Launch phishing emails in waves (not all at once) - Conduct vishing calls at appropriate times - Execute physical social engineering (if in scope) - Monitor and record all results - Be prepared to stop if the client requests it