Find the Physical Attack Path Before They Do.
Tailgating, badge cloning, lock bypass, on-site network drop placement. Coordinated with the digital and human vectors of a full-scope red team.
Definition Physical red team engagements are authorized adversarial simulations of physical-access attacks, including tailgating, badge cloning, lock bypass, and on-site network access placement, coordinated with digital adversary simulation.
Last reviewed:
File 01 · Definition
What It Is
Physical engagements test the part of your security program that does not show up in a network diagram: the people at the front desk, the badge readers in the elevator lobby, the locks on the comms closet.
We operate under signed authorization with a designated trusted agent and pre-agreed rules of engagement. The goal is to demonstrate impact safely, not to embarrass anyone.
So much of modern attack tradecraft starts with a network position the adversary obtained physically: a USB dropped, a network jack tapped, a badge cloned at lunch. Most organizations have tested their network for years and their building never once, which means the front desk, visitor screening, and badge readers have never been challenged by someone who does not work there.
File 02 · Threat Model
Why Companies Need This
- 01 You have offices. The attack surface includes the lobby.
- 02 You have shared coworking floors. Trust boundaries are softer than you think.
- 03 You handle regulated data on-site. Physical access is in scope for the regulator.
- 04 Physical never made it into scope. Most organizations have tested their network for years and their building never once.
File 03 · Deliverables
What You Get
Detailed technical report
CVSS scoring, attack narratives, and proof-of-concept evidence
Executive summary
Board-ready language your leadership team can act on
Remediation guidance
Prioritized, actionable fixes, not just a list of CVEs
Verification retest
We confirm your fixes actually close the gaps
Real-time comms
Dedicated Slack channel for the duration of the engagement
Compliance documentation
Mapped to SOC 2, PCI DSS, HIPAA, ISO 27001, and CMMC
File 04 · Methodology
Our Process
OSINT & Pre-Op
Building, schedule, and personnel OSINT. Rules of engagement signed with the trusted agent.
Access Attempts
Tailgating, social engineering of front desk, badge cloning if scoped, after-hours access where applicable.
On-Site Operations
Network drop placement, comms closet access, sensitive document collection (with chain-of-custody discipline).
Bridge to Digital
Hand-off of the physical foothold to the digital red team for end-to-end adversary simulation.
Reporting & Debrief
Documented attack paths, photographic evidence, and a live debrief with the security and facilities teams.
File 05 · Intel Brief
Frequently Asked Questions
Q1 Is this safe?
Yes. Every engagement runs under signed authorization with a designated trusted agent and pre-agreed rules of engagement. Get-out-of-jail letters are carried on-site.
Q2 Do you do destructive entry?
Never without explicit, signed authorization. Default is non-destructive entry only.
Q3 Can you coordinate with our facilities team?
Yes. The trusted agent on the client side coordinates with whoever needs to know on a need-to-know basis.
Talk to an Operator
Your Badge Readers and Front Desk Have a Failure Mode. Let Us Find It First.
A 30-minute scoping call with the operator who will walk your building, not a sales rep.
Related
Where physical testing connects
The digital and human vectors a physical engagement coordinates with, and the broader program it belongs to.
Adversary simulation
The digital end-to-end campaign the physical foothold hands off to.
Social engineering testing
The human vector that gets an operator past the front desk.
Internal network penetration testing
What the on-site network drop is used to reach.
Red teaming services
Full-scope adversary simulation across physical, digital, and human.