Over the past 10 years, organizations have spent time, resources and considerable financial investments to protect their external perimeter from potential information security threats. Most advanced threat agents know if and when they bypass the hardened perimeter, successfully compromising assets within the internal environment is trivial, with very few controls in place to stop a focused and motivated intruder. This talk will discuss why spear phishing penetration testing is a necessary exercise for all organizations. We will walkthrough and demonstrate live our methodology that has proven extremely effective on numerous engagements. We will also focus on why advanced techniques should be used to assess internal user environments as a whole and that approaching a social engineering exercise as a user awareness exercise is not beneficial for an enterprise.