Section 01
Intermediate

Recon & Threat Modeling

Good physical operators do not start with a pick or cloned badge. They start with routes, routines, people, and pressure points. Reconnaissance is where you convert a site into an attack path map and a defensive control map at the same time.

Recon Still Requires Scope Discipline

Photography, vehicle observation, badge-reader inspection, and after-hours pattern collection can all create friction if your rules of engagement are vague. Make sure the client has agreed to the hours, the perimeter, and any restrictions around employees, parking, or third-party tenants.

Recon Objectives

Find Viable Entry Paths

  • Public lobby and reception routes
  • Employee-only doors, loading docks, and side entrances
  • Smoke-break clusters, parking flows, and shift-change chokepoints
  • Doors where convenience beats policy

Map Defender Visibility

  • Camera placement, PTZ sweep habits, and likely blind spots
  • Guard lines of sight and patrol windows
  • Reception desk coverage versus actual door activity
  • Alarmed versus merely locked doors

Profile the Human System

  • Visitor check-in quality and badge issuance habits
  • Contractor normalization and vendor trust levels
  • Challenge culture around tailgating and wrong-floor presence
  • Employee use of stairs, elevators, and shared entrances

Identify Post-Entry Objectives

  • Network drops and conference-room gear
  • Badge-printing areas and security offices
  • Telecom closets, IDF rooms, and unattended workstations
  • Executive floors, labs, and document-heavy zones

Patterns of Life

The strongest physical findings usually come from understanding how the building behaves over time. Observe where convenience overrides control: lunch rushes, shift changes, deliveries, cleaners, and late arrivals are where people and process drift first.

Simple physical threat model: routes, trust transitions, and post-entry objectives

```mermaid
flowchart LR
    A[Public Space] --> B[Lobby / Reception]
    B --> C[Badge Door]
    C --> D[Workspace]
    D --> E[Critical Area]
    F[Loading Dock] --> D
    G[Smoke Break] --> C
    H[Visitor Check-In] --> B
    I[Stairwell / Side Entry] --> D
    C --> J[Challenge or No Challenge]
    D --> K[Escort or No Escort]
    E --> L[Objective Achieved]
```
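The flowchart above is a route map and a control map at once: every arrow into Workspace that skips the badge door also skips the challenge point. The following is an added example, not code from the original page, that turns the flowchart's spaces and edges into a graph, enumerates every route from an outside entry point to the objective, and lists the control points each route crosses so the weakest routes surface first. Which nodes count as control points, and that nodes with no inbound edge are outside entry points, are assumptions made here for illustration.

```python
"""Turn the page's site flowchart into a route map with trust transitions.

Added example, not code from the original page. The spaces and edges are the
ones in the page's flowchart; which spaces count as control points, and which
are outside entry points, is an assumption made here for illustration.
"""
from collections import defaultdict

# Directed edges between spaces, taken from the flowchart above.
EDGES = [
    ("Public Space", "Lobby / Reception"),
    ("Lobby / Reception", "Badge Door"),
    ("Badge Door", "Workspace"),
    ("Workspace", "Critical Area"),
    ("Loading Dock", "Workspace"),
    ("Smoke Break", "Badge Door"),
    ("Visitor Check-In", "Lobby / Reception"),
    ("Stairwell / Side Entry", "Workspace"),
    ("Critical Area", "Objective Achieved"),
]

# Assumed: spaces where a defender gets a decision (the J and K nodes of the
# flowchart are modelled as properties of the space they hang off).
CONTROL_POINTS = {
    "Lobby / Reception": "reception visibility",
    "Badge Door": "challenge at badge door",
    "Workspace": "escort in workspace",
}


def entry_points(edges):
    """Assumed: a space with no inbound edge is where an outsider can start."""
    sources = {s for s, _ in edges}
    targets = {t for _, t in edges}
    return sorted(sources - targets)


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def enumerate_routes(edges, goal="Objective Achieved"):
    """Depth-first enumeration of simple paths from each entry point to the goal."""
    graph = build_graph(edges)
    routes = []

    def walk(node, path):
        if node == goal:
            routes.append(list(path))
            return
        for nxt in graph[node]:
            if nxt not in path:  # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for start in entry_points(edges):
        walk(start, [start])
    return routes


def controls_on_route(route):
    """The control points a route passes through, in order."""
    return [CONTROL_POINTS[n] for n in route if n in CONTROL_POINTS]


def route_report(edges):
    """Map each route to the controls it crosses; routes crossing the fewest come first."""
    report = [{"route": r, "controls": controls_on_route(r)} for r in enumerate_routes(edges)]
    report.sort(key=lambda r: len(r["controls"]))
    return report


def uncontrolled_routes(edges, control):
    """Routes that never cross the named control, e.g. everything reception cannot see."""
    return [r["route"] for r in route_report(edges) if control not in r["controls"]]


if __name__ == "__main__":
    for r in route_report(EDGES):
        print(" -> ".join(r["route"]))
        print("   controls crossed:", ", ".join(r["controls"]) or "none")
    print("routes invisible to reception:", len(uncontrolled_routes(EDGES, "reception visibility")))
```

Run as-is it reports five routes; the loading dock and stairwell routes reach the workspace through only one control point (escort), which is exactly the "side entrances behave like convenience paths" finding that this section is about. Adding a real edge (a propped side door into a corridor, say) is a one-line change to `EDGES`, and the report tells you at once which existing controls that new route bypasses.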

Recon Checklist

| Phase | What To Capture | Why It Matters |
|---|---|---|
| OSINT | Maps, staff names, vendors, social posts, security job listings, tenant directories | Build believable pretexts and identify likely controls before you arrive |
| Exterior Walk | Camera positions, badge readers, side doors, guard behavior, smoking areas, deliveries | Shows which routes are watched, ignored, or normalized |
| Timing Pass | Lunch flow, shift change, cleaners, reception load, parking churn | Identifies when social friction and scrutiny are lowest |
| Post-Entry Planning | Network drops, printer clusters, badge stock, stairwells, telecom closets, boardrooms | Prevents aimless wandering and reduces unnecessary exposure once inside |

Rapid Threat Model Notes

physical-threat-model.txt

```text
target: downtown office, 3 floors, reception desk, garage access, shared tenant lobby

entry path 1: visitor pretext
- likely route: reception -> temporary pass -> elevator -> unescorted floor access
- assumptions: receptionist is overloaded at 8:30-9:15, no secondary ID verification
- detection points: front desk, elevator camera, floor manager challenge

entry path 2: lunch-rush tailgate
- likely route: side badge door -> open office floor -> conference area
- assumptions: employees carry food / laptops and hold the door
- detection points: badge-door anti-passback, nearby camera, challenge culture

entry path 3: credential attack
- likely route: weak 125 kHz credential cloned -> badge door -> telecom closet
- assumptions: legacy badge tech, reader cable exposed, no escort rules after-hours
- detection points: access logs, door-held-open alerts, SOC review cadence

objective after entry:
- prove access to internal network drop and sensitive floor without causing damage
- capture minimal evidence: route, timestamps, camera gaps, challenge failures, target room photo
```
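The value of notes in this shape is that each entry path names the detection points that should catch it, which a defender can check against what actually exists and is monitored. The following is an added example, not code from the original page: it parses the note format above into structured entry paths and reports, per path, which named detection points the client has not confirmed, and which paths have no confirmed detection at all. The note text is the page's own; the set of confirmed controls is a constructed assumption standing in for what a client's security team would supply.

```python
"""Parse the rapid threat-model notes and summarise detection coverage per entry path.

Added example, not code from the original page. NOTES is the page's own note
format; CONFIRMED_CONTROLS is a constructed assumption standing in for the
controls a client has confirmed exist and are actually monitored.
"""
import re

NOTES = """\
target: downtown office, 3 floors, reception desk, garage access, shared tenant lobby

entry path 1: visitor pretext
- likely route: reception -> temporary pass -> elevator -> unescorted floor access
- assumptions: receptionist is overloaded at 8:30-9:15, no secondary ID verification
- detection points: front desk, elevator camera, floor manager challenge

entry path 2: lunch-rush tailgate
- likely route: side badge door -> open office floor -> conference area
- assumptions: employees carry food / laptops and hold the door
- detection points: badge-door anti-passback, nearby camera, challenge culture

entry path 3: credential attack
- likely route: weak 125 kHz credential cloned -> badge door -> telecom closet
- assumptions: legacy badge tech, reader cable exposed, no escort rules after-hours
- detection points: access logs, door-held-open alerts, SOC review cadence

objective after entry:
- prove access to internal network drop and sensitive floor without causing damage
- capture minimal evidence: route, timestamps, camera gaps, challenge failures, target room photo
"""

# Constructed assumption: detection points the client has confirmed exist and
# are reviewed. Anything a path lists that is not here is an unconfirmed gap.
CONFIRMED_CONTROLS = {"front desk", "elevator camera", "access logs"}

PATH_RE = re.compile(r"^entry path (\d+): (.+)$")
FIELD_RE = re.compile(r"^- (likely route|assumptions|detection points): (.+)$")


def parse_notes(text):
    """Return entry paths as dicts with route steps, assumptions and detection points."""
    paths, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "name": m.group(2),
                       "route": [], "assumptions": [], "detection": []}
            paths.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            field, value = m.groups()
            if field == "likely route":
                current["route"] = [s.strip() for s in value.split("->")]
            elif field == "assumptions":
                current["assumptions"] = [s.strip() for s in value.split(",")]
            else:
                current["detection"] = [s.strip() for s in value.split(",")]
    return paths


def coverage_gaps(paths, confirmed):
    """Per entry path id, the detection points the client has not confirmed."""
    return {p["id"]: [d for d in p["detection"] if d not in confirmed] for p in paths}


def weakest_paths(paths, confirmed):
    """Entry paths with no confirmed detection point at all: the blind spots to fix first."""
    return [p["name"] for p in paths if not any(d in confirmed for d in p["detection"])]


if __name__ == "__main__":
    parsed = parse_notes(NOTES)
    for pid, gaps in coverage_gaps(parsed, CONFIRMED_CONTROLS).items():
        print(f"entry path {pid}: unconfirmed detection points -> {gaps or 'none'}")
    print("paths with no confirmed detection:", weakest_paths(parsed, CONFIRMED_CONTROLS))
```

With the constructed confirmed-control set, the lunch-rush tailgate path has no confirmed detection point at all, which is the kind of result that turns recon notes into a prioritised remediation item (anti-passback, camera placement, challenge culture) rather than a narrative.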

What Strong Defenders Do Differently

Defensive Signals

  • Reception can see and influence the badge-controlled choke point
  • Visitors are verified, logged, and visibly escorted
  • Cameras cover the approach to sensitive areas, not just the front door
  • Side entrances behave like security boundaries, not convenience paths

High-Risk Signals

  • Badge readers exist but people routinely hold the door anyway
  • Cameras are present but obviously miss the actual route into secure areas
  • Employees wear badges inconsistently or display them clearly enough to photograph
  • Contractors and delivery staff move unchallenged after the first threshold