Runs Alongside Your Current Program
See what your security awareness program is missing.
Cimento’s Human Risk Baseline gives your security team a role-based view of employee exposure, behavior, and resilience across modern social engineering channels — in 14 days.
NO RIP-AND-REPLACE. NO EMPLOYEE SHAMING.
What You Get
What lands on day 14.
01
Role-Based Human Risk Score
Risk modeled per role and cohort, weighted by behavior and by the access attackers actually care about.
02
Multi-Channel Exposure Assessment
How your people respond to email, SMS, voice, and AI-enabled impersonation — the channels most legacy programs never test.
03
Reporting & Resilience Gaps
Who reports suspicious activity, how fast, and where reports go to die. Reporting speed is scored as its own risk signal.
04
Current-Program Comparison
What your existing SAT metrics say versus what the baseline found — so you can see the gap between completion rates and actual risk.
05
Admin-Time & Compliance Readiness
How much manual campaign work your current program requires, and where you stand on SOC 2, ISO 27001, HIPAA, PCI, and insurance requirements.
06
Board-Ready Summary + Remediation Plan
A one-page risk trend your leadership will understand, plus a prioritized plan for what to fix first and why.
How It Works
Fourteen days, four steps.
Days 1–2
Connect
Link identity and HRIS data, approve simulation scope and channels, allowlist sending infrastructure. Under an hour of your team’s time.
Days 3–11
Simulate
Cimento runs scoped, realistic scenarios across email, SMS, voice, and AI-enabled impersonation — adapted to role and seniority.
Days 3–11
Measure
Every interaction feeds the risk model: exposure, behavior, reporting speed, and resilience — not just clicks.
Days 12–14
Debrief
You get the full report and a working session with our team: findings, blind spots, and a remediation plan you can run with any vendor.
What It Measures
Exposure. Behavior. Resilience.
Legacy programs measure two things: who finished training and who clicked a simulated email. The baseline measures what a modern attacker would actually probe:
Exposure — who has access, privileges, and public footprint that attackers target first.
Behavior — how people actually respond to realistic multi-channel pressure, by role.
Resilience — whether threats get reported, how fast, and whether the org recovers.
Human Risk Baseline · Sample
Day 14
Org Risk Index
▲ High-access roles trend elevated
Finance · vishing exposure 82
Engineering · AI phishing 64
All staff · reporting rate 31
SMS
Voice
AI-Impers.
Exec
Med
High
Crit
High
Finance
Med
High
High
Med
All staff
Low
Med
Med
Low
Illustrative sample. Your report reflects your org, roles, and approved scope.
Why Now
Run it before you renew.
A renewal is the one moment you have leverage. The baseline gives you the evidence to use it — whichever way the decision goes.
If your program is working
You renew with independent proof that risk is trending down — and a board slide to show for it.
If there are gaps
You walk into the renewal conversation knowing exactly what’s missing: channels untested, roles unmeasured, reports uncounted.
Either way
The remediation plan is yours to keep and works with any vendor. No obligation to switch.
FAQ
Common questions.
Do we have to replace our current platform to run a baseline?
How much work is required from our security team?
Which channels does the baseline test?
Will employees be punished or embarrassed?
Does the baseline satisfy compliance training requirements?
What do we get at the end of 14 days?
Get Started
Run your baseline.
Tell us where to send the scoping details. Most teams are live within two business days.
14 days, alongside your current program
<1 hour of setup from your team
Board-ready report and remediation plan, yours to keep