Proprietary Benchmark Methodology

The First Quantified Score for Human-Layer Risk

Click rates don't tell you if your organization is secure. The Social Engineering Benchmark Score (SEBS) measures how your people, processes, and technology actually perform under AI-powered attacks — giving security leaders a real number they can act on.

  • 92%: Orgs vulnerable to deepfake social engineering
  • 3: Dimensions measured in every assessment
  • SEBS: Your composite benchmark score, 0–100

A Click Rate Is Not a Risk Score

Security awareness training platforms give you one number: how many people clicked a link. That tells you almost nothing about your actual exposure to social engineering.

BLIND SPOT

Process Is Never Tested

Phishing simulations ignore whether your verification workflows, escalation procedures, and financial controls actually hold up. A click rate tells you nothing about your wire transfer process.

  • Out-of-band verification never validated
  • No escalation path stress-testing
  • Policy vs. practice delta unmeasured
  • Business process gaps stay hidden

BLIND SPOT

Technology Controls Go Untested

Email click simulations don't tell you whether your SEG, identity stack, or collaboration platform controls can withstand AI-generated attack payloads. Those gaps stay open.

  • DMARC & spoofing resilience unmeasured
  • Teams/Zoom control gaps not assessed
  • MFA bypass risk unknown
  • Entra ID session exposure untested

BLIND SPOT

No Peer Benchmark Exists

A 14% click rate means nothing without context. Is that good for your sector? Better or worse than last quarter? SAT vendors have no real benchmark because they don't conduct offensive research.

  • No industry-normalized comparisons
  • No repeatable year-over-year baseline
  • No board-ready risk quantification
  • No defensible remediation priority

The SEBS solves this.

The Social Engineering Benchmark Score is a composite, weighted metric across People, Process, and Technology — calibrated against real attack data from 13+ enterprise engagements across finance, law, energy, and manufacturing. It's the first number of its kind.

Three Dimensions. One Composite Score.

Every Breacher.ai engagement simultaneously tests all three layers of your human attack surface — and scores each independently before rolling up into your SEBS.

DIMENSION 01

People

Human behavior under real AI-powered attack conditions. Measured by role, seniority, and repeat exposure — not just by whether someone clicked a link.

  • Deepfake video & voice recognition rates
  • Synthetic identity detection accuracy
  • Role-weighted susceptibility scoring
  • Executive and finance team targeting response
  • Calendar invite phishing engagement rates
  • Multi-turn pretext compliance rates

DIMENSION 02

Process

The gap between written policy and real-world behavior under pressure. We stress-test the workflows employees rely on when something goes wrong.

  • Out-of-band verification adherence rates
  • Wire transfer & credential request controls
  • Incident reporting latency benchmarks
  • Escalation path effectiveness scoring
  • Procedure bypass under pretext scenarios
  • OSINT-informed business process gaps

DIMENSION 03

Technology

Your technical controls evaluated against live AI-generated attack payloads — not vendor questionnaires. We find what bypasses your stack in the real world.

  • Email gateway deepfake payload bypass rates
  • Teams / Zoom / Meet control gaps
  • DMARC, DKIM & spoofing resilience scoring
  • Credential harvesting page detection rates
  • MFA bypass susceptibility under pretext
  • Entra ID / Okta session token exposure

How Your SEBS Is Calculated

The SEBS isn't a survey. It's derived from live attack telemetry — weighted, normalized, and peer-benchmarked across your sector.

Sample SEBS Output — Financial Sector
Composite Social Engineering Benchmark Score · Q1 Assessment
Rating: High Risk

People: 74/100
62 unique attack interactions · 3 roles targeted
  • 22.9% deepfake click rate · 63% above avg
  • Finance Exec impersonation: high response

Process: 58/100
Wire transfer scenarios · Callback verification testing
  • Verification bypassed in 71% of scenarios
  • Avg reporting delay: 4.2 hrs
  • Escalation path: partial

Technology: 81/100
Email gateway · Teams controls · Identity stack
  • Calendar payload: bypassed SEG
  • MFA pretext: 2 bypass vectors found
  • DMARC: configured

  • 85–100, Low Risk: Strong posture across all three dimensions. Continued monitoring recommended.
  • 65–84, Moderate Risk: Gaps present. Targeted remediation required in at least one dimension.
  • 45–64, High Risk: Material exposure. Priority remediation and re-assessment recommended within 90 days.
  • 0–44, Critical Risk: Immediate action required. Your organization would not survive a targeted AI attack today.

