Phishing Simulation Testing: How Many of Your Team Would Fail Right Now?
Lupasafe runs realistic phishing simulations — email phishing, QR code attacks and fake login pages (credential harvest). Employees who click receive immediate remediation training. Every result feeds into your NIS2 compliance dashboard automatically.
Trusted by 600+ organisations • Gartner Peer Insights ★★★★★ 5.0
Trusted by 600+ organisations
★★★★★5.0
Horizon 2020What is phishing simulation testing?
Phishing simulation testing sends realistic but harmless phishing emails to your employees to measure how they respond. Employees who click a link or enter credentials receive immediate training — turning a mistake into a learning moment.
Lupasafe supports email phishing, QR code phishing and fake login pages (credential harvest). Every interaction is tracked, scored and reported — giving you a clear picture of your human risk and the evidence auditors need for NIS2 compliance.
Three attack types, one platform
Real attackers use multiple vectors. Your simulations should too.
Email phishing
Realistic emails mimicking common scenarios: invoice requests, password resets, delivery notifications. Tracks opens, clicks and data entry.
QR code phishing
QR-based attacks are rising rapidly. Test whether employees scan unknown QR codes and follow through to fake landing pages.
Credential harvest
The most dangerous scenario: employees enter their actual credentials on a fake login page. Lupasafe captures the attempt (never the password) and triggers immediate training.
“Within 10 days we were more secure.”
Marc Paus
CISO, Mobile World Congress
All phishing results in one dashboard
Track click rates, credential entries and training completion per employee, department and campaign. Export compliance reports with one click.
Every campaign result feeds into your compliance dashboard. Track click rates, credential submissions and training completion over time. One source of truth.
How it works
From sign-up to your first phishing campaign in three steps.
Import your users
Sync with Microsoft Entra ID, Google Workspace or import via CSV. Whitelist Lupasafe in your mail gateway to ensure delivery.
Launch your first campaign
Choose from pre-built templates or create your own. Schedule email phishing, QR code attacks or fake login pages (credential harvest). Lupasafe randomises send times to avoid detection.
Remediate and report
Employees who click receive instant training. Track click rate trends over time. All results feed into your NIS2 compliance dashboard — with exportable evidence for auditors.
Three pillars that feed your compliance dashboard
Every module delivers immediate insight. All results flow automatically into your NIS2 reporting.
People
Know who is vulnerable — and make them more resilient.
40% of employees enter credentials at the first phishing test. Continuous training and testing reduces it measurably over time.
- Phishing simulations — email, QR code, credential harvest
- E-learning — role-specific, NIS2 functions, annual planning
- Dark web monitoring — 20 billion+ leaked records
You are here
Technology
Discover vulnerabilities before an attacker does.
Your attack surface changes continuously. Lupasafe scans your domains, endpoints, network and cloud — automatically, weekly.
- Endpoint compliance — Windows, macOS, Linux, CVE matching
- Microsoft 365 audit — Secure Score, MFA status
- Domain scanning — ports, SSL, security headers
- DMARC — prevent email spoofing
Compliance
Prove you comply — without spreadsheets.
All scan and training results flow automatically into your NIS2 compliance dashboard. Cyber Fundamental controls, ISO 27001 and Cyber Essentials — in one place.
- NIS2 — Cyber Fundamental controls with evidence
- ISO 27001 — Annex A mapping
- Cyber Essentials — baseline standard
- Policy documents — BCP, backup, remote work
Phishing simulation and NIS2 compliance
The NIS2 Directive requires organisations to train employees on cybersecurity threats and test their resilience. Phishing simulations provide measurable evidence that your organisation actively reduces human risk — a core requirement of the duty of care.
Lupasafe generates automatic compliance reports showing campaign results, click rate trends and remediation actions. Share these reports with your auditor or management — directly from the platform.
Find out how your team responds to phishing
Start a free 30-day evaluation. Launch your first phishing simulation and get a baseline of your human risk within a week.
Trusted by 600+ organisations
Frequently asked questions
What types of phishing simulations does Lupasafe support?
Lupasafe supports three types: email phishing (realistic emails with tracked links), QR code phishing (testing whether employees scan unknown codes) and credential harvest (fake login pages that capture the attempt without storing actual passwords). All three types include immediate remediation training.
Will employees know it is a test?
No. Simulations are designed to be realistic. Send times are randomised and templates mimic real-world scenarios. After an employee interacts with a simulation, they receive a training moment explaining what happened and how to recognise similar attacks in future.
How does phishing testing help with NIS2 compliance?
The NIS2 Directive requires organisations to train employees on cybersecurity threats. Phishing simulations provide measurable evidence of your awareness programme: click rates, improvement trends and remediation actions. Lupasafe maps these results to the relevant Cyber Fundamental controls automatically.
What results can I expect?
On average, 40% of employees enter credentials at the first phishing test. With continuous simulation and training, organisations typically see an 86% reduction in click rates within 12 months. Lupasafe platform data, based on 600+ organisations.
Read more
Security Awareness Training
Combine phishing simulations with e-learning for a complete awareness programme.
Read more →
Dark Web Monitoring
Find out if your employees' credentials are already exposed on the dark web.
Read more →
Domain Scanning
Scan your domains and IP addresses for vulnerabilities with CVE, CVSS and EPSS scoring.
Read more →
