How I Got In is a collection of real-world stories based on actual red team and social engineering attacks from our engagements. These are real stories from the field. No hypotheticals, no made-up drama. Just true accounts of how we got in during client engagements using techniques inspired by what real attackers use. Sometimes it started with a phone call. Sometimes it was a phishing email, a USB drop, or a fake pretext. But the outcome was always the same: we got in.
This series is not just about showing how social engineering attacks work. It’s also about letting you feel what it’s like to be there. You’ll follow our thought process, see what we saw, and maybe even picture yourself doing it. Whether you work in offensive security, blue team defense, compliance, or just enjoy a good security read, these stories are here for you.
For us, this was some of the most fun work we’ve done. It was rewarding, eye-opening for the clients, and just genuinely interesting. That’s why we’re sharing them. Not to sell anything, but because the stories are too good not to tell. These are jobs we’ve done over many years and we wanted to share the best ones with you. Maybe you’ll learn something. Maybe you’ll get an idea for your next assessment. Or maybe you’ll just enjoy the read.
Table of contents
Episode List
Episode 1:
How I Got In: The Raffle Phishing Campaign
A fake raffle. A phone call. A macro-laced Excel file. This phishing campaign landed us a shell on the CEO’s machine and full domain admin access, all without triggering a single alert.
Episode 2:
How I Got In: Bypassing Bank Security (Part 1)
An audit team. A borrowed badge. A wireless drop, followed by a branch bank pretext with spoofed emails and a real ID. And finally, a night entry through the front door using nothing but a can of air. From shadowing into an operations center to impersonating a technician and gaining access to a safe and the bank’s cashier checks, this one had it all.
Episode 3:
How I Got In: Bypassing Bank Security (Part 2)
We returned at night to test the second operations center. A simple trick got us through the door. From there, we got on the network, bypassed physical controls, opened a safe, and gained access to the bank’s cashier’s checks. Nobody noticed.
Episode 4:
New episode to release soon.
How These Stories Were Collected
Everything in this series comes from real social engineering attacks we’ve performed during authorized client engagements over the years. These aren’t hypothetical scenarios, dramatized case studies, or stitched-together anecdotes. They’re pulled directly from the field.
Every tactic you see, whether it was impersonating an employee, spoofing an email, bypassing a lock, opening a safe using a default combination, or exploiting trust at the front desk, was used during a live assessment. The stories are based on actual events, real compromises, and real lessons learned. The only things we’ve changed are names, locations, and other details to protect confidentiality. The rest is as it happened.
We didn’t write this series to show off, and we’re not trying to make social engineering attacks seem glamorous. Our goal is to show how they actually unfold. Quietly. Naturally. Through a mix of human behavior, overlooked controls, and real decisions that open doors.
This is the part of offensive security that doesn’t always make it into reports or slide decks. It’s what red teamers talk about over coffee after a job. The good stories. The weird ones. The moments that made us pause and think, “Did that really just work?”
We’ve documented everything not just because it’s interesting, but because it’s useful. These episodes are here to show what social engineering attacks look like in the wild: how they start, how they escalate, how they succeed, and what could have stopped them.
Why These Stories Matter
Most people think of social engineering attacks as phishing emails, fake invoices, or scam phone calls. And while those are common, they’re just one piece of a much larger picture. The truth is, real attackers don’t limit themselves to inboxes. They look at every part of your organization from your buildings, your people, your habits, to the assumptions baked into your daily workflow.
That’s why these stories matter.
In every episode, we show how small oversights led to full compromises. It wasn’t always a lack of technology or its configuration. In fact, many of these environments had firewalls, MFA, cameras, badge systems, next-gen AV, and written policies. But the attackers still got in, because security only works if people know how to use it and understand what to look for.
The social engineering attacks and red team tactics we describe here are based on real-world pressure testing. They show how attackers think, how they observe behavior, and how they slowly earn or steal access in ways that look normal from the outside. These are the kinds of methods that get missed in tabletop exercises, overlooked in annual training, or underestimated by decision-makers.
Whether you’re part of a red team, a blue team, or responsible for compliance, you’ll see why these stories hit harder than checklists. They show what breaks down when security gets too comfortable, and they highlight where your defenses may already be vulnerable.
If these stories help you find one blind spot or start one important conversation with your team, they’ve done their job.
Stay Ahead of Social Engineering Attacks
Most successful social engineering attacks don’t rely on advanced exploits or complicated tools. They rely on small gaps, such as unlocked doors, unverified emails, assumptions made at the front desk, or habits no one questions until it’s too late.
The stories in this series highlight how attackers find those gaps and use them to gain access. They show what happens when controls look good on paper but break down in practice.
Use these stories as a gut check. Ask whether your organization would have caught the same moves. Whether someone would have asked the right question. Whether that door would still be open, or that policy still ignored.
The point isn’t fear. The point is awareness. Because every environment has blind spots. The difference is whether anyone’s looking for them.
FAQ
Yes. Every story in this series is pulled from a real red team or social engineering attacks from actual engagements we’ve completed. The techniques worked. The compromises were successful. Only client-identifying details have been changed.
.
Always. These are authorized tests with a signed scope of work, clear boundaries, and communication with the client and, when needed, law enforcement. Nothing in this series was done illegally or without consent.
.
Absolutely. They’re written to be both educational and engaging. We’ve had clients use them in awareness briefings, tabletop exercises, and even as reading assignments for security staff. Just credit the source.
.
Because it’s worth sharing. We’ve seen how much impact these stories have had inside client teams. People remember them. They talk about them. They learn from them. That’s reason enough.