Four Phases. One Benchmark.

The SEBS isn't self-reported. It's the output of a structured offensive engagement — conducted by practitioners who build and deploy the attacks themselves.

01
PHASE ONE

OSINT Threat Mapping

We build an external intelligence profile of your organization — identifying exposed personnel, org hierarchy, communication patterns, and digital footprints. This establishes your pre-assessment attack surface and informs every simulation that follows.

  • LinkedIn, public records, and data broker harvesting
  • Executive digital footprint analysis
  • Org chart and role exposure mapping
  • Attack surface baseline documented

02
PHASE TWO

AI Attack Simulation

We deploy multi-vector, AI-powered campaigns across your agreed scope — deepfake video calls, voice cloning, calendar invite phishing, and agentic AI email sequences. Every payload is built from your OSINT profile, not a generic template.

  • Real-time deepfake video via Teams / Zoom / Meet
  • Voice-cloned executive vishing calls
  • Agentic AI multi-turn email sequences
  • Calendar invite phishing (3× standard click rate)

03
PHASE THREE

Control & Response Analysis

Every interaction is logged and analyzed: who engaged, who reported, how long detection took, which controls failed, and what processes broke down. We correlate behavioral outcomes against your policy documentation and technical stack configuration.

  • Engagement telemetry across all attack vectors
  • Detection and reporting dwell time measurement
  • Process failure root cause identification
  • Technical control gap documentation

04
PHASE FOUR

SEBS Scoring & Roadmap

Results are normalized into your Social Engineering Benchmark Score — weighted across People, Process, and Technology — with sector peer comparisons, risk-weighted remediation priorities, and a structured roadmap tied to your security maturity goals.

  • Composite SEBS score, 0–100
  • Dimension-level scores with supporting evidence
  • Industry peer group benchmarking
  • Board-ready executive briefing deck

SEBS vs. Everything Else

No other security measurement framework tests all three dimensions concurrently under real AI-powered attack conditions.

Measurement Capability
SAT / Click Rate Metrics
Breacher.ai SEBS
Tests People, Process & Technology concurrently
Derived from live AI-powered attack telemetry
Industry peer group benchmarking
~
Validates business process controls under attack
Tests deepfake video & voice cloning vectors
Measures technical control bypass rates
OSINT-informed targeting (not generic templates)
~
Composite risk score, repeatable year-over-year
Board-ready executive reporting
~
Aligns remediation to measured risk, not assumptions

What You Get From Every Assessment

Structured outputs designed for security leaders, CISOs, and board risk committees — not just your SOC team.

DELIVERABLE 01

Composite SEBS Report

Your scored, peer-benchmarked posture across People, Process, and Technology — with sector comparisons, trend lines if repeated, and your overall SEBS score for leadership.

  • SEBS composite score with dimension breakdown
  • Sector peer group percentile ranking
  • Year-over-year delta tracking (repeated clients)
  • Risk severity classification per dimension

DELIVERABLE 02

Technical Findings Annex

Detailed evidence logs, engagement timelines, attack payload samples, and control failure documentation for your SOC and security engineering teams.

  • Full attack telemetry and interaction logs
  • Technical control gap evidence
  • Attack payload samples and bypass documentation
  • Detection and dwell time data

DELIVERABLE 03

Risk-Weighted Roadmap

Prioritized recommendations across People training, Process redesign, and Technology hardening — sequenced by measured risk impact, not arbitrary severity ratings.

  • Prioritized remediation by dimension
  • Quick wins vs. strategic investments
  • Compliance framework alignment mapping
  • Re-assessment milestone recommendations

Security Leaders Who've Seen Their Score

"I think the entire company is already talking about voice cloning and the risks. It's been a huge win for us already, without even seeing any of the actual results."

"I was expecting a demo, not an episode of Black Mirror. This is really good, I'm surprised at how advanced it's gotten."

"Users were surprised with how good the deepfakes were. I'm really impressed. Really crazy talking to a deepfake."

SEBS Assessments Completed Across

  • Fortune 500
  • Banking & Finance
  • Energy Sector
  • Legal Services
  • Transportation

G2: ★★★★★ 5.0 Rating
Gartner Peer Insights: ★★★★★

Find Out Your SEBS Score

In 30 days, you'll know exactly where your organization stands — People, Process, and Technology — against real-world AI-powered social engineering attacks.

  • Composite SEBS score delivered
  • No IT integration required
  • Fully managed assessment