Behind The Scenes: Yarix Approach to Physical Security
TL;DR: In our experience, even organizations that you’d think are really solid often have serious gaps in their physical security, simply because they’ve never put their defenses to the test. And those that have invested heavily in technology frequently overlook the human factor, which remains one of the weakest links.
In this post, we share a practical framework for building a physical security service from the ground up. We walk through how to get started with an assessment, the key steps involved in the planning phase, the tools and methods we rely on, how we approach testing and evidence collection, and finally, how we present findings using real-world attack scenarios and a structured scoring system.
1 – Introduction
This blog post explores physical security as an important aspect of information security. The perimeter of physical security refers to the clearly defined boundary that surrounds and protects a specific area—such as a building, data center, or corporate facility—and is secured through a comprehensive set of measures. These include physical barriers (fences, walls, reinforced doors), surveillance systems (such as CCTV cameras), access control mechanisms (like electronic badge readers, biometric scanners, and turnstiles), intrusion detection technologies (motion and infrared sensors), and response protocols (including alarms, security personnel, and contingency plans), all designed to deter, detect, delay, and respond to unauthorized access or potential threats.
This reading is aimed at both curious IT professionals and red teamers who are new to this field. Our goal is to share insights from our own experiences, clear up common misconceptions, and encourage a mindset shift toward taking physical security threats more seriously.
1.1 – Why Physical Security Matters
Physical security assessments address a critical, yet frequently overlooked area of an organization’s overall security posture. In this section, we aim to highlight the importance of these assessments by examining key issues and challenges.
Many organizations, including those responsible for critical infrastructure, tend to prioritize cybersecurity while underestimating physical threats, not realizing the significant risks at that level. As a result, the physical perimeter is significantly less protected than the digital one, up to the point where threat actors might find it easier to breach the physical perimeter in order to establish access to the internal systems.
Additionally, unlike the fast-paced evolution of cybersecurity technologies, physical security tends to advance more slowly, leaving gaps that attackers can exploit. Needless to say, almost every company has a physical perimeter, but few really know where they stand.


Moreover, physical security assessments cannot be replaced by automated scans or tools, nor can they be conducted remotely. They require on-site presence, hands-on analysis and direct interaction with the target environment.
These factors underscore the importance of investing in physical security and the need for comprehensive assessments. This is particularly relevant for clients who have never conducted such testing before, especially those operating within – or connected to – critical infrastructures.
With the upcoming introduction of new regulations such as DORA (the EU Digital Operational Resilience Act) and CER (the Critical Entities Resilience Directive), it has become essential to address these topics as part of a broader compliance and resilience strategy. In our view, open discussions around this subject help ensure that all stakeholders are better prepared and more aware of the physical threat landscape.
The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.
DORA, Section II, Article 6
The rest of this blog post outlines some of the key challenges we’ve encountered and offers practical suggestions based on our experience in this field.
1.2 – Company Awareness and Understanding
Despite the critical nature of physical security, convincing clients of its importance remains probably the greatest challenge. Many companies lack awareness of the full scope of potential risks, and while they may recognize the need for security tests, they often misidentify the type of assessment required. From our experience, they are often unaware of the risks until they are presented with demonstrations of the attack techniques that could be used to compromise their security.
Under these circumstances, our role should not only be to bring technical expertise but also to deeply understand our clients’ specific needs and the most relevant threats to their operations. In other words, in certain situations, this type of activity might provide a significant added value beyond traditional cybersecurity services, and should be discussed with the client. For instance, we should recommend a physical security assessment to a client, if we believe that threats to the physical perimeter present a more immediate or tangible risk than those targeting the digital perimeter (which is typically far more protected). Furthermore, there might be situations where physical security assessments could be combined with tests on the technological perimeters to provide a more holistic approach.
A rule of thumb to tell whether a company may benefit from a physical security assessment could be if any of the following apply:
- It operates from a physical location with employee workstations, internal network cabling, and on-site servers.
- A delayed detection of an intrusion could result in reputational harm (e.g., data breaches, unauthorized surveillance) or financial losses (e.g., theft of equipment, products, or sensitive information).
- The company is involved in delivering or managing critical services, such as public infrastructure, telecommunications, law enforcement, healthcare, or financial systems.
- Physical security measures installed by the vendor have never been assessed by a third party.
- Structural changes to physical access procedures or access control systems have recently been performed or are planned.
As you might have guessed, according to the conditions above, the list of companies which might need to test their physical perimeter is quite long.
1.3 – Services: Standard VS Advanced
Not all companies have the same needs (or are at the same level of maturity) when it comes to physical security. Just as you wouldn’t propose a red teaming exercise to a company that has never undergone a vulnerability assessment in the cyber domain, the same principle applies here.
To align with the maturity level of a client’s physical security, we have defined two distinct types of assessments:
1.3.1 – Standard
This approach involves open, collaborative testing, where we conduct a comprehensive evaluation of the physical security perimeter. The goal is to identify and, where possible, exploit vulnerabilities across the target premises. This standard assessment is similar to a traditional penetration test, where every effort is made to identify weaknesses in an open and transparent manner. In this case, the client is actively involved, and the assessment aims to uncover all relevant security gaps. Clients are typically encouraged to give us the broadest possible access to the physical site to ensure a thorough review. For clients who are new to physical security assessments or have limited experience, this option would be the most appropriate.
1.3.2 – Advanced
The focus of this activity is to emulate a sophisticated external threat attempting to breach the premises, by conducting a realistic attack scenario through a physical “red team” approach. This activity is more focused and targeted, and typically conducted after an initial intelligence-gathering phase. The aim is to evaluate the effectiveness of the physical security of the target company at preventing the team from reaching an objective agreed upon with the client, by exploiting vulnerabilities identified in early recon phases. This attack is performed without the client providing access or any detailed information on the premises beforehand. As you might have guessed, this approach is best suited for clients with robust physical security measures and a proven track record of prior assessments.

The following table summarizes the two services:
Assessment Category | Client Maturity | Covert | Recon Phase | Objective | Access Provided | Vulnerability Exploitation |
---|---|---|---|---|---|---|
Standard | Low | NO | NO | Detect and exploit all possible vulnerabilities | YES | YES |
Advanced | High | YES | YES | Agreed upon with the client | NO | YES |
In the following sections we will focus on our approach for delivering standard assessments.
2 – Getting Started
The skills needed for this type of work are not innate; they must be acquired through study, hands-on training, and experience. It’s hard to imagine this kind of service being delivered effectively without proper training. Moreover, gaining the necessary expertise independently can be challenging, as relevant online resources are limited and often require a significant time investment. Before launching this type of service, it’s indeed highly recommended to train at least a few team members.
With this in mind, it’s important to identify a group of motivated and interested individuals. Not everyone might want to be involved in this type of project, even though the skills related to physical security are diverse and applicable across various areas.
Several specialized courses are available to help you gain the necessary skills for this profession; we just mention a few training companies we are currently aware of:
- Red Team Alliance (https://shop.redteamalliance.com/)
- Covert Access Team (https://www.covertaccessteam.com/covert-access-training-course)
- Red Teamers Academy (https://redteamers.academy/index.html)
Additional training opportunities may arise through conferences or workshops, so it’s worth staying alert to these events.
Enrolling in a dedicated course not only teaches you the techniques, but also provides a structured framework for applying them. These courses offer more than just skills—they cultivate a mindset. You’ll learn how to methodically analyze images or videos to spot potential vulnerabilities, and develop the ability to organize and execute a well-thought-out engagement strategy within a team.
Having a detailed list of tests, areas of interest to focus on, or a structured breakdown of testing types can be incredibly helpful on its own. Moreover, the courses are surprisingly realistic in terms of the technologies and environments they cover, giving you a true-to-life perspective on what to expect.
By the time you complete a hands-on course, you’ll be adequately prepared for audits and engagements. While the learning process doesn’t stop there, these foundational courses equip you with a solid base, and further development comes with experience.
3 – Ocean’s 101: The Planning Phase
Assuming that a dedicated team has already been assembled and trained for these activities, we move on to the planning phase and the specific tests that need to be carried out.
3.1 – Time Frame
A typical overt physical security assessment takes a team of at least two members around five days per target building. This is an estimate, and the actual effort depends on the scenario, but from our experience it is crucial not to underestimate it, so we recommend budgeting five days and two people per building to ensure a thorough assessment. In some cases individual tests may need to be adjusted or even skipped, depending on the situation.
Two team members are essential, at least for the first engagements. Genuinely parallelizing tasks is relatively rare, especially for an inexperienced team, but some attacks require two actors, findings must be documented accurately (one team member collects evidence while the other carries out the attack), and the equipment has to be split between people (discussed in further detail later on). Unlike the average cyber security consulting job, a physical security assessment often requires a lot of physical activity (no pun intended), and the time spent in front of a computer is minimal if you are well organized and prepared. Wear comfortable shoes and be ready to stay active for several days. Slow down the pace if you need to, especially if you are exhausted mid-engagement and have already completed most of the tests.

3.2 – Checklist
Creating a solid checklist is key to a successful assessment. Unfortunately, there are no recognized standard guidelines for it. You can start with a basic list from online sources, just like we did, but a good checklist should be continuously refined and tailored as you gain experience.
To save time before the engagement, you can conduct a preliminary review of the target remotely, using satellite images, maps, and basically any kind of information collected from OSINT. Use a preliminary interview with the client to make sure to understand their top concerns, as well as to obtain information on the technologies and brands installed to protect the physical perimeter.
Once you have a clear understanding of the target, develop a schedule for the tests to be conducted over the planned days of the assessment. This schedule will help you track progress and identify any unforeseen challenges as they arise. It’s also essential to have a contingency plan in place to address any unexpected issues.
Notice that this type of engagement typically requires the constant presence of a designated contact from the client side, who will accompany you through the testing phases and authorize any actions, such as simulated attacks. However, be aware that this person might not have access to all areas of the premises or may not be available during every phase of the assessment.
To avoid delays or disruptions, coordinate the schedule with the contact person as early as possible.
It would also be helpful to have a contact from the company that installed the physical security solutions at the client site, available to address any technical questions.
Prioritize tests that are most critical or where vulnerabilities are likely exploitable, ensuring that the most impactful risks are addressed first.
4 – Tools Of The Trade
As you might have noticed, physical security assessments are highly hands-on activities. Whenever possible and permitted by the client, vulnerabilities should be actively tested to demonstrate the potential risks, and ultimately to improve the team skills in a safe environment. However, this may not always be feasible if you don’t have the appropriate tools on hand. Therefore, it’s important to bring to engagements as many devices and materials as your budget allows.

The recommended equipment for these activities is quite extensive. If you’re just starting, we suggest the following essentials:
- Lock Picking Set: at least one basic lock picking kit. Nothing fancy is required, as long as you have a wide range of tools, such as rakes, tension tools and hooks. While you may not have time to use it in every assessment, it’s better to have it available just in case. You are unlikely to find yourself lockpicking in an overt activity, but it is always a good habit to be prepared.
- Door Bypass Tools: plastic shims are among the most compact, inexpensive, and convenient items for bypassing doors. They can be supplemented with lifters with a handle for shimming (useful for creating space by pushing the door). A traveler hook will work just fine, but a Quick Jim is recommended as well for its versatility.
- Magnets for Alarm Bypass: you should have a variety of magnets, including at least one large magnet with an ON/OFF switch. For example, we normally carry a switchable magnet with a 300 kg pull-out force, since from our experience it is ideal for reaching the reed contact on the other side of an alarmed door. Also, consider having small magnets for keeping a door contact defeated persistently.
- Screwdrivers: a set of screwdrivers is essential for working on doors, locks, and devices. Additionally, have a set of precision screwdrivers on hand for working with disassembled electronic devices.
- Under-Door Attack: you’ll just need an under-door tool, but to make your life easier it can also be helpful to have a small pump, a pry bar, and a borescope (you can find even some that connect directly to your mobile phone). Keep in mind that this attack requires some preparation and is particularly useful in high-security environments where other bypass techniques may fail.
- Compressed Air Can: a blast of air through the gap under or around a door can trip passive-infrared request-to-exit (REX) sensors, which unlock the door when they detect movement on the secure side.
- Badge Cloning and Credential Interception Tools: if you’re on a budget, tools like the Flipper Zero can help you clone RFID credentials, among many other functionalities they are equipped with. If you are interested in more advanced protocol analysis or reverse engineering, the Proxmark is the standard tool, and you could also find cheaper alternatives to the official one. However, if money is not a concern and you are looking for something that works out-of-the-box, you should look for the iCopy (easy-to-use, fast badge cloning).
- Video Recording Equipment: a recording device is crucial for capturing proof-of-concept (PoC) evidence to share with the client. An action camera with a chest or head mount is highly recommended, as it keeps your hands free during the execution of the attack. If you only need to collect evidence, a mobile phone is also a good option.
- De-authentication Devices: an Alfa Wi-Fi adapter or a similar device is good at de-authenticating wireless devices. You can borrow one of those your company uses for Wi-Fi assessments to save money. If you are looking for a tool specific to de-authentication there are cheaper and more portable options as well. Keep in mind that devices using 802.11w Protected Management Frames ignore forged de-authentication frames, so check for that before relying on this technique.
Some of the general purpose elements (screwdrivers, plastic shims, magnets, compressed air cans, …) of the above list can be easily found in local hardware stores, but also online on Amazon, eBay or even AliExpress.
When buying specialized covert entry tools, if your company is based in Europe, we suggest always preferring European providers: buying from a US-based store adds customs duties on top of the shipping cost.
As final consideration, it’s essential to organize your equipment efficiently. We thus recommend separating tools into different bags to ensure ease of access and also to prevent damage. For instance, keep magnets away from electronic equipment (such as the Proxmark, iCopy, etc.), and store hardware such as prybars, but also shimming or hooking tools in a separate container. This organization makes it easier to divide the equipment among team members and ensures that you only bring what is needed for the day’s planned tests.


5 – Testing Phase
In this section, we provide guidance on effectively managing the testing phase. As a form of exercise to gain experience, it’s advisable to carry out as many tests as possible, using the tools available on-site. In agreement with the contact person, you can also incorporate basic social engineering tactics, such as attempting tailgating or crafting a story to gain access to confidential business information or even to clone employee badges.
We are not discussing covert engagements here, meaning you don’t need to operate in complete stealth. However, the controlled environment of these activities offers a valuable opportunity to simulate scenarios that are more typical of covert operations. For example, we can use this setting to assess potential gaps in employee training, test how staff might respond to attacks like tailgating, or attempt direct interactions with employees to observe vulnerabilities in their awareness and behavior.
To make the assessment as realistic as possible, certain tests can be conducted without pre-alerting staff, provided this approach is pre-approved by the contact person and, if needed, the staff manager, to evaluate how employees react to unanticipated security challenges.
When it comes to the hands-on part, the testing should be thorough and reflective of the overall security posture of the target. For instance, when attempting door bypasses, it’s unnecessary to check every door in the building—simply test a representative sample of each door type. If specific doors are installed in areas like offices, meeting or training rooms, it’s best to conduct tests in unoccupied or low-traffic areas to minimize bothering the staff.
In some cases, testing may be replaced by interviews with staff—such as front desk personnel, security guards, or other security staff—which help identify gaps in procedures. These interviews can provide valuable insights into vulnerabilities that may not be directly observable or others that require special authorization from the client. In these situations, it’s important to document how the vulnerabilities were identified—whether they were discovered through direct testing or reported by the personnel.
6 – Evidence Collection Phase
As previously mentioned in the planning section, certain tests may not be repeatable, and some areas may only be accessible under specific conditions. Due to time constraints and the nature of physical security assessments, it’s crucial to document all evidence and attacks in detail to avoid the need for retesting.
Unlike in cybersecurity, where evidence collection is often (with exceptions, of course) straightforward, such as capturing a screenshot of a web vulnerability from Burp Suite, documenting physical security vulnerabilities can be less intuitive.
We didn’t find one best approach for reporting vulnerabilities; instead, we believe that the method should be tailored to the specific circumstances.
For some physical security vulnerabilities, simply taking static images might not be sufficient, as they often fail to capture the full scope of the issue. In many cases, extracting a sequence of frames from a video may be necessary to represent dynamic situations or actions in a deliverable format.
Metadata from photos taken with a phone (capture timestamps in particular) helps reconstruct the sequence of events: it can be used to order the evidence and to establish when a given test was performed. Videos of attacks provide valuable visual evidence when presenting the findings to the client.
There may also be scenarios where visual evidence isn’t possible, such as during staff interviews or social engineering tests. In these cases, it’s essential to transcribe the conversation and organize it into a clear, structured visual format, such as a comic bubbles dialogue, in order to highlight key points.
At the end of the on-site activity, annotate each piece of evidence with the test it belongs to. This mapping ensures that, when writing the report, you can clearly identify the vulnerabilities and associate them with the relevant findings.
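A small tool for the two chores above, ordering the evidence by capture time and mapping each item to a test, as an added example that is not part of the original post or Yarix tooling. It also hashes every file at collection time so that the manifest can be re-verified before the report is written; the post does not describe hashing, it is a practice added here. Assumptions: the capture time is taken from the file modification time as a stand-in for the photo's EXIF DateTimeOriginal, the test identifiers (T-04, T-11) are invented, and the sample files are constructed in a temporary directory.

```python
"""Evidence manifest builder for a physical security assessment (added example)."""
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

FIELDS = ["captured_utc", "file", "sha256", "test_id"]


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large video clips do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, test_map):
    """Return one row per evidence file, sorted by capture time.

    test_map is {filename: test_id} as annotated by the tester. Files that are
    not in it are flagged UNMAPPED rather than dropped, so nothing collected
    on site silently disappears from the report.
    Assumption: st_mtime stands in for the EXIF capture timestamp.
    """
    rows = []
    for path in sorted(Path(evidence_dir).iterdir()):
        if not path.is_file():
            continue
        captured = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        rows.append({
            "captured_utc": captured.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "file": path.name,
            "sha256": sha256_file(path),
            "test_id": test_map.get(path.name, "UNMAPPED"),
        })
    rows.sort(key=lambda r: (r["captured_utc"], r["file"]))
    return rows


def write_manifest(rows, out_path):
    with open(out_path, "w", newline="") as f:
        writer = csv.DictWriter(f, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)


def verify_manifest(evidence_dir, manifest_path):
    """Re-hash every listed file; return the names that are missing or changed."""
    problems = []
    with open(manifest_path, newline="") as f:
        for row in csv.DictReader(f):
            path = Path(evidence_dir) / row["file"]
            if not path.is_file() or sha256_file(path) != row["sha256"]:
                problems.append(row["file"])
    return problems


def run_demo():
    """Constructed sample: three evidence files with staged capture times, one left unmapped."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        base = 1_700_000_000  # arbitrary epoch seconds (constructed)
        samples = {  # deliberately not in chronological order
            "IMG_0003.jpg": (b"frame: REX sensor tripped with compressed air", base + 900),
            "IMG_0001.jpg": (b"frame: door contact bridged with magnet", base),
            "VID_0002.mp4": (b"clip: tailgating through the turnstile", base + 300),
        }
        for name, (content, ts) in samples.items():
            p = d / name
            p.write_bytes(content)
            os.utime(p, (ts, ts))  # stage the "capture time"
        test_map = {"IMG_0001.jpg": "T-04 alarm bypass", "VID_0002.mp4": "T-11 tailgating"}
        rows = build_manifest(d, test_map)
        manifest = d / "manifest.csv"
        write_manifest(rows, manifest)
        clean = verify_manifest(d, manifest)
        (d / "IMG_0001.jpg").write_bytes(b"edited after collection")  # simulate tampering
        tampered = verify_manifest(d, manifest)
        return {
            "order": [r["file"] for r in rows],
            "test_ids": [r["test_id"] for r in rows],
            "clean": clean,
            "tampered": tampered,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run the manifest step on the evening of the last on-site day, before anything is copied around or renamed, and keep the CSV with the raw files; phone clocks drift, so compare the first capture timestamp with the time noted for the first test in the schedule before trusting the ordering.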
7 – Reporting Phase
7.1 – Physical Vulnerability Scoring System (PVSS)
Currently, there is no universally recognized standard to define and categorize physical security vulnerabilities. In our approach, we started from the notes and evidence collected during the tests to get an indication of the issues. By abstracting these findings from their specific assessment context, we aimed to build a reusable catalog of vulnerabilities that can be applied in future engagements.
We’ve also developed a system, conveniently named Physical Vulnerability Scoring System (PVSS), for calculating the severity of physical security vulnerabilities. The metric is loosely based on CVSS v4.0, with several modifications to better fit the physical security domain: we changed the factors that affect the likelihood of an attack being executed, while the impact metrics are taken from CVSS v4.0 unchanged. For example, the Attack Vector (AV) is omitted: every vulnerability we identify requires the attacker to be physically present, which under plain CVSS v4.0 (AV:P) would systematically lower the score. In its place we introduce a Vulnerability Detection (VD) factor, which classifies the reconnaissance required to detect the vulnerability:
- Long Range (L): The vulnerability can be detected from a distance without the risk of detection.
- Short Range (S): The vulnerability can be detected by an attacker near the perimeter.
- Embedded (E): Detection requires direct access to the perimeter, which could be partially accessible to the public, restricted to employees, or an access-restricted area.
In a physical exploitation, unlike in the cyber domain, where it is easy to hide the attacker’s identity behind a VPN or similar means, the Detection Likelihood (DL) factor becomes critical. It assesses whether the attack exploiting the vulnerability could be conducted covertly or only overtly: the lower the likelihood of detection, the more feasible the attack. In digital scenarios, by contrast, the likelihood of the attack being detected (e.g., an XSS payload caught by a Web Application Firewall) does not necessarily reduce the likelihood of the attack being executed.
Finally, we also consider the destructiveness of the attack, not in terms of potential disruption to operations (which is covered by the Availability impact), but with regard to the means of executing it. A destructive operation is likely noisy and might require bulkier tools, which lowers the chances of conducting the attack in general. When profiling the threat, keep in mind that a highly sophisticated threat actor would leave behind very little evidence, while an improvised low-skilled attacker might not have this thoughtfulness.
To summarize, the score calculator is based on the following indicators:
- Vulnerability Detection (VD) // custom
- Privileges Required (PR)
- Social Engineering (SE) // custom
- Attack Complexity (AC)
- Attack Requirements (AT)
- Detection Likelihood (DL) // custom
- Destructive Exploitation Method (DE) // custom
- Violation of Confidentiality (VC)
- Violation of Integrity (VI)
- Violation of Availability (VA)
- Subsequent Confidentiality (SC)
- Subsequent Integrity (SI)
- Subsequent Availability (SA)
All the above factors are later combined together into some expressions that define the final score.
Overall, this score calculator is still a work in progress, even though we are currently adopting it and refining it along with our experience.
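To make the structure of such a calculator concrete, here is an added example of a PVSS-style vector parser and scorer. It is not the Yarix calculator: the post lists the thirteen factors but does not publish the expressions that combine them, so the value sets of the custom factors (SE, DL, DE), every weight, the arithmetic-mean likelihood, the CVSS v3-style impact combination and the 0.1 version tag are all assumptions chosen for illustration. The factor abbreviations and the VD values (L, S, E) are the ones from the post; the qualitative bands are the CVSS ones.

```python
"""Illustrative PVSS vector parser and score calculator (added example, not Yarix's)."""
import math

# Allowed values per metric, ordered from easiest to hardest for the attacker.
# VD values come from the post; CVSS-derived metrics follow CVSS v4.0; SE, DL, DE value sets are assumed.
METRIC_VALUES = {
    "VD": "LSE",  # Vulnerability Detection: Long range, Short range, Embedded
    "PR": "NLH",  # Privileges Required: None, Low, High
    "SE": "NPA",  # Social Engineering (assumed): None, Passive pretext, Active staff cooperation needed
    "AC": "LH",   # Attack Complexity: Low, High
    "AT": "NP",   # Attack Requirements: None, Present
    "DL": "LMH",  # Detection Likelihood (assumed): Low, Medium, High
    "DE": "NY",   # Destructive Exploitation Method (assumed): No, Yes
    "VC": "NLH", "VI": "NLH", "VA": "NLH",  # impact on the vulnerable system
    "SC": "NLH", "SI": "NLH", "SA": "NLH",  # subsequent (downstream) impact
}
LIKELIHOOD_METRICS = ("VD", "PR", "SE", "AC", "AT", "DL", "DE")
IMPACT_METRICS = ("VC", "VI", "VA", "SC", "SI", "SA")

# Assumed weights: 1.0 is the most favourable value for the attacker.
LIKELIHOOD_WEIGHTS = {
    "VD": {"L": 1.0, "S": 0.7, "E": 0.4},
    "PR": {"N": 1.0, "L": 0.6, "H": 0.3},
    "SE": {"N": 1.0, "P": 0.7, "A": 0.4},
    "AC": {"L": 1.0, "H": 0.5},
    "AT": {"N": 1.0, "P": 0.6},
    "DL": {"L": 1.0, "M": 0.6, "H": 0.3},
    "DE": {"N": 1.0, "Y": 0.5},
}
IMPACT_WEIGHTS = {"N": 0.0, "L": 0.5, "H": 1.0}


def parse_vector(vector: str) -> dict:
    """Parse 'PVSS:0.1/VD:L/PR:N/...' into {metric: value}, rejecting anything malformed."""
    parts = vector.strip().split("/")
    if parts and parts[0].startswith("PVSS:"):
        parts = parts[1:]  # optional version tag (assumed format)
    metrics = {}
    for part in parts:
        if ":" not in part:
            raise ValueError(f"malformed component {part!r}")
        name, value = part.split(":", 1)
        if name not in METRIC_VALUES:
            raise ValueError(f"unknown metric {name!r}")
        if value not in METRIC_VALUES[name]:
            raise ValueError(f"metric {name} does not accept {value!r}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = [m for m in METRIC_VALUES if m not in metrics]
    if missing:
        raise ValueError("missing metrics: " + ", ".join(missing))
    return metrics


def likelihood(metrics: dict) -> float:
    """Assumed: arithmetic mean, so one hard factor (e.g. DL:H) lowers but never zeroes the score."""
    return sum(LIKELIHOOD_WEIGHTS[m][metrics[m]] for m in LIKELIHOOD_METRICS) / len(LIKELIHOOD_METRICS)


def impact(metrics: dict) -> float:
    """Assumed: CVSS v3-style 1 - prod(1 - w), so a single High impact saturates at 1.0."""
    return 1.0 - math.prod(1.0 - IMPACT_WEIGHTS[metrics[m]] for m in IMPACT_METRICS)


def severity(score_value: float) -> str:
    """CVSS qualitative bands."""
    if score_value == 0:
        return "None"
    if score_value < 4.0:
        return "Low"
    if score_value < 7.0:
        return "Medium"
    if score_value < 9.0:
        return "High"
    return "Critical"


def score(vector: str):
    """Return (numeric score rounded to one decimal, qualitative severity)."""
    m = parse_vector(vector)
    s = round(10.0 * likelihood(m) * impact(m), 1)
    return s, severity(s)


if __name__ == "__main__":
    # Constructed vectors for three hypothetical findings.
    examples = {
        "unmonitored gate visible from the street": "PVSS:0.1/VD:L/PR:N/SE:N/AC:L/AT:N/DL:L/DE:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "badge reader accepting cloned cards, guard nearby": "VD:S/PR:N/SE:P/AC:H/AT:N/DL:M/DE:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "forced entry to a staff-only storage room": "VD:E/PR:L/SE:A/AC:H/AT:P/DL:H/DE:Y/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
    }
    for title, vec in examples.items():
        print(f"{title}: {score(vec)}")
```

Whatever formula you settle on, keep the vector string in the report next to each finding: it lets the client see which factor drives the score (for instance DL:L versus DL:H) and lets you re-score old findings consistently when the weights are refined.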
7.2 – Attack Scenarios
The final report, in our view, should not only include a comprehensive list of identified vulnerabilities but, whenever possible, also outline potential attack scenarios that could arise from combining these vulnerabilities. This part of the deliverable material helps to illustrate the real-world risks the client faces, by demonstrating how an attacker might concatenate multiple vulnerabilities in sequence to gain unauthorized access or cause harm.
There should also be a classification between various types of identified scenarios. These can be broadly categorized into two main types: external threats and insider threats. The former involves attackers from outside the organization, with no level of access, and often representing a broader spectrum of potential adversaries. The latter, on the other hand, refers to attacks originating from within the organization—such as employees or third parties—who have some level of access to the perimeter or anybody that have somehow managed to bypass external security measures. Ideally, a level of complexity should be assigned to each scenario, in order to prioritize and correctly address those associated with lowest complexity.
Presenting these findings in the report might be done with the help of PoC videos, thus making them easier for stakeholders, such as facility managers or security personnel, to understand. This clarity is essential for ensuring that the risk is fully comprehended and addressed in a timely manner.
8 – Conclusions
In this blog post, we explored some common pitfalls that lead to the underestimation of the physical perimeter—an often-overlooked aspect of every organization’s security posture. Our focus was on conducting a standard (non-covert) assessment, offering practical guidance on how to train a team, plan the assessment effectively, and handle tasks efficiently.
We outlined a list of essential equipment needed to perform initial evaluations and provided suggestions on where some of these tools can be sourced. Additionally, we offered recommendations on key tests to include, strategies for gaining hands-on experience in the field, and techniques for collecting valuable evidence during assessments.
We also introduced a custom method for assessing the severity of physical vulnerabilities, developed in response to gaps in CVSS v4.0 when applied to the physical domain, and emphasized the importance of presenting findings through detailed attack scenarios to better illustrate real-world impact.
In conclusion, physical security is often underestimated, even though it plays a fundamental role in protecting organizations. Too often, we encounter situations where there is a complete lack of risk awareness: in these cases, people fail to adopt any security measures, are unable to recognize threats, and even when investments are made, they tend to focus almost exclusively on the cyber realm, completely neglecting the physical component.
In other cases, although technologies and defensive measures have been implemented, there has been no real assessment of their effectiveness or correct installation. This leads to a false sense of security, which can be just as dangerous as having no defenses at all.
Finally, even when investments are made to ensure that technologies function optimally, a crucial element is often overlooked: people’s preparedness. Just as in the cyber world, in physical security employees must be trained to recognize and respond to threats such as social engineering or the risk posed by behaviors that could endanger the entire organization.
Only through an integrated approach—combining technology, critical evaluation, and staff training—can we build a truly effective and resilient defense.
Authors
Jacopo Talamini is a member of Yarix Red Team. He is a former PhD student and a hacker wannabe who enjoys reading assembly code.
Alessandro Albani is a member of Yarix Red Team. He is a tech enthusiast who loves fiddling with electronic gadgets. When not behind a screen, he’s likely jamming out to his favorite tunes or juggling one of his many other hobbies (more than can be reasonably listed).
Luca Barbieri is a Red Team member and has a soft spot for all things hackable. When he’s not busy poking at systems, he’s probably flying drones, deep into a CTF, or gaming into the night. Fuelled by strong coffee and harder challenges – it’s all part of the fun.