Test YourEmail & Web Defences

Deliver real-world malware replications via email and web to discover what reaches your users. Validate your defences with 800+ payloads across 100+ file types.

Explore payloads →
delivr.to/app/campaign-results
Delivered
42%
Blocked
38%
Quarantined
15%
Clicks
33
Global
You
Team
0+
Available payloads
0+
File types
0k+
Campaigns sent
0k+
Emails sent

Real-World Threat Emulation

Our payloads mirror the techniques, file types, and delivery methods used by real threat actors and malware strains, giving you the most realistic test of your email and web defences.

Techniques
Threat Groups
File Types
Malware

Why Choose delivr.to?

Empower your security team with data-driven insights

Validate Posture

Take a data-driven approach to improving your email and web security. Use our growing suite of 800+ payloads to demonstrate exactly what threats can land in your inbox, and in what condition.

Highlight Gaps

Test attachments, links, and inline payloads to assess sandboxing and safe-link controls, then use our tailored insights to prioritise remediation.

Stay Ahead of Threats

Emulate the latest offensive tradecraft, from Adversary-in-the-Middle to callback phishing. Tailor custom campaigns to test everything from CEO impersonation to gift card scams.

How It Works

Test your email and web defences safely, continuously and autonomously.

Select Your Payloads

Choose from our library of real-world threat emulations based on the attack techniques, file types, or threat actors you want to test against.

  • Target specific threat actor TTPs
  • Emulate prevalent malware strains
  • Select weaponised file types (SVG, PDF, ZIP, etc.)
  • Use curated templates for common scenarios
interview.msc
invoice.iso
Midnight BlizzardKimsukyHTMLMSCHTML SmugglingContainersISO

Deliver Your Payloads

Send payloads to test mailboxes via email or host them for browser-based download. delivr.to handles realistic formatting and proper delivery for both channels.

  • Email delivery with attachment, link, or inline methods
  • Web delivery for browser-based download testing
  • Schedule or launch immediately
  • Configure hands-off repeating campaigns

Automated Assessment

Our suite of integrations detect what landed, and in what condition, as well as what was blocked or quarantined. Works for both email and web delivery campaigns.

  • Real-time delivery detection
  • Browser download monitoring and verification
  • Attachment and link rewriting verification
  • Alert collection from security tools
invoice.docm
report.iso
update.html
notice.lnk

Track Results Over Time

Build a comprehensive picture of your email and web security posture. Compare results across campaigns, measure improvement and demonstrate return on investment.

  • Historical trend analysis
  • Campaign comparison reports
  • Threat technique coverage gaps
  • Executive-ready dashboards
Jan
Dec

Built for Security Professionals

Whether you're defending, attacking, or consulting - we've got you covered

Security Teams

Integrate with your Microsoft 365 and Google mailboxes, and security tools likes Microsoft Defender 365 and Sublime Security, to automatically record what payloads landed in your inbox, and in what condition. Want to confirm links were rewritten and active content was stripped? We can provide the answer.

Learn more

Purple Teams

Your one-stop shop for payload emulation. Find safe and accurate replications of the latest attack techniques, including zip smuggling & polyglot files, and test your defences across email and web. Visit our research blog.

Learn more

Consultants

Deliver more value to your clients with detailed deliverability tracking and actionable insights. Our automated recommendations help you identify gaps in email and web security controls, while team collaboration features let you share templates and results across engagements.

Learn more

Simple, Transparent Pricing

Choose the plan that fits your security testing needs

Starter

Our most cost-effective plan. 10 downloads and 100 emails a day, perfect for no-frills email and web security validation.

£99per month (£999 per annum)
Subscribe
  • 100 emails a day
  • 10 payload downloads a day
Most Popular

Premium

Unlimited integrations, tailored insights & recommendations, and 2000 emails a day for a comprehensive view of your email and web security posture.

£299per month (£2,999 per annum)
Start Trial
  • 2000 emails a day
  • Unlimited payload downloads

Enterprise

All you can eat everything, plus Team collaboration, custom payloads & templates, full rebranding, and tailored onboarding.

Let's talk.Monthly & annual options
Book Demo
  • Unlimited emails
  • Unlimited downloads

Frequently Asked Questions

Common questions about email security testing with delivr.to

Purple teaming combines offensive and defensive security testing. For email, it means sending real threat payloads through your production mail infrastructure to measure what actually reaches users' inboxes. This validates your email security controls against techniques used by real threat actors, rather than relying on theoretical assessments or simulated attacks.

Traditional phishing simulation tools send safe replicas to test user behaviour. delivr.to sends real payload file types and delivery techniques through your production email gateway to test your technical controls. The platform measures whether payloads are blocked, quarantined, or delivered, giving you ground-truth data on your email defence effectiveness.

The platform includes 800+ pre-built payloads across 100+ file types, mapped to MITRE ATT&CK techniques. These cover HTML smuggling, SVG smuggling, WebAssembly smuggling, macro-enabled documents, script files, archive containers, QR code phishing, credential harvesting, and more. All payloads are modelled on real threat actor tradecraft observed in the wild.

delivr.to integrates with Microsoft 365 and Gmail for automatic delivery status tracking, Microsoft Defender 365 for detection correlation, and Sublime Security for detection rule development and testing. A REST API is available for integration with SOAR platforms and custom tooling.

Yes. Payloads are designed to test your defences without causing harm. They trigger the same detection mechanisms as real threats but do not execute malicious actions. You control which email addresses receive payloads, and all campaigns are logged with full audit trails. Campaigns can be sent to validated addresses that you own.

You can run your first campaign within minutes of signing up. Connect your mailbox (Microsoft 365 or Gmail), select payloads from the library, choose your target email address, and launch a campaign. Results are tracked automatically, showing which payloads were delivered, blocked, or quarantined.

