Your employees are your largest attack surface. We harden them.
Firewalls don’t open phishing emails. Antivirus doesn’t answer the phone when an attacker pretends to be your bank. The endpoint protection you’re paying for can’t stop an employee from clicking a link, wiring money to a spoofed vendor, or handing over a password to someone calling from “IT support.”
The data is consistent across every credible report in the industry: the overwhelming majority of breaches start with a person, not a system. Phishing emails, smishing texts, vishing phone calls, and social engineering at the front desk — these are the front door, and most small businesses have left it propped open.
Pendergrass Consulting builds and delivers cybersecurity training programs that turn your employees from your weakest link into your first line of defense. Real-world scenarios, ongoing simulated attacks, and measurable results — designed specifically for small business teams who don’t have a full-time security officer.
We don’t run a one-hour lunch-and-learn and call it training. We build a program that runs all year, measures who’s improving, and shows you exactly how much smaller your attack surface is getting.
1.
Phishing & Email Defense
Most breaches start in the inbox. We train your team to recognize phishing, spear-phishing, and business email compromise — then we test them with safe, simulated phishing campaigns so the lessons stick. Every employee gets a baseline score, training tailored to their gaps, and re-tested monthly.
2.
Social Engineering Defense
Attackers don’t always use email. They call your front desk pretending to be your bank, text your bookkeeper pretending to be the owner, or show up wearing a delivery uniform asking for “five minutes in the server room.” We teach your team to recognize the patterns and respond correctly — without slowing down legitimate work.
3.
Voice & SMS Threats
Smishing texts and vishing calls have exploded as email filters have gotten smarter. AI voice cloning has made the problem worse. We train your employees on the specific scripts attackers use over the phone and via text — wire transfer fraud, fake MFA prompts, gift card scams, executive impersonation — and how to verify before they act.
4.
Measurable Results
We don’t ask you to take our word for it. Every program includes monthly reporting on click rates, report rates, and improvement trends per employee and per department. You see exactly where your risk is — and exactly how fast it’s coming down.
Services we provide
Before we train, we measure. Every program starts with a baseline phishing simulation and a short knowledge assessment so we know exactly where your team stands. You get a written report showing risk by employee, by department, and by attack type — and we use it to build a training plan that targets your real gaps, not generic content.
Ongoing, realistic phishing simulations sent to your team throughout the year — not all at once, not predictable, not the same template every time. Employees who click get immediate, in-the-moment training. You get reporting that shows who’s improving, who needs more support, and where your real risk lives.
On-site or remote training sessions led by an actual security engineer — not a recorded video. We cover the threats your team is actually seeing, walk through real attack examples, and answer the questions your employees are too embarrassed to ask in a video course. Sessions are recorded for new hires.
Dedicated training modules for the threats that bypass email entirely — vishing calls, smishing texts, AI voice cloning, fake IT support calls, and wire transfer fraud. We use real attacker scripts and recordings so your team recognizes the patterns the moment they hear them, not after the money’s gone.
Training only works when it’s backed by clear procedures. We help you build the policies your team needs to act on what they’ve learned — wire transfer verification, vendor change protocols, password and MFA standards, incident reporting, and acceptable use. Practical, plain-English documents your team will actually follow.
If you handle client data, payment information, or operate in a regulated industry, your insurance carrier and your auditors will ask for proof of security awareness training. We deliver monthly reports, completion records, and program documentation formatted for cyber insurance applications, HIPAA, PCI, and similar requirements.
Could You Spot a Real Attack?
How sharp is your cyber instinct?
A free, 12-question quiz from Pendergrass Consulting. Pick a topic, work through realistic scenarios, and see where you land. Every question comes with a short explanation — so even when you miss one, you walk away with something useful.
