Browse our range of eBooks from the Wizarding World. A host of languages and a world of magic, all at your fingertips.
Terranova’s desktop simulations never flagged it. The corporate web proxy never saw it. The flank is complete. Terranova famously advocates for positive reinforcement—never shaming users who fail simulations. Psychologically, this is sound. But sophisticated attackers have weaponized this culture of psychological safety.
When a C-suite executive’s legitimate email account is hijacked via token theft (not a password phish), the resulting malicious email comes from a known, trusted sender. It passes the "Terranova test." No spoofed domain, no odd grammar—just a real email from a real boss asking for an urgent gift card purchase or wire transfer. The training never triggers because the user did everything correctly. The flank succeeded because the trust was legitimate, not simulated. Terranova’s core metric is the email click rate. Attackers have simply moved the battlefield.
An email arrives that looks like a multi-factor authentication prompt or a shared document notification. It contains a benign-looking QR code. The user is trained to check URLs—but a QR code hides the destination. They scan it with their personal phone, which lacks the corporate email security filter. The phone opens a perfect replica of the Microsoft 365 login page. The user enters their credentials. The attacker now has them.
Terranova’s desktop simulations never flagged it. The corporate web proxy never saw it. The flank is complete. Terranova famously advocates for positive reinforcement—never shaming users who fail simulations. Psychologically, this is sound. But sophisticated attackers have weaponized this culture of psychological safety.
When a C-suite executive’s legitimate email account is hijacked via token theft (not a password phish), the resulting malicious email comes from a known, trusted sender. It passes the "Terranova test." No spoofed domain, no odd grammar—just a real email from a real boss asking for an urgent gift card purchase or wire transfer. The training never triggers because the user did everything correctly. The flank succeeded because the trust was legitimate, not simulated. Terranova’s core metric is the email click rate. Attackers have simply moved the battlefield. outflank terranova security
An email arrives that looks like a multi-factor authentication prompt or a shared document notification. It contains a benign-looking QR code. The user is trained to check URLs—but a QR code hides the destination. They scan it with their personal phone, which lacks the corporate email security filter. The phone opens a perfect replica of the Microsoft 365 login page. The user enters their credentials. The attacker now has them. Terranova’s desktop simulations never flagged it