How Solid is Your Security?

Know for Certain
with Tangible Security

Cyber Assessments | Product Security | Consulting

Learn More

Get Our Weekly Newsletter for Top 10 Cybersecurity Trends & News Stories Subscribe >


6700 Alexander Bell Drive, Suite 200
Columbia, MD 21046-2100 See Map

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Phone: 800-913-9901
Fax: 703-288-1226


2010 Corporate Ridge, Suite 250
McLean, VA 22102 See Map

2500 Regency Pkwy
Cary, NC 27518 See Map

How May We Help You?


Our security awareness training has reduced user phish-click rates by 91.9% and changed users from weak links to attack sensors.

Hackers Target Employees with Phishing Emails to Penetrate your Enterprise

Pervasive Phishing Attack Pattern

phishing attack pattern click on phish malware installed credentials stolen lateral movement enterprise owned
phishing attack pattern click on phish malware installed credentials stolen lateral movement enterprise owned
phishing attack pattern click on phish malware installed credentials stolen lateral movement enterprise owned
phishing attack pattern click on phish malware installed credentials stolen lateral movement enterprise owned
phishing attack pattern click on phish malware installed credentials stolen lateral movement enterprise owned

The phishing attack pattern ultimately drives the majority of cybersecurity and remediation spending for most organizations.

From the Verizon Data Breach Investigation Report

Percentage of Breaches included Phishing


Percentage of Phishing Incidents detected by Antivirus


Percentage of Phishing Incidents detected by Outsiders


Bottom Line: Training Users to Handle Phishing Attacks Slashes Costs

Interactive Training with Regular Phishing Tests & Reporting Yields Tangible Results

92 percent phish click rate reduction
Based on Results from over 300,000 users!

Our Solution: Employee Security Awareness Training


methodology for employee security awareness training

How it Works

This one-year program can either be fully outsourced where it's administered by our specialists, or clients can login to the portal to administer the tests and reporting themselves. Similarly, users can access training materials via our portal, or clients can import and run content with their existing Learning Management System.

Each burst of phishing emails is considered a campaign, typically executed weekly or monthly. Campaigns employ email and landing page templates from our library that resemble what cybercriminals use. Clients can customize the templates. Customization is mandatory for spear phishing tests.

Reporting on training and test results is automated. Numerous templates slice and dice this information in varied ways to appeal to different audiences. Automated reports tend to be monthly, coinciding with phishing campaigns. Clients can generate additional, customized reports.

Hackers and other criminals primarily target an organization’s personnel for phishing attacks. We offer additional training modules that help clients mitigate risks via other attack vectors. As with phishing, our system automates enrollment, reminders, tracking, and reporting.


We help transform your employees from unwitting targets to human firewalls. They become obstacles to hackers rather than conduits. The initial testing, training, and ongoing testing combine to not only elevate your users’ preparedness but sustain and institutionalize it.

Security maturity and cyber readiness require excellence in people, policy, processes, procedures, and technology. Executives find this program helps them affect the cultural change necessary among personnel. This lowers operations costs and barriers to further improvements in policy, process, and technology.

And, the success pervasively perceived by employees increases their willingness and motivation to hone training in other cybersecurity areas.

Robust Employee Phishing Testing


  • Customizable library of successful phishing templates
  • Clients can create/customize templates
  • Customizable landing pages
  • Targeted spear phishing campaigns with personalized data


  • Ongoing, year-round testing
  • Scheduled testing campaigns
  • (optional) Randomized campaigns with randomized templates
  • (optional) Skip weekends
  • (optional) More frequent testing for phished users

Test Responses

  • Email link clicks
  • Links clicked on landing pages
  • Data entered into landing pages
  • Opened MS Office or PDF attachments

Related Extras

  • Phishing Attack Surface: what employee emails are published on Internet (included)
  • Voice-phishing attacks (separate charge)
  • Domain spoof test (one-time)
  • Capture user compliance “Read and Attest” affirmations

Phishing Training
and Reporting

More User Training

Phishing Training

  • On-demand, browser based training
  • Auto-enrollment and follow-up emails for users
  • Point-of-failure training auto-enrollment
  • Available as SaaS (fully or self-managed) or can be run from client’s Learning Management System

