Surf and Turf

Presented at THOTCON 0xA (2019), May 3, 2019, 5 p.m. (50 minutes)

When one in nine users will encounter email-based malware, simple phishing campaigns aren't enough, and annual tests conducted by third parties won't keep you safe. Companies rely too heavily on their annual security assessments and focus too little on internal efforts to identify meaningful gaps in user knowledge. To prepare and defend against highly motivated and capable attackers you must be the attacker. This means using more than the built-in phishing tools that come with your next-next-next-next gen ATP email system. Your campaigns need to mirror real-world attacks.

Using real-world examples from my experience as a security professional, I will demonstrate the impact a well-crafted campaign can have. By using malware, not only do users get a better picture of how an attacker crafts a campaign, you get better user data. Did they click? Did they enter credentials? Did they install malware? Did they forward it? Did they report it? Did your next-next-next-next gen antivirus detect it? This is the kind of actionable data security teams need to collect and analyze at regular intervals, not only to determine overall risk but to reduce it. Using the data collected during these tests, I will show how this kind of user awareness has reduced my organization's risk by over 50% through education and compensating controls.

My presentation will focus entirely on free and open-source tools to help organizations with little or no budget take their campaigns to the next gen, I mean level. It will also cover the trials and tribulations of interdepartmental conflict, successful campaigns, and winning the good fight for the sake of your company. Tools I will focus on are: GoPhish, Koadic, BeEF, and Empire. My presentation will include sample pages created to look like Office 365 login pages, macro payloads embedded in Word documents, BeEF payloads, and Koadic command and control. At the end of the presentation all the examples and code will be made available via GitHub.
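The abstract's list of questions (did they click, enter credentials, install, forward, report) is a per-campaign funnel, and the "over 50% risk reduction" claim only means something if the same funnel is measured the same way each round. The script below is an added example, not code from the talk or from GoPhish: it aggregates simulation events into per-user outcome rates, rolls them into a weighted exposure score, and compares two rounds. The event names, the sample data and the risk weights are all assumptions; the data is constructed, not real campaign results.

```python
"""Aggregate phishing-simulation events into per-campaign funnel metrics.

Added example (not from the talk). Event names, weights and sample data are assumptions.
"""
from collections import defaultdict

# Outcome events, mirroring the questions in the abstract (assumed names).
OUTCOMES = ("clicked", "submitted_credentials", "installed_malware", "forwarded", "reported")

# Weight per outcome for a crude exposure score (assumed values; tune to your own risk model).
# "reported" is tracked but not weighted: it is the behaviour you want, not exposure.
RISK_WEIGHTS = {"clicked": 1, "submitted_credentials": 3, "installed_malware": 5, "forwarded": 2}


def _campaign(name, users, **outcomes):
    """Build (campaign, user, event) rows; 'sent' marks every targeted user."""
    events = [(name, u, "sent") for u in users]
    for outcome, who in outcomes.items():
        events += [(name, u, outcome) for u in who]
    return events


# Constructed sample data: ten users, two quarterly rounds. Not real results.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_EVENTS = (
    _campaign("2019-Q1", USERS,
              clicked=["alice", "bob", "carol", "dave"],
              submitted_credentials=["alice", "bob"],
              installed_malware=["carol"],
              forwarded=["dave"],
              reported=["erin", "frank"])
    + _campaign("2019-Q2", USERS,
                clicked=["alice", "bob"],
                submitted_credentials=["alice"],
                reported=["bob", "carol", "dave", "erin", "frank"])
)


def campaign_funnel(events, campaign):
    """Return {outcome: fraction of targeted users} plus 'targeted' (count).

    Each user counts at most once per outcome, so a user who clicked the link
    three times does not inflate the click rate.
    """
    targeted = set()
    users_by_outcome = defaultdict(set)
    for camp, user, event in events:
        if camp != campaign:
            continue
        if event == "sent":
            targeted.add(user)
        elif event in OUTCOMES:
            users_by_outcome[event].add(user)
    n = len(targeted)
    funnel = {o: (len(users_by_outcome[o]) / n if n else 0.0) for o in OUTCOMES}
    funnel["targeted"] = n
    return funnel


def risk_score(funnel):
    """Weighted exposure per targeted user (assumed scoring model)."""
    return sum(RISK_WEIGHTS[o] * funnel[o] for o in RISK_WEIGHTS)


def risk_reduction(events, before, after):
    """Fractional drop in exposure score from one campaign to the next (0.5 == 50%)."""
    b = risk_score(campaign_funnel(events, before))
    a = risk_score(campaign_funnel(events, after))
    return 1.0 - a / b if b else 0.0


if __name__ == "__main__":
    for camp in ("2019-Q1", "2019-Q2"):
        f = campaign_funnel(SAMPLE_EVENTS, camp)
        print(camp, {k: round(v, 2) for k, v in f.items()}, "risk", round(risk_score(f), 2))
    print("reduction", round(risk_reduction(SAMPLE_EVENTS, "2019-Q1", "2019-Q2"), 3))
```

Counting distinct users rather than raw events is the detail that keeps round-over-round comparisons honest; the report rate is kept in the funnel because a rising report rate is the earliest sign that awareness training is working, even before click rates fall.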


Presenters:

  • 0penwir3
    I did the security for healthcare, hedge funds, crypto, and non-profits.
