recommended)

€2,990 one-time per campaign

SME with 100–500 employees

  • 2 phishing campaigns
  • 2 scenarios (e.g. O365 + HR)
  • Up to 500 target addresses
  • Custom landing page (your branding)
  • MFA-bypass simulation (Evilginx)
  • Detailed report (10–15 pages)
  • Executive summary for management
  • 1h results presentation
  • Awareness recommendations

Enterprise

from €5,500 custom scope

Enterprise 500+ employees / annual contract

  • Up to 4 campaigns per year
  • Unlimited target addresses
  • Multi-vector (mail + SMS + voice)
  • Spear-phishing targeted at VIPs
  • TINTE dashboard integration
  • Individual reporting & KPIs
  • Awareness training module
  • Semi-annual review meeting
  • Framework contract / retainer possible

All prices excl. VAT. Enterprise pricing based on individual scoping.

How We Run a Campaign

01. Scoping & Kickoff

We define campaign goals, target groups, attack scenarios, and timing. Joint agreement on rules of engagement and escalation paths.

02. Campaign Design

We craft phishing emails, build branded landing pages, and configure tracking infrastructure. Every detail is designed to mirror a real attack.

03. Execution

Phishing emails are sent in waves to your employees. Click rates, credential submissions, and MFA-bypass attempts are tracked in real-time.

04. Analysis & Reporting

Full breakdown by department, role, and scenario. Executive summary for leadership and detailed technical report with benchmarks.

05. Awareness Debrief

Interactive walkthrough of results with your team. We show exactly what happened, why it worked, and how to spot it next time.

06. Retest (Enterprise)

Follow-up campaign to measure improvement. Track behavioral change over time and demonstrate ROI of your awareness program.

Certifications & Qualifications

Our experts hold industry-recognized certifications.

  • OSCP: Offensive Security Certified Professional
  • PNPT: Practical Network Penetration Tester
  • PJPT: Practical Junior Penetration Tester
  • GOSI: GIAC Open Source Intelligence (SANS SEC497)

All services are delivered by Kaplan GmbH (Hamburg, Germany).

Frequently Asked Questions

Yes. All campaigns are conducted with written authorization from your organization. We follow responsible disclosure practices and never target personal accounts or systems outside the agreed scope.
That's up to you. Most organizations run blind campaigns for realistic results, then reveal the simulation during the awareness debrief. We recommend informing your works council or HR in advance.
They see a branded awareness page explaining that this was a simulation, what they should have looked for, and how to report suspicious emails. No data is stored beyond aggregate statistics.
Yes. Our Professional and Enterprise tiers include adversary-in-the-middle (AitM) attacks using Evilginx. This tests whether your MFA implementation holds against real-world session hijacking techniques.
We never store actual passwords. Credential submissions are recorded as hashed indicators for reporting purposes only. All campaign data is processed in compliance with GDPR and deleted after the agreed retention period.
Absolutely. We work with you during scoping to select scenarios that are relevant to your organization — from generic credential harvesting to highly targeted spear-phishing pretexts.

Ready to Test Your Team?

Find out how your organization responds to a realistic phishing attack — before a real attacker does.

Request a Campaign

No obligation · Response within 24 hours
