Hack your company before someone else does
Blog post from Sigma
A company conducted an unrestricted red team and social engineering exercise, with no rules of engagement, to evaluate its security measures against a determined third-party attack. The hired hackers executed a sophisticated phishing scheme that targeted employees using a cleverly disguised URL and leveraged the company's own identity provider. Despite the initial breach, the use of Obsidian Security allowed the security team to monitor and respond swiftly, resetting credentials and eradicating the malicious activity. The exercise revealed vulnerabilities, demonstrated the effectiveness of the security team's rapid response, and underscored the importance of continuous testing and improvement of security protocols. Notably, employees quickly reported the phishing emails, and the incident highlighted the necessity of resetting sessions across all applications and of considering biometrics for sensitive apps. The experience emphasized the value of such exercises in identifying weaknesses and improving security strategies.