Reports: Phishing Testing & Training

  • Automated reports to client following each phishing campaign
  • Filter/sort results by campaign date/time, campaign user-response (opened, link-click, attachment-open), email bounce, and more
  • Trends and user group comparisons
  • Top 50 and Individual user reports
  • Open and click history/rates by Browser/device
  • Who started, completed, never finished training

Mitigate Other People Risk Vectors

  • Training APT/Ransomware
  • Basics of Credit Card Security
  • Handling Sensitive Information Securely
  • Top 50 and Individual user reports
  • Mobile Device Security
  • Strong Passwords

By 2025, there will be 55.7 billion connected devices. Do you know if your product is secure?

Find Critical Vulnerabilities in Your Connected Devices

By 2025 there will be 55.7 billion connected devices worldwide, according to IDC. Can technology companies secure all these objects from threats? As the proliferation of interconnected products and devices grows, the need for securing devices, applications, data and communication increases.

With Internet of Things (IoT) devices, Operational Technology (OT) devices, smart devices and cloud applications becoming more ubiquitous in all environments, finding vulnerabilities in software and hardware is a requirement no manufacturer should overlook.

Ethical hackers from Tangible Security determine what harm can be done when cyber threats target your new or existing product. Using a range of unique penetration testing tools for testing connected devices, Tangible's product security testing mimics real-world hacking tactics and techniques that uncover hidden vulnerabilities in your device or application and provide realistic insights and practical results.

Tangible Security has honed this ethical hacker approach employing a full range of specialists and engineers who can work with and test different aspects of a product in parallel, minimizing impacts, and expediting time-to-market.

Typical engagements include:

  • Product Architecture Assessments:
    Assessment to understand the architecture of the system and identify potential risks.
  • Vulnerability Assessments:
    Provides a broad picture of the vulnerabilities affecting one or more systems and determine the scale of known security problems for prioritizing fixes.
  • Penetration Testing:
    Testing with attack simulations where security scenarios are identified and defenses are tested

Assessment Benefits

Finding security vulnerabilities and risks in products benefits from fresh eyes and experts skilled in emulating attackers. If you want someone to expose security risks that the best adversaries would find, then you need to hire ethical hackers as good as they are.

Tangible Security literally wrote the book on ethical hacking. Our engineering team has served on classified government projects and presented at major industry events. Every day, they help our customers find and fix security risks in their products before it's too late.

A Typical Engagement

After initially defining the scope and nature of your project, Tangible Security engineers either perform a Black Box assessment or review your product documentation and/or meet with your developers in more of a Gray Box or White Box approach.

The better we understand the intent, function, and ecosystem of the product, the more thoroughly we can search for security gaps and vulnerabilities.

Our findings reports are prioritized, structured, and detailed. We will assist your engineers with recreating and remediating the findings.

Frequently Found Vulnerabilities

  • Spoofable software updates
  • Identity and privilege flaws
  • Accessible, unencrypted binaries
  • Hidden tools hackers can run
  • Concealed physical ports with root access
  • Logging unnecessarily capturing sensitive data
  • Missing data input validation
  • Unpatched libraries and components
  • Unnecessary services running
Product Security Testing

Vulnerabilities and their exploitation by attackers of all skill levels and motivations, are driving the threat landscape.

- Gartner

Reduce risks by hiring independent, expert, ethical hackers
whether you have products already deployed or new ones soon to launch

Download Overview     Contact Us

Baking security into a product is over 10x more cost effective than patching vulnerabilities later.

Add Security at the Early Stages in Your Development Cycle

According to Gartner, over 80 percent of breaches are the result of exploits at the application layer. Security needs to be engineered earlier in the life cycle within modern software development and built into the way code is developed, instead of after a product release.

By adding security into the development process, Tangible can help implement a more effective, security-focused software development program and provide “fresh eyes” and objectivity that expose security gaps during development.

Secure Development Life Cycle

The Secure Development Life Cycle service formulates a project plan to refine and execute a road map with deliverables that transition your program development process to one that’s more secure, cost-effective, and competitive.

