A company delivered mandatory security-awareness training to all employees last quarter. During the current penetration test, the statement of work instructs the tester to validate whether that training decreased the workforce's susceptibility to social-engineering attacks while avoiding any disruption of production systems. Which of the following test activities BEST satisfies this requirement?
Perform an unauthenticated vulnerability scan against internal network segments during business hours.
Send a spear-phishing campaign that captures click and submission metrics but routes employees to a benign notification page.
Attempt to exploit newly disclosed CVEs on the public-facing web application to obtain shell access.
Use harvested credential pairs to conduct password-spray attacks against the corporate cloud tenant.
Sending carefully crafted phishing emails that mimic real attacks but redirect clicks to a harmless landing page records who interacts with the messages without affecting production systems. The resulting click-through rate directly indicates whether employees apply the lessons from recent awareness training. Vulnerability scans, web-application exploits, and credential-stuffing attacks may be useful for other objectives, but they do not measure the human element targeted by social engineering and can introduce operational risk.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is phishing?
Open an interactive chat with Bash
Why are phishing simulations important in cybersecurity training?