Tangible Announcements


6700 Alexander Bell Drive, Suite 200
Columbia, MD 21046-2100 See Map

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Phone: 800-913-9901
Fax: 703-288-1226


2010 Corporate Ridge, Suite 250
McLean, VA 22102 See Map

2500 Regency Pkwy
Cary, NC 27518 See Map

How May We Help You?


Our interactive employee security awareness training has reduced user phish-click rates by 91.9% (see below) and changed users from weak links to attack sensors.

Hackers Target Employees with Phishing Emails to Penetrate your Enterprise

Pervasive Phishing Attack Pattern

user clicks phishing email

"This looks interesting!"

executive contemplate data breach impact

"What will this breach cost us?"

phishing attack pattern click on phish malware installed credentials stolen lateral movement enterprise owned

The phishing attack pattern ultimately drives the majority of cybersecurity and remediation spending for most organizations.

From the Verizon 2015 Data Breach Investigation Report

Percentage of the 2122 Breaches included Phishing

Percentage of Phishing Incidents detected by Antivirus

Percentage of Phishing Incidents detected by Outsiders

Bottom Line: Training Users to Handle Phishing Attacks Slashes Costs

Interactive Training with Regular Phishing Tests & Reporting Yields Tangible Results

92 percent phish click rate reduction

Based on Results from over 300,000 users!

Our Solution: Employee Security Awareness Training


methodology for employee security awareness training

How it Works

This one year program can either be fully outsourced where its administered by our specialists, or client's can login to the portal to administer the tests and reporting themselves. Similarly, users can access training materials via our portal or client’s can import and run content with their existing Learning Management System.

Each burst of phishing emails is considered a campaign, typically executed weekly or monthly. Campaigns employ email and landing page templates from our library that resemble what cyber criminals use. Clients can customize the templates. Customization is mandatory for spear phishing tests.

Reporting on training and test results is automated. Numerous templates slice and dice this information in varied ways to appeal to different audiences. Automated reports tend to be monthly, coinciding with phishing campaigns. Clients can generate additional, customized reports.

Hackers and other criminals primarily target an organization’s personnel for phishing attacks. We offer additional training modules that help clients mitigate risks via other attack vectors. As with phishing, our system automates enrollment, reminders, tracking, and reporting.


We help transform your employees from unwitting targets to human firewalls. They become obstacles to hackers rather than conduits. The initial testing, training, and ongoing testing combine to not only elevate your users’ preparedness but sustain and institutionalize it.
Security maturity and cyber readiness requires excellence in people, policy, processes, procedures, and technology. Executives find this program helps them affect the cultural change necessary among personnel. This lowers operations costs and barriers to further improvements in policy, process, and technology.
And, the success pervasively perceived by employees increases their willingness and motivation to hone training in other cybersecurity areas.

Robust Employee Phishing Testing


  • Customizable library of successful phishing templates
  • Clients can create/customize templates
  • Customizable landing pages
  • Targeted spear phishing campaigns with personalized data


  • Ongoing, year-round testing
  • Scheduled testing campaigns
  • (optional) Randomized campaigns with randomized templates
  • (optional) Skip weekends
  • (optional) More frequent testing for phished users

Test Responses

  • Email link clicks
  • Links clicked on landing pages
  • Data entered into landing pages
  • Opened MS Office or PDF attachments

Related Extras

  • Phishing Attack Surface: what employee emails are published on Internet (included)
  • Voice-phishing attacks (separate charge)
  • Domain spoof test (one-time)
  • Capture user compliance “Read and Attest” affirmations

Phishing Training
and Reporting

More User Training

Phishing Training

  • On-demand, browser based training
  • Auto-enrollment and follow-up emails for users
  • Point-of-failure training auto-enrollment
  • Available as SaaS (fully or self-managed) or can be run from client’s Learning Management System

Reports: Phishing Testing & Training

  • Automated reports to client following each phishing campaign
  • Filter/sort results by campaign date/time, campaign user-response (opened, link-click, attachment-open), email bounce, and more
  • Trends and user group comparisons
  • Top 50 and Individual user reports
  • Open and click history/rates by Browser/device
  • Who started, completed, never finished training

Mitigate Other People Risk Vectors

  • Training APT/Ransomware
  • Basics of Credit Card Security
  • Handling Sensitive Information Securely
  • Top 50 and Individual user reports
  • Mobile Device Security
  • Strong Passwords

Cyber criminals target software-based products. Our ethical hackers can help you identify and mitigate these risks.