Tangible Security has helped couple rapid software development with security and risk management for developers of mission-critical applications in the G500, defense and intelligence communities for over 2 decades.

Reduce Total Lifecycle Costs for Software-based Products:

  • Implement an effective, security-focused software development program
  • Services that help expose security risks during development

SDLC Services Can Help With:

  • Security best practices training (OWASP, RMF, COSO, COBIT, ISO 7200X)
  • Formulating pragmatic security requirements
  • Identifying, mitigating threat vectors and developing threat models
  • Unit/functional/system security testing practices
  • Independent code reviews
  • 3rd party/open-source code vetting
  • Platform security hardening
  • Adversarial penetration testing
  • Rolling out a formal vulnerability handling policy


Tangible's security engineers and penetration testing engineers use the same methods and tactics as attackers to help software developers remediate security risks in their products and transition to security-focused software design.

Tangible Security can become a part of your team:
  • Provide virtual, on-demand services
  • Review threat models
  • Analyzing software binaries from suppliers
  • Provide a fresh set of eyes on source code

50% of companies will suffer damage caused by failing to manage trust in their SDLC.
- Gartner

Secure Remote Workers

Create and launch products that are Secure by Design

Download Overview     Contact Us

Professional ethical hackers train and conduct “War Games” with clients as a two to three day program to improve cyber readiness.

To improve your organization’s effectiveness at responding to high-risk cyber incidents, our ethical enterprise hackers:
  • Provide your personnel training, including scenario-specific table-top exercises
  • Conduct live exercises with them to practice what they were taught with the tools they have
  • Assess the strengths and weaknesses of their war game performance

Table-top exercises help connect-the-dots among: technology, policy, and process

Why You Need Threat Emulation

Military organizations have long conducted war games to educate and hone the skills of their soldiers, to improve the organization’s overall military preparedness. Military experts do not argue whether exercises should be conducted but how many should they run, for what scenarios, with what constraints.

The need for cyber war games for the enterprise is far greater. The enterprise can be attacked on any given day, again and again, with absolutely no warning. It is the unknown security holes that executives should fear most. The known ones can be fixed before hackers use them.

These war games help expose:
  • Flaws in your security policies and practices
  • Misunderstandings amongst your personnel as to their individual roles and procedures
  • Under-appreciated inter-dependencies among personnel/roles
  • Misconfigurations of tools that permit something that ought to be blocked or fail to capture data vital to responding effectively

Threat Emulation Scenarios

  •    Targeted malware attack
  •    Compromised email system
  •    Critical denial of service
  •    Lateral intruder movement
  •    Domain controller breach
  •    Mass data exfiltration
  •    Customer database leak
  •    Business partner hacked
  •    3rd party breach notification

How Threat Emulation Benefits You

For each of the covered scenarios, your personnel learn best practices that they must execute when cyber adversaries strike. The live war game exercises help them better understand these practices. More importantly, through exercises and the post-war game discussions with our experts, your personnel gain insight into how to institutionalize the lessons learned.
Enterprise executives get meaningful insight into the readiness of their organization to withstand the kind of cyber attack scenarios that have been harming organizations like theirs. If shortcomings are discovered, executives learn what they are, their significance, and potential next-steps for addressing them. After these next steps are completed, your organization is stronger.
And if ever asked about what you did to protect your customers from reasonably foreseeable risks, Threat Emulation enables you to assert that you went far beyond paper exercises to improve your organization’s security posture.

How Threat Emulation Works for You

Typical projects run two to three days, depending upon the scenarios covered. Customers can choose to cover different scenarios at different times, and for different personnel groups. Scenario training precedes war games. In selecting scenarios to cover, we help you identify the kinds of personnel to schedule into the project.
Threat emulation consists of specialized penetration tests whereby an ethical hacker emulates your adversaries by executing the same methods and tactics, but in a manner that does no harm. For example, the mass data exfiltration scenario employs fake data.
Threat Emulation projects wrap up with discussions between one or more of our ethical hackers and your personnel involved in the war games. They share their observations and lessons learned. Later, Tangible Security provides a report on the prioritized findings and recommended next-steps.