Cimento is headed to Black Hat USA — catch us in Vegas, Aug 1–6

Black Hat USA 2026 · Aug 1–6

Book a Meeting →

Book a Meeting →

Home / Topics / Vishing Simulation

Channel Brief

Vishing simulation.

Your employees have been trained on suspicious emails for a decade. Then the phone rings.

Your employees have been trained on suspicious emails for a decade. Then the phone rings.

Your employees have been trained on suspicious emails for a decade. Then the phone rings.

Vishing — voice phishing — is behind some of the most damaging breaches of the past few years: help desks talked into MFA resets, finance teams talked into wires, employees talked into credentials. Almost none of those organizations had ever simulated a phone call.

The Problem

Voice is the untested channel.

01

Real-time pressure

Email gives people time to think and a button to report. A live call removes both — social pressure, authority cues, and urgency operate in real time.

02

AI voice cloning

A few seconds of public audio — an earnings call, a conference talk — is enough to synthesize a credible executive voice asking for something urgent.

03

The help desk gap

IT support exists to be helpful and has reset privileges. That combination is exactly what attackers exploit, and it’s rarely tested.

Why Legacy Training Struggles

Email platforms simulate email.

Legacy SAT platforms were architected around SMTP. Voice simulation requires telephony infrastructure, conversational AI, consent and scoping controls, and scoring for interactive dialogue — none of which retrofit cleanly onto a template mailer. So the channel with the highest-pressure attacks gets a slideshow about “being careful on the phone.”

What Modern Looks Like

Safe, scoped, realistic voice testing.

Role-plausible pretexts

Finance gets a vendor payment change. The help desk gets an urgent MFA reset. Executives’ assistants get the traveling-CEO call. Plausibility is what makes the measurement real.

Explicit scope & consent

Which roles, which pretexts, which hours, which escalation limits — approved in writing before any call is placed. No entrapment, no recordings kept beyond scoring.

A debrief in seconds

Whether the employee complies or resists, the debrief is short, private, and specific: what the pressure cue was, and what the escape hatch is (verify via a known channel).

Cimento's Approach

Voice is a first-class channel.

Cimento runs AI-driven vishing scenarios inside your approved scope, scores outcomes into the same role-based risk model as email and SMS, and coaches in the moment. Your risk report finally covers the channel your incidents come from.

AI conversational callers with role-adapted pretexts

Help-desk and finance scenario packs

Executive impersonation testing, scoped and consented

Unified scoring with email and SMS results

FAQ

Is simulated vishing legal and ethical?

Won't employees feel tricked?

How often should we run vishing simulations?

Find out what happens when the phone rings.

The 14-day Human Risk Baseline includes scoped voice scenarios — often the finding that changes the renewal conversation.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.

Get Started

See It Live

Explore how modern phishing simulations and real-time human risk insights can strengthen your security posture. Let’s talk.