Cimento is headed to Black Hat USA — catch us in Vegas, Aug 1–6

Black Hat USA 2026 · Aug 1–6

Book a Meeting →

Book a Meeting →

Runs Alongside Your Current Program

See what your security awareness program is missing.

Most programs can prove training happened. Fewer can prove risk went down.

Most programs can prove training happened. Fewer can prove risk went down.

Most programs can prove training happened. Fewer can prove risk went down.

Cimento’s Human Risk Baseline gives your security team a role-based view of employee exposure, behavior, and resilience across modern social engineering channels — in 14 days.

NO RIP-AND-REPLACE. NO EMPLOYEE SHAMING.

What You Get

What lands on day 14.

01

Role-Based Human Risk Score

Risk modeled per role and cohort, weighted by behavior and by the access attackers actually care about.

02

Multi-Channel Exposure Assessment

How your people respond to email, SMS, voice, and AI-enabled impersonation — the channels most legacy programs never test.

03

Reporting & Resilience Gaps

Who reports suspicious activity, how fast, and where reports go to die. Reporting speed is scored as its own risk signal.

04

Current-Program Comparison

What your existing SAT metrics say versus what the baseline found — so you can see the gap between completion rates and actual risk.

05

Admin-Time & Compliance Readiness

How much manual campaign work your current program requires, and where you stand on SOC 2, ISO 27001, HIPAA, PCI, and insurance requirements.

06

Board-Ready Summary + Remediation Plan

A one-page risk trend your leadership will understand, plus a prioritized plan for what to fix first and why.

How It Works

Fourteen days, four steps.

Days 1–2

Connect

Link identity and HRIS data, approve simulation scope and channels, allowlist sending infrastructure. Under an hour of your team’s time.

Days 3–11

Simulate

Cimento runs scoped, realistic scenarios across email, SMS, voice, and AI-enabled impersonation — adapted to role and seniority.

Days 3–11

Measure

Every interaction feeds the risk model: exposure, behavior, reporting speed, and resilience — not just clicks.

Days 12–14

Debrief

You get the full report and a working session with our team: findings, blind spots, and a remediation plan you can run with any vendor.

What It Measures

Exposure. Behavior. Resilience.

Clicks are a signal. They are not the whole risk model.

Clicks are a signal. They are not the whole risk model.

Legacy programs measure two things: who finished training and who clicked a simulated email. The baseline measures what a modern attacker would actually probe:

Exposure — who has access, privileges, and public footprint that attackers target first.

Behavior — how people actually respond to realistic multi-channel pressure, by role.

Resilience — whether threats get reported, how fast, and whether the org recovers.

Human Risk Baseline · Sample

Day 14

61/100

61/100

Org Risk Index

▲ High-access roles trend elevated

Finance · vishing exposure 82

Engineering · AI phishing 64

All staff · reporting rate 31

Email

SMS

Voice

AI-Impers.

Exec

Med

High

Crit

High

Finance

Med

High

High

Med

All staff

Low

Med

Med

Low

Illustrative sample. Your report reflects your org, roles, and approved scope.

Why Now

Run it before you renew.

A renewal is the one moment you have leverage. The baseline gives you the evidence to use it — whichever way the decision goes.

If your program is working

You renew with independent proof that risk is trending down — and a board slide to show for it.

If there are gaps

You walk into the renewal conversation knowing exactly what’s missing: channels untested, roles unmeasured, reports uncounted.

Either way

The remediation plan is yours to keep and works with any vendor. No obligation to switch.

FAQ

Common questions.

Do we have to replace our current platform to run a baseline?

How much work is required from our security team?

Which channels does the baseline test?

Will employees be punished or embarrassed?

Does the baseline satisfy compliance training requirements?

What do we get at the end of 14 days?

Get Started

Run your baseline.

Tell us where to send the scoping details. Most teams are live within two business days.

14 days, alongside your current program

<1 hour of setup from your team

Board-ready report and remediation plan, yours to keep

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.