Defend · Free phishing audit

Pressure-test your AP team.
First ten audits are free.

With your written consent, we'll send a real-looking phishing email to your accounts-payable contact, debrief with your team, and hand you a one-page remediation roadmap. No public shaming, no recording, no upsell — we're a 501(c)(3).

What we need from you to schedule it:

• Owner or shop-lead consent (one email reply is enough).
• A 30-minute debrief slot once the audit completes.
• A working email address for the AP person we'll target.

Is this legit? Four quick answers before you fill anything out.

We're a 501(c)(3) nonprofit.: Blue Collar Labs Academy, federal EIN 42-1853577. Audits are part of our charitable program — not a sales funnel.
A real founder, not a form.: Paul Mantello runs BCL out of Middletown, NJ. Decade in the trades, now building AI tooling for shop owners. More on /about.
We run the same audit on ourselves.: Our own controls, incident response plan, and posture are public. See /trust — same checklist we'll grade your shop on.
Free during Year 1 — here's why.: We're building an anonymized case-study library to help the next 500 shops. Your data is aggregated, your shop name is never published, and you keep your full report.

Free audit intake

Tell us about your shop.

Five fields. Two minutes. We reply within 48 hours with next steps or a waitlist position.

Shop name Your email We'll reply here. The AP person we test won't see this email. Trade Who handles invoices and wire payments?

Quick posture check (4 yes/no)

Honest answers help us tune the audit. No wrong answers — that's the whole point.

2-factor (2FA / MFA) is turned on for everyone's email. We have a written rule: any wire / ACH / banking change gets a phone callback to a known number before it goes through. The team has done some kind of phishing/scam training in the last 12 months. If we got hit, we'd know who to call in the first hour.

When could you do a 30-minute debrief? Anything we should know?

By submitting, you authorize Blue Collar Labs to contact you to schedule a consent-based simulation. No charges. No hidden upsell. We're a 501(c)(3).

What an audit looks like

1. Consent call (15 min). Confirm scope, the AP person we'll target, and what's off-limits.
2. Sim (1–3 days). One realistic phishing email. We log clicks, replies, attachments — no malware, no data exfil.
3. Debrief (30 min). Walk the team through what happened, what tipped (or didn't), and the one rule that would have stopped it.
4. One-page roadmap. The three controls to put in place this month, in order. Plain English.

What we will not do

• Publish your shop name, ever.
• Try to sell you software.
• Audit a shop without explicit written owner consent.
• Share results with anyone outside your team.

Don't want the live audit?

The free Small-Shop Defense Pack walks you through the same controls in a printable PDF. No call required.

Pressure-test your AP team. First ten audits are free.

Tell us about your shop.

Pressure-test your AP team.
First ten audits are free.