Our Research

Insights and analysis from the delivr.to team on the latest phishing techniques, payload delivery, and email and web security trends

Open-Sourcing 140+ Weaponisable File Type Samples: Test What Your Defences Actually Block

Open-Sourcing 140+ Weaponisable File Type Samples: Test What Your Defences Actually Block

Do you know which file types your email gateway actually blocks? Not which ones it claims to block — which ones it blocks when a real file hits the wire?

May 6, 2026Read more
Bob’ll *Fix It: A Field Guide to the *Fix Family of User-Assisted Execution Techniques

Bob’ll *Fix It: A Field Guide to the *Fix Family of User-Assisted Execution Techniques

If you’ve been watching the phishing landscape over the past eighteen months, you’ve noticed that user-assisted execution has gone from a curiosity to the dominant initial access pattern in circulation. What started as ClickFix has spawned a growing family of variants, each finding a new way to trick users into executing attacker-supplied commands. FileFix, DragFix, InstallFix, ToastFix. The naming convention practically writes itself, and the variations keep coming.

clickfixdrag-fixfile-fix+1
Apr 14, 2026Read more
Validating Browser Defences with Push Security and delivr.to

Validating Browser Defences with Push Security and delivr.to

TL;DR — delivr.to now integrates with Push Security. Run a web campaign, and any detections raised by the Push browser extension during the test are automatically correlated back to the specific payloads you sent. You get a single view covering whether each payload reached the browser, what happened to it on disk, and whether Push observed anything suspicious in the interaction — including AiTM and BiTM flows. Available today on Premium and Enterprise plans at no extra cost.

purple-teamingadversary-emulationpurple-team
Apr 12, 2026Read more
WASM as a BYOI Target

WASM as a BYOI Target

In our previous research, we explored how Rust compiled to WebAssembly could reconstruct and deliver payloads entirely client-side, bypassing JavaScript-focused detection rules. That work lived inside the browser sandbox.

red-teaminitial-accesspurple-team
Mar 30, 2026Read more
Beyond the Inbox — Introducing Web Campaigns

Beyond the Inbox — Introducing Web Campaigns

For over three years, delivr.to has helped security teams answer a deceptively simple question: what actually reaches users’ inboxes? That question hasn’t gone away — but it’s no longer the only one worth asking.

purple-teamweb-securityadversary-emulation+2
Mar 19, 2026Read more
DragFix: And you thought ClickFix was a drag?

DragFix: And you thought ClickFix was a drag?

ClickFix has become one of the most prolific social engineering techniques in the threat actor playbook. The premise is simple: present an end user with a convincing lure — a fake CAPTCHA, an error dialog, a browser update prompt — and instruct them to paste a command into Run (Win+R) or macOS’s Terminal.

purple-teamoffensive-securitymalware+1
Feb 21, 2026Read more
delivr.to’s Top 10 Payloads (Dec ‘25): Filejacking, Polyglots and Esoteric Smuggling

delivr.to’s Top 10 Payloads (Dec ‘25): Filejacking, Polyglots and Esoteric Smuggling

Twice a year, we take a look at the notable developments in phishing and initial access. Our Top 10 captures the tradecraft that mattered most over the past six months — not just what was new or novel, but what proved effective — as adversaries refined social engineering, payload delivery, and defence evasion in increasingly covert ways.

phishing-attackspurple-teamemail-security+1
Dec 18, 2025Read more
Emulating AiTM and BiTM Attacks

Emulating AiTM and BiTM Attacks

Adversary-in-the-Middle (AiTM) and Browser-in-the-Middle (BiTM) techniques have become core to modern phishing campaigns. Attackers are no longer just collecting usernames and passwords. They’re stealing live, post-MFA session cookies — and using them to hijack accounts undetected.

aitmpurple-teamingadversary-emulation
Aug 19, 2025Read more
FileJacking: Exfiltrating Mapped Drives from the Browser

FileJacking: Exfiltrating Mapped Drives from the Browser

A recent research post from Print3M highlighted how Chromium File System APIs could be used for a variety of initial access scenarios. Used in the JavaScript of an HTML attachment or a hosted site, this could enable the delivery of payloads, as well as the backdooring of existing user files.

purple-teamemail-security
Aug 11, 2025Read more
delivr.to’s Top 10 Payloads (July ‘25): FileFix, Zip Smuggling and QRLJacking

delivr.to’s Top 10 Payloads (July ‘25): FileFix, Zip Smuggling and QRLJacking

Twice a year, we dissect the most compelling developments in phishing and initial access. This Top 10 highlights standout tradecraft — from emerging research and evolving techniques to today’s most prevalent methods — used by adversaries to deliver payloads, harvest credentials, and bypass defences.

email-securitypurple-team
Jul 13, 2025Read more
View all posts

About Us

Launched in 2023, we're dedicated to empowering individuals and organisations across the globe with the tools they need to test and enhance their email and web security.

James Coote
James Coote
Co-Founder

James has a decade of experience delivering attack simulation and purple teaming services, and has spoken on the topic at conferences such as Blackhat, Defcon & TROOPERS. He was also a member of the UK Armed Force's Joint Cyber Unit.

Alfie Champion
Alfie Champion
Co-Founder

Alfie authored 'Practical Purple Teaming' and specialises in attack detection and adversary emulation. He helps organisations validate their detective capabilities through collaborative offensive engagements, and has delivered talks and training at BlackHat, Defcon and RSA.

Not sure which plan is right for you?

Let's chat! We'll find the best solution for your security testing needs.

Contact SalesBook a Demo

We use cookies!

Hi, this website uses essential cookies to ensure its proper operation and tracking cookies to understand how you interact with it.