Like Metasploit, SET is a work in progress. The security community has embraced the capabilities and potential of SET and continues to contribute to making it better. Social-engineering attacks are on the rise, so ensuring that you can properly test these attack vectors is imperative for any comprehensive security program.

As organizations and vendors get better at securing their network perimeters with software and hardware solutions, we often forget how easy it is to call or email a user and convince him to click or download something that can be used for an attack. Social engineering in general takes skill and practice, and a good attacker knows that he needs to ensure that the attack is specially crafted to target weaknesses in his targets’ company user awareness programs or systems. A skilled attacker knows that spending a few days researching an organization, looking at Facebook or Twitter pages, and determining what may trigger someone to click hastily is just as important as the tools used behind the attack.

Tools like SET are useful to attackers, but always remember that as a penetration tester, your skill is defined by your creativity and your ability to navigate difficult situations. SET will aid you in attacking your targets, but, ultimately, if you fail, it’s probably because you weren’t creative enough.