Ethical hackers from Tangible Security determine what harm can be done to your business interests when cyber criminals, hacktivists, and/or nation-state actors target your new or existing product. We provide you a prioritized, detailed findings report with recommendations.

Why You Need Secure Product Testing

Security through obscurity is a fading memory for product-makers as ever more hackers turn their attention to software based products and devices. The number of product hackers is swelling because the Internet literally provides online training for all levels of expertise.
Frequent bulletins and headlines regarding the vulnerabilities and breaches of other vendor products are troubling reminders.
You can reduce these risks by hiring independent, expert, ethical hackers, whether you have products already deployed or new ones soon to launch. We can give you the insight and assistance you need to assess and mitigate your risks, and ultimately to sleep better.

Frequently Found Security Holes

  •    Spoofable software updates
  •    Identity and privilege flaws
  •    Accessible, unencrypted binaries
  •    Hidden tools hackers can run
  •    Concealed physical ports with root access
  •    Logging unnecessarily capturing sensitive data
  •    Missing data input validation
  •    Unpatched libraries and components
  •    Unnecessary services running

How Secure Product Testing Benefits You

Have you ever found yourself unable to find typos and other mistakes in a document that you have been working on for many iterations? Have you noticed that some people are far better at proof reading your documents than others?
Finding security holes in products likewise benefits from fresh eyes and people with a hard-to-find talent. These ethical hackers think differently from developers. But like most skill-positions, talent, training, and experience matters. If you want someone to find the security holes that the best of your adversaries would find, then you need to hire ethical hackers at least as good as they are.
Tangible Security literally wrote the book on ethical hacking. Everyday, our engineers distinguish themselves from the ordinary by helping our customers find and fix security holes in their products before the bad guys do. Our engineering team members have served on classified government projects and presented their research and practices at major cyber security industry events.

How Secure Product Testing Works for You

After initially defining the scope and nature of the project, our engineers review your product documentation and/or meet with your developers. Sometimes we need to revise project plans after becoming more familiar with your product.
The better we understand the intent, function, and eco-system of the product, the more thoroughly we can search for security holes. Product assessments typically last between one and four weeks.
Our findings reports are prioritized, structured, and detailed. We will assist your engineers with recreating and remediating the findings.

Secure Development Lifecycle (SDLC); Baking security into a product is over ten times cheaper than patching vulnerabilities later.

We help customers reduce total lifecycle costs for their software-based products in two ways:

  • Help implement a more effective, security-focused software development program
  • Provide specialized services that help root-out security holes during development


Why You Need SDLC Services

Software and software-based device vendors can no longer limit their focus to only the customer and the market. They must contend with cyber adversaries, those that would take advantage of flaws in products to reap financial or political benefits at the expense of the vendors and their customers.
University software engineering instructors have told students for over a decade that reacting to security vulnerabilities after software-based products are deployed costs vendors over ten times more than developing such products via security best practices from the beginning. The theory is simple, but defining and successfully making the transition in any organization is tough.
Adding and modifying development processes is only part of the challenge, however. Individuals require training, new practices often need templates and tools, and some security tasks require skillsets that are not available in-house. And, ever more ‘experts’ recommend independent reviews and analyses, if only for their fresh eyes, but also for their relative objectivity.

How SDLC Services Benefit You

Our engineers have been applying security-focused software development practices themselves. Many of their software products have been operating continuously on thousands of mission critical computing assets in the defense and intelligence communities for many years. They had to successfully navigate the most rigorous cybersecurity gauntlets imaginable.
Additionally, some of these software engineers as well as our penetration testing engineers have been using the same methods and tactics as those of cyber criminals to help other software vendors discover and plug security holes in their products.
Collectively, their experiences and methods enable your organization to successfully transition to a security-focused software development machine that realizes the promises of those university instructors because of the knowledge, skills, and practices that transfers from our engineers to yours. Further, our engineers can become a tangible part of your team, providing virtual, on-demand services, reviewing threat models, analyzing software binaries from suppliers, or providing a fresh set of eyes on source code.

