Email filters can't stop a deepfake of your CFO walking into a Teams meeting — with their exact face and voice — demanding an urgent payment. Train your team before the real attackers exploit this.
See PricingLegacy phishing platforms only test email. But attackers have moved on — they're cloning voices from 3 seconds of audio and faces from a single LinkedIn photo. Your team will face this. Train them now.
We offer both asynchronous campaigns (scalable, lower cost) and live red-team exercises (high-impact, targeted).
Your team receives a simulated Teams/Zoom invite from "the CEO" via email or chat. Clicking it lands on a realistic meeting page where a pre-recorded deepfake avatar delivers urgent instructions — asking them to approve a payment or share data. Those who comply receive instant micro-training. Scalable across hundreds of users. Best for broad awareness campaigns.
A premium, high-stakes simulation aimed at finance teams, EAs, and executives. Using real-time face-swap and voice-cloning AI, a deepfake "executive" joins a live Teams or Zoom call and issues urgent instructions under pressure. Tests whether your team follows protocol or folds under social engineering. Best for testing your verification framework against the most dangerous attack vector.
From one-off executive simulations to ongoing monthly awareness programmes.
All campaigns require written executive consent before biometric assets are created. See Legal & Compliance below.
AI video glitches — lip-sync lag, freezing, skin artefacts — are being patched out in weeks, not years. Counting on employees to "spot the fake" visually is already obsolete. What actually works: a hard-coded, out-of-band verification rule that no amount of AI realism can bypass.
Whenever an executive makes an unexpected, urgent financial request — on any medium (call, video, email, chat) — the employee must verify through a pre-agreed secondary channel. Call a known mobile number. Send a separate Slack DM. Use a codeword. Never verify through the same channel the request arrived on.
We don't just run the simulation and hand you a report. We deliver a written verification protocol tailored to your company's communication stack. Then we test it — live — against a deepfake. If your team follows the protocol, they pass. If they don't, we know exactly where the gap is.
PowerPoint slides create awareness. Live simulations create behaviour. When an employee has actually been on a call with a deepfake of their boss — and learned to reach for their phone to verify — that lesson sticks permanently. This is muscle memory, not a compliance checkbox.
Voice and facial prints are Special Category Data under UK GDPR. Here's exactly how we handle it — and what you need to know before engaging any deepfake simulation provider.
We require written, informed consent from the specific executive whose likeness is being cloned — before any biometric data is captured or processed. This is not a blanket corporate sign-off. The executive must understand exactly how their voice and face will be used, for how long, and their absolute right to withdraw consent at any point (including mid-campaign).
Our AI platform vendors provide a strict DPA verifying that: (a) the executive's biometric data is never used to train public datasets, (b) no permanent database of the executive's likeness is retained, and (c) all generated assets — raw recordings, cloned models, rendered video — are securely destroyed upon campaign completion. We provide this DPA to you before any work begins.
Processing Special Category Data using new technology (AI face/voice cloning) triggers a mandatory DPIA under UK GDPR Article 35. We provide a template DPIA covering: the lawful basis (explicit consent under Article 9(2)(a) + legitimate interests), the necessity and proportionality of processing, the risks to the executive's rights, and the mitigation measures in place. We recommend your DPO reviews and signs off before campaign launch.
We operate on a strict, contractually-defined timeline: raw biometric source material (voice samples, reference video) is deleted within 24 hours of campaign completion. Generated deepfake assets (rendered video, cloned voice models) are destroyed within 7 days. Campaign audit logs (who clicked, timestamps, results — no biometric content) are retained for 12 months for dispute resolution and compliance evidence.
Unlike standard personal data — where the right to erasure can be balanced against legitimate interests — biometric data erasure is near-absolute. The executive can withdraw consent at any point during the campaign. We commit to full deletion of all biometric assets within 48 hours of receiving that withdrawal. This is contractually guaranteed and verified with a deletion certificate.
If our AI processing vendor operates outside the UK (most do), we ensure a UK International Data Transfer Agreement (IDTA) or an adequacy decision is in place before any biometric data leaves the UK. We verify this during vendor onboarding and provide the transfer impact assessment as part of your compliance pack. No data moves without a lawful transfer mechanism.
What clients ask before running their first deepfake simulation.
Yes — with the correct safeguards. We operate under explicit consent (Article 9(2)(a) UK GDPR), a mandatory DPIA, a strict DPA with our platform vendors, and full biometric asset destruction post-campaign. The key requirement is that the executive whose likeness is cloned must give informed, written consent — we handle this as part of onboarding.
The campaign stops immediately. All biometric assets — raw samples, cloned models, rendered video — are destroyed within 48 hours. We provide a deletion certificate. No questions asked, no delay. This right is absolute and contractually guaranteed.
Never. Our DPA with platform vendors explicitly prohibits using client biometric data for model training, dataset building, or any purpose beyond the specific simulation campaign. The data is processed in an isolated environment and destroyed afterwards.
We partner with platforms including Hoxhunt, Gordon Phishing (async link-based simulations), and Breacher.ai / Callstrikes (live-join red team exercises). All vendors are vetted for UK GDPR compliance and provide the required DPA before onboarding. We select the best platform for your specific simulation objectives.
Standard phishing tests email — links, attachments, credential harvesting. Deepfake simulation tests behaviour under social pressure from a known authority figure. It's the difference between testing whether someone clicks a link and testing whether they transfer £50,000 because their "boss" asked them to on a video call. Different threat model, different psychology, different defence.
They learn a single, hard-coded behaviour: verify unexpected urgent financial requests through a secondary channel, always, no exceptions. Not "look for glitches" — that approach is already obsolete. Our training builds an automatic verification reflex that works regardless of how realistic AI becomes in the future.
If you're processing biometric data (even via a third party), you almost certainly need to register with the ICO and list biometric data processing in your data protection fee registration. We recommend checking your current registration covers Special Category Data. If it doesn't, we can guide you through updating it — it's a quick process.
Most executives are confident their team wouldn't fall for it. Most are wrong. Book a confidential discovery call — we'll walk you through exactly how a deepfake simulation works, what it reveals, and how to build a verification protocol that actually protects your business. No obligation.
Book a Discovery Call