Complete Guide
Intermediate
Refreshed: March 2026

Physical Security & Offensive Entry

This section treats physical security like a modern attack surface, not a nostalgia niche. By the end, you should be able to scope a lawful on-site engagement, map facility attack paths, evaluate access-control architecture, run offensive entry tradecraft, validate surveillance coverage, and deliver remediation that makes sense to security operations, facilities teams, and leadership. The offensive material stays here on purpose, but it is now wrapped in stronger assessment methodology.

Why This Section Matters Now

Modern facilities blend badging, cloud-managed access control, visitor tablets, biometrics, cameras, SaaS alerting, and hybrid office patterns. A strong physical assessment now has to cover both old-school offensive entry and the modern control plane that decides who gets challenged, logged, and investigated.

Technology Shifts That Change Assessments

Mobile credentials, OSDP Secure Channel, cloud-managed access systems, and AI-assisted surveillance increasingly sit beside legacy Wiegand readers, weak visitor processes, and unchanged human habits. This guide keeps the offensive techniques, but updates the section so findings can be mapped to current designs and standards.

Assessment Tiers

Use these tiers to decide how far you need to go. Not every office needs covert entry against maglocks, but every client should understand where visitor controls, surveillance, and access architecture actually break.

TIER 1 Office / Branch Site

Reception desk, badge readers, shared workspace, conference rooms, and standard camera coverage.

  • Sections 01-02: recon, threat modeling, visitor and social workflow testing
  • Sections 04 and 06: access control validation and reporting
  • Optional offensive track: sections 03, 08, and 09

TIER 2 Campus / Mixed Operations

Multiple buildings, loading docks, contractor flows, security staff, network closets, and surveillance blind-spot problems.

  • All Tier 1 work, plus sections 05, 07, and 10
  • Validate device implant risk, RF paths, and surveillance architecture
  • Treat human behavior and camera placement as one control system

TIER 3 Critical / Regulated Facility

Data centers, healthcare, industrial environments, executive spaces, or sites with biometrics, guards, and formal audit obligations.

  • All Tier 2 work, plus sections 11-12 for standards and playbooks
  • Stronger legal, safety, and emergency coordination requirements
  • Findings must map cleanly to auditors, facilities, and security ops

What You Will Learn

Reconnaissance, patterns of life, and physical threat modeling that produce credible attack paths instead of random door testing
Offensive entry via social engineering, lock and latch bypass, badge attacks, portable RF tooling, and covert post-entry tradecraft
How to evaluate access-control architecture, mobile credentials, Wiegand-to-OSDP migration, and weak reader placement
Camera, biometric, and response workflow validation using both on-site observation and supporting tools
Objective-driven post-entry actions such as rogue devices, workstation access, and evidence collection without losing sight of scope
How to translate findings into standards-aligned recommendations, playbooks, and executive-ready reporting

Prerequisites

Legal and Safety Baseline

  • Written authorization with clear timing, scope, and emergency contacts
  • No ambiguity around police, guards, life-safety systems, or after-hours rules
  • Explicit agreement on impersonation boundaries and prohibited roles

Operator Readiness

  • Comfort with OSINT, note-taking, timekeeping, and evidence hygiene
  • Basic understanding of access control, cameras, and workstation/network objectives
  • Ability to stop when scope, safety, or law enforcement posture changes

Recommended Context

How To Use This Section

Consultants

Move from sections 01 through 06 in order. That gives you a repeatable assessment workflow before you escalate into specialized offensive tradecraft.

Red Teamers

Use sections 01-02 for reconnaissance and persona prep, then live in 03, 04, 07, 08, and 09. Section 05 keeps the post-entry actions objective-driven instead of opportunistic.

Defenders / Facilities

Focus on 01, 02, 04, 06, 10, and 11 to understand why badging, visitor control, surveillance, and reporting often fail as a connected system.

Methodology Overview

Assessment Flow

From authorization to offensive entry to standards-aligned reporting

flowchart LR
  A[Authorization and Safety] --> B[Recon and Threat Model]
  B --> C[Visitor and Badge Workflow Testing]
  C --> D[Mechanical and Electronic Entry Paths]
  D --> E[On-Site Objectives and Rogue Devices]
  E --> F[Surveillance and Response Validation]
  F --> G[Evidence and Reporting]
  B --> H[Patterns of Life]
  C --> I[Social Engineering]
  D --> J[Offensive Tradecraft]
  F --> K[Standards Mapping]
  G --> L[Remediation Playbook]

Quick Start: Assess a Corporate Office in 15 Minutes

If you need a practical entry point, use this mini flow to sanity-check a facility before you go deeper. It keeps the offensive mindset, but forces you to observe the whole control system instead of fixating on the first unlocked door.

office-physical-assessment.txt
site: Corporate office with lobby, badge readers, cameras, and standard workstation footprint

1. Start outside
   - Count public entrances, delivery entrances, and smoking / break areas
   - Identify camera coverage, guard posture, and likely blind spots
   - Note whether reception can see the primary badge-controlled doors

2. Threat-model the first three realistic attack paths
   - Tailgate behind a lunch crowd
   - Pretext through reception as contractor or visitor
   - Clone or emulate a credential if the site uses weak badge tech

3. Validate the control chain
   - Does reception verify identity or only issue a temporary pass?
   - Are visitors escorted?
   - Are doors anti-passback, monitored, and alarmed?
   - Do cameras actually cover the route to sensitive rooms?

4. If entry succeeds, stay objective-driven
   - Identify exposed workstations, network drops, badge stock, and server / telecom rooms
   - Decide whether a rogue device, photo evidence, or minimal proof-of-access is enough

5. Write the finding in control language
   - What failed first: people, process, hardware, or monitoring?
   - What would have detected or interrupted the route?
   - Which standard or policy requirement does it violate?

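As an added defensive example (not part of this guide), the following detector applies step 3's control-chain questions to access-control log lines. It flags anti-passback violations (a credential re-entering a zone it never badged out of), entries into an inner zone with no recorded entry through the outer door, which is the log signature of a tailgate at the perimeter, and door-held-open events. The door-to-zone map, the log format and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed zone nesting (constructed): LOBBY-01 leads from "public" into
# "office", SERVER-01 leads from "office" into "server_room".
DOORS = {"LOBBY-01": ("public", "office"), "SERVER-01": ("office", "server_room")}

# Constructed sample events, not taken from any real access-control system.
SAMPLE_LOG = """\
2026-03-10T08:01:12 door=LOBBY-01 dir=in cred=1042 result=granted
2026-03-10T08:01:40 door=LOBBY-01 dir=in cred=1042 result=granted
2026-03-10T08:05:03 door=SERVER-01 dir=in cred=2077 result=granted
2026-03-10T08:07:30 door=LOBBY-01 event=held_open seconds=42
2026-03-10T12:10:00 door=LOBBY-01 dir=out cred=1042 result=granted
"""

LINE = re.compile(r"^(\S+) (.*)$")

def parse(line):
    """Turn 'timestamp key=value ...' into a dict; the timestamp stays a string."""
    ts, rest = LINE.match(line.strip()).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def detect(log, held_open_limit=30):
    """Return (timestamp, rule, detail) findings over the event log, in log order."""
    where = defaultdict(lambda: "public")   # credential -> zone we believe it occupies
    findings = []
    for raw in log.splitlines():
        ev = parse(raw)
        door = ev["door"]
        if ev.get("event") == "held_open":
            # A propped or slow door is the classic tailgating window.
            if int(ev["seconds"]) > held_open_limit:
                findings.append((ev["ts"], "door_held_open", f"{door} open {ev['seconds']}s"))
            continue
        if ev.get("result") != "granted":
            continue
        outer, inner = DOORS[door]
        cred = ev["cred"]
        if ev["dir"] == "in":
            if where[cred] == inner:
                # Badging in twice with no exit: passed-back or duplicated credential.
                findings.append((ev["ts"], "anti_passback", f"{cred} re-entered {inner} via {door}"))
            elif where[cred] != outer:
                # Reached an inner door without ever badging through the outer one.
                findings.append((ev["ts"], "missing_upstream_entry",
                                 f"{cred} entered {inner} from {where[cred]}, expected {outer}"))
            where[cred] = inner
        else:
            where[cred] = outer
    return findings
```

On the sample log this yields three findings; the middle one is the item a report would phrase as "monitoring failed first: the perimeter was crossed without a badge event".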
Physical Security Stack (2026)

Tool / Resource | Category | Best For | Integration
Proxmark3 | Badge / RFID | Low- and high-frequency credential analysis, dumps, and cloning workflows | Badge attacks, reader baselines, mobile credential migration checks
Flipper Zero | Portable RF Ops | Field-ready RFID, Sub-GHz, infrared, and BadUSB testing | Portable on-site assessments and rapid validation
HackRF One | RF Analysis | Wide-spectrum signal work where handheld tools are not enough | Garage gates, wireless sensors, and spectrum analysis
Camera Coverage Planner | Surveillance Validation | Coverage zones, blind spots, and route analysis | Interactive planning during surveillance reviews
Biometric Defense Evaluator | Biometric Testing | Face, gait, and voice checkpoint evaluation | Biometric validation, anti-spoofing awareness
LAN Turtle / Shark Jack | Implants | Rapid internal footholds after physical entry | Network drop validation and segmentation testing
O.MG Cable / Hardware Keylogger | Device Access | Short-duration workstation and conference-room tradecraft | Objective-based post-entry actions
Reporting Templates | Delivery | Executive writeups, evidence structure, and severity normalization | Use with the documentation chapter and report-builder workflow

Why The Offensive Tools Still Matter Here

This refresh does not sanitize the section. It makes the offensive content more useful by connecting lock, badge, RF, and covert-entry techniques to facility design, surveillance coverage, and evidence-driven reporting.

Guide Sections

01

Recon & Threat Modeling

Map facility attack paths, people flow, security layers, and defender routines before you ever touch a badge reader or door.

OSINT • Site walks • Patterns of life • Attack paths

02

Visitor Controls & Social Engineering

Test reception workflows, escort rules, challenge culture, and pretexts that determine whether unauthorized people get normalized.

Pretexts • Visitor logs • Call-backs • Challenge culture

03

Locks, Doors & Bypass

Keep the offensive heart of the section: pick, shim, bypass, and assess mechanical controls without losing sight of what defenders should fix first.

Lock picking • Latch bypass • Door hardware • Non-destructive entry

04

RFID & Access Control

Cover badge cloning, mobile credentials, Wiegand-to-OSDP migration, reader placement, and access-control architecture weaknesses.

Proxmark3 • Mobile badges • OSDP • Reader security

05

Rogue Devices & Post-Exploitation

Turn entry into objective-driven access with network implants, hardware keyloggers, evil-maid workflows, and concealment-aware evidence collection.

LAN Turtle • O.MG Cable • Evil Maid • Network drops

06

Evidence & Reporting

Document the route, control failures, detection gaps, and remediation path clearly enough for legal, executive, and operations teams to act on.

Timelines • Photos • Severity • Reporting pack

07

Flipper Zero & RF Ops

Portable offensive workflows for Sub-GHz, RFID, NFC, BadUSB, infrared, and field-ready signal capture during on-site operations.

Sub-GHz • NFC • BadUSB • Firmware workflows

08

Tailgating & Impersonation

Pressure-test human behavior at the door with believable personas, body language, queue timing, and challenge-response observations.

Tailgating • Persona design • Props • Human factors

09

Covert Entry & Alarm-Aware Bypass

Advance into maglocks, REX sensors, under-door tools, and covert bypass patterns while staying anchored to scope and defender lessons.

REX • Maglocks • Under-door tools • Alarm awareness

10

Surveillance & Biometrics

Assess camera placement, coverage quality, ONVIF exposure, PTZ timing, biometric checkpoints, and anti-spoofing expectations.

Cameras • ONVIF • Coverage zones • Biometrics

11

Standards & Case Studies

Map findings to NIST CSF 2.0, ISO 27001, UL 294, OSDP, and real-world failures so recommendations land with auditors and operators.

NIST CSF 2.0 • ISO 27001 • UL 294 • OSDP

12

Reference Checklists & Playbooks

Use ready-made checklists, quick-start playbooks, offensive decision trees, and reporting scaffolds to run repeatable physical engagements.

ROE • Checklists • Playbooks • Templates

Quick Reference

Core Principles

  • Threat-model the route before you test the route
  • Keep offensive activity tied to an agreed objective, not curiosity
  • Measure people, process, hardware, and monitoring as one system
  • Document what would have interrupted the attack path earliest

Current Standards and References

  • NIST CSF 2.0 - Govern, Protect, Detect, and Respond function mapping
  • ISO 27001 / 27002 - physical perimeters, monitoring, and media handling
  • UL 294 - access-control hardware assurance and deployment quality
  • OSDP Secure Channel - modern replacement for exposed Wiegand links

Ready to Begin?

Start with reconnaissance to map the facility like an attacker, move into visitor and access-control testing, and then choose how deep you need to go into bypass, RF tooling, rogue devices, surveillance, and standards alignment.
