Who Takes the Bait: Understanding phishing susceptibility with practitioner intelligence
Every organization has phishing training, but almost none can answer the question “which roles are actually the most vulnerable, and why?” So we asked over two dozen experienced red teamers, pentesters, social engineers and threat hunters about two dozen questions to find out, then turned their collective expertise into PhishScore, an open ‘scoring engine’ that rates any organizational role’s spear phishing susceptibility on a 0-100 scale.
Some of what the practitioners told us lines up with what you’d expect, but a lot of it doesn’t. It turns out authority isn’t the psychological lever everyone assumes it is, your phishing training program probably isn’t the thing protecting your best performers, and the most important part of a phishing email isn’t who it’s from. Also, phishing is just digital marketing with a black hoodie on.
This talk walks through our methodology, the findings, and a live demo of PhishScore, showing how internal security teams, red teams, and blue teams can use expert-validated intelligence to prioritize the human attack surface instead of guessing at it.