Section 02
⚡ Intermediate
Visitor Controls & Social Engineering
Social engineering is still the fastest route through a locked building, but the goal is not just to get in. The goal is to measure how reception, employee behavior, contractor workflows, and escalation habits respond when a believable person asks for trust.
Stay Inside Your Authorized Persona Set
Impersonation works because organizations normalize certain roles. Your client should explicitly approve which personas are allowed and which are prohibited. Never improvise into law enforcement, medical, or government roles that were not pre-authorized.
High-Value Pretexts
Operational Roles
- IT Support - urgent printer, Wi-Fi, or badge issue tied to a named employee
- HVAC / Elevator / Pest Control - believable because they are expected to move through back-of-house areas
- Delivery / Courier - best when timed against lunch or shift transitions
- Corporate Audit - useful in office settings where people assume headquarters visibility
Workflow-Based Pretexts
- Visitor Check-In Failure - meeting changed, host is delayed, badge not yet issued
- New Employee - badge still pending, onboarding confusion, wrong floor energy
- After-Hours Cleaner / Contractor - strongest when staff are used to unfamiliar faces
- Executive Urgency - reference a senior leader only if the client has approved it
What To Assess At Reception
Process Quality
- • Is government ID checked or just glanced at?
- • Is the host contacted through a trusted number or any number you provide?
- • Does the visitor badge visibly expire or just look official?
- • Are visitors always escorted, or only in theory?
Behavioral Quality
- • Does the receptionist challenge mismatched stories?
- • Do employees reinforce or bypass the reception workflow?
- • Can an unescorted visitor simply follow ambient office motion?
- • Does anyone respond to wrong-floor or wrong-door behavior?
Challenge-Culture Tests
The best physical environments do not rely on one perfect receptionist. They create multiple opportunities for polite friction. Test whether employees, guards, and adjacent teams will question a person who looks almost right but not quite right.
| Scenario | Expected Control | What To Record |
|---|---|---|
| Visitor badge with no escort | Employee or receptionist intervenes quickly | Time to first challenge, by whom, and tone |
| Walking into a staff-only corridor | Challenge by nearby employee or access denial at the door | Whether curiosity or authority was required to stop you |
| Contractor persona without appointment clarity | Verification with known contact or work-order process | Whether the site accepted improvised details |
Phone and Desk Validation Scripts
text
goal: build enough legitimacy to open the door, not enough complexity to trap yourself
reception pretext:
"I'm here for the network closet work order that [name from OSINT] mentioned. I was told to check in here first."
if challenged for details:
- give one verifiable anchor: department, floor, vendor, or ticket type
- avoid long improvised narratives
- offer to wait while they call the point of contact
help-desk / call-back test:
"Before I head upstairs, can you confirm whether badge access is working on the third floor? I don't want to create extra churn for your team."
success criteria:
- receptionist verifies using trusted process
- employee refuses to let urgency bypass identity proofing
- site does not reward confidence alonegoal: build enough legitimacy to open the door, not enough complexity to trap yourself
reception pretext:
"I'm here for the network closet work order that [name from OSINT] mentioned. I was told to check in here first."
if challenged for details:
- give one verifiable anchor: department, floor, vendor, or ticket type
- avoid long improvised narratives
- offer to wait while they call the point of contact
help-desk / call-back test:
"Before I head upstairs, can you confirm whether badge access is working on the third floor? I don't want to create extra churn for your team."
success criteria:
- receptionist verifies using trusted process
- employee refuses to let urgency bypass identity proofing
- site does not reward confidence aloneEvidence To Collect
Capture
- • Exact words that caused trust to be granted
- • Whether identity was checked, validated, or skipped
- • Escort behavior after badge issuance
- • Number of opportunities for challenge that passed unused
Avoid
- • Naming individual employees in the final report unless the client requests it
- • Collecting unnecessary PII from badges, desks, or visitor systems
- • Escalating a persona into restricted territory the client never approved
- • Turning a test of process into an argument with front-desk staff