How SDLC Services Work for You

A development program transition begins with our interviewing some of your personnel to facilitate a gap assessment that compares your program “as is” with an industry best practices framework. Next, we formulate a project plan to refine and execute a roadmap with deliverables that transitions your program to what you wish it “to be”. Depending on the size and structure of your organization, we might start with only part of it, and after it has measurably achieved its goals, do the same for the rest of the organization.

We can help you with:

  •    Security best practices training (OWASP, RMF, COSO, COBIT, ISO 7200x)
  •    Formulating pragmatic security requirements
  •    Identifying, explaining, and mitigating threat vectors
  •    Unit/functional/system security testing practices
  •    Independent security-based code reviews
  •    3rd party code vetting, patching, and monitoring
  •    Platform security hardening
  •    Adversarial penetration testing
  •    Rolling out a formal vulnerability handling policy

Professional ethical hackers train and conduct “War Games” with clients as a two to three day program to improve cyber readiness.

To improve your organization’s effectiveness at responding to high-risk cyber incidents, our ethical enterprise hackers:
  • Provide your personnel training, including scenario-specific table-top exercises
  • Conduct live exercises with them to practice what they were taught with the tools they have
  • Assess the strengths and weaknesses of their war game performance

Table-top exercises help connect-the-dots among: technology, policy, and process

Why You Need Threat Emulation

Military organizations have long conducted war games to educate and hone the skills of their soldiers, to improve the organization’s overall military preparedness. Military experts do not argue whether exercises should be conducted but how many should they run, for what scenarios, with what constraints.

The need for cyber war games for the enterprise is far greater. The enterprise can be attacked on any given day, again and again, with absolutely no warning. It is the unknown security holes that executives should fear most. The known ones can be fixed before hackers use them.

These war games help expose:
  • Flaws in your security policies and practices
  • Misunderstandings amongst your personnel as to their individual roles and procedures
  • Under-appreciated inter-dependencies among personnel/roles
  • Misconfigurations of tools that permit something that ought to be blocked or fail to capture data vital to responding effectively

Threat Emulation Scenarios

  •    Targeted malware attack
  •    Compromised email system
  •    Critical denial of service
  •    Lateral intruder movement
  •    Domain controller breach
  •    Mass data exfiltration
  •    Customer database leak
  •    Business partner hacked
  •    3rd party breach notification

How Threat Emulation Benefits You

For each of the covered scenarios, your personnel learn best practices that they must execute when cyber adversaries strike. The live war game exercises help them better understand these practices. More importantly, through exercises and the post-war game discussions with our experts, your personnel gain insight into how to institutionalize the lessons learned.
Enterprise executives get meaningful insight into the readiness of their organization to withstand the kind of cyber attack scenarios that have been harming organizations like theirs. If shortcomings are discovered, executives learn what they are, their significance, and potential next-steps for addressing them. After these next steps are completed, your organization is stronger.
And if ever asked about what you did to protect your customers from reasonably foreseeable risks, Threat Emulation enables you to assert that you went far beyond paper exercises to improve your organization’s security posture.

How Threat Emulation Works for You

Typical projects run two to three days, depending upon the scenarios covered. Customers can choose to cover different scenarios at different times, and for different personnel groups. Scenario training precedes war games. In selecting scenarios to cover, we help you identify the kinds of personnel to schedule into the project.
Threat emulation consists of specialized penetration tests whereby an ethical hacker emulates your adversaries by executing the same methods and tactics, but in a manner that does no harm. For example, the mass data exfiltration scenario employs fake data.
Threat Emulation projects wrap up with discussions between one or more of our ethical hackers and your personnel involved in the war games. They share their observations and lessons learned. Later, Tangible Security provides a report on the prioritized findings and recommended next-steps.
{loadmodule mod_inlinecustom,Custom Inline HTML}