Realistic phishing simulations, role-based e-learning and audit-ready reporting — standard for every company, with optional GxP-specific modules for regulated industries.
The data is consistent across every industry report: attackers aren't breaking in — they're being invited in, one convincing email at a time.
of successful cyberattacks start with a phishing email.
Untrained employees click simulated phishing emails about one in three times.
Average cost of a data breach in the pharmaceutical sector.
You can spend millions on firewalls, EDR and zero-trust architecture — and still lose the whole stack when someone in QA clicks the wrong link on a Tuesday afternoon.
Our core programme — phishing simulation, role-based e-learning and audit-ready reporting — works for any organisation. For clients in regulated industries, we layer on GxP-specific modules that a generic platform can't offer.
Every engagement includes the core: realistic phishing simulation, role-based e-learning, and audit-ready reporting. It works for any company — IT, manufacturing, services, professional firms. This is what most clients need.
For pharma, biotech and medtech, we layer on modules most platforms don't have: 21 CFR Part 11 in daily work, ALCOA+ data integrity, validated-system login hygiene, and eQMS / LIMS / MES phishing scenarios. Added during curriculum design.
The quarterly evidence pack maps your programme to ISO/IEC 27001, NIS2, 21 CFR Part 11 and EU Annex 11 — explicitly referenced, not inferred. This is standard for every engagement; critical if you're regulated, still useful if you're not.
Built and delivered by MSET as a single managed service — not a pile of disconnected tools. One point of accountability, one quarterly report, one audit-ready evidence pack.
Realistic, controlled phishing campaigns running on our platform — industry-tailored templates, targeted scenarios, and instant teachable moments when users click. We run the campaigns; you see the results.
A modular curriculum delivered through our learning platform, with content and length calibrated to the role — lab, quality, IT, finance, executive.
The modules generic platforms don't have. Mapped to validated-system workflows and data-integrity expectations in pharma, biotech and medtech.
Board-ready and regulator-ready. Exportable evidence packs with per-user history, risk scores over time, and attestation records.
Content is updated continuously to track the evolving threat landscape. Annual attestation cycles are built in to keep your compliance position current.
A typical rollout runs 8–12 weeks from kickoff to measured improvement. Pilot first; expand when the numbers move.
Unannounced phishing campaign across the organisation to establish click-rate, report-rate and risk hotspots. No training yet — pure measurement.
We design the curriculum against your roles, baseline findings and — if you're in a regulated industry — your frameworks. This is where optional GxP-specific modules are added.
Role-based e-learning rolls out with a communications plan from leadership. Phishing simulations continue on a monthly cadence. Repeat clickers receive targeted remediation.
Quarterly reporting to leadership with risk-score trends, attestation status and audit-ready evidence. Programme calibrated against the numbers.
A quarterly dashboard your CISO, QA director and auditors all read the same way.
Short answers to the questions we get most often before a pilot.
A standard pilot runs 8–12 weeks: two weeks to establish a baseline, two to design the curriculum against your roles and frameworks, and then six to eight weeks of active training and simulation. At the end of the pilot you get your first quarterly risk report.
Smaller organisations (under ~100 users) can run a condensed pilot in six weeks.
The programme runs on infrastructure we operate on your behalf. Phishing simulations, e-learning and reporting are delivered through our platforms; MSET manages campaign design, content localisation, remediation and reporting.
Data residency and processing details are documented in the DPA you sign with us before the pilot starts — this matters for pharma and we don't hand-wave it.
Content, phishing templates and reporting are delivered in English as standard, with Nordic and other languages available on request. We localise to the language your teams actually work in — not a compromise list limited to one region.
GxP-specific modules are reviewed with your QA team before rollout to ensure terminology matches your internal SOPs.
The programme content, cadence and reporting are explicitly mapped to 21 CFR Part 11, EU Annex 11, ISO/IEC 27001, and NIS2. The quarterly evidence pack references these frameworks directly, so your auditors see the mapping rather than inferring it.
For medical-device clients, we also map to the cybersecurity expectations in ISO 14971 and the EU MDR.
Pricing is per-user per-year with a minimum pilot size. Pilots are priced separately from the annual engagement so you can validate the programme before committing. We'll quote after a short scoping call — there's no standard price list because the curriculum design is calibrated to your roles and frameworks.
Repeat clickers receive targeted remediation: shorter, more frequent micro-modules on the specific scenarios they fell for, and we escalate visibility to line managers after the third failed simulation. We don't publicly shame users — that backfires — but we do make sure managers have the data they need.
A baseline in two weeks. A measurable drop in click-rate in eight. An audit-ready evidence pack in twelve.