Section 12
⚡ Intermediate
Reference Checklists & Playbooks
This section turns the guide into an operational kit. Use these checklists before, during, and after the engagement so your physical testing stays repeatable, scoped, and useful even when the site, client, or objective changes.
Information
These checklists are starting points — tailor them for each engagement. Add client-specific items, remove what doesn't apply, and version-control your modified lists so they improve with every assessment.
Pre-Engagement Checklist
authorization
- signed rules of engagement
- explicit allowed / prohibited personas
- after-hours and law-enforcement coordination language
- emergency stop procedure and 24/7 contacts
site preparation
- target address, tenant map, and parking strategy
- floor plans or public maps if available
- staff / vendor / executive names from OSINT
- communication plan and safe words for the team
technical prep
- charge all devices and validate time sync
- prepare evidence folder structure before the engagement
- confirm what level of proof is enough: photo, badge event, workstation access, implant, or full path
Rapid Office Playbook
Phase 1: Observe
- Count entrances, cameras, and reception lines of sight
- Identify shift or lunch pressure points
- Choose the most credible entry route
Phase 2: Enter
- Use the approved persona or tailgating route
- Record the first control that grants trust
- Stay calm and keep the story short
Phase 3: Prove
- Capture the agreed objective evidence
- Avoid extra movement that does not improve the finding
- Exit cleanly and write the route while it is still fresh
Offensive Track Decision Guide
| If You See | Go To | Reason |
|---|---|---|
| Legacy 125 kHz badges, exposed readers, weak credential habits | Section 04 | Likely credential attack path with strong remediation value |
| Rushed employees, loaded hands, or weak challenge culture | Section 08 | Human friction is likely the first control to fail |
| Maglocks, REX sensors, and accessible door gaps | Section 09 | Electronic door behavior may be easier to abuse than mechanical hardware |
| Accessible conference-room ports or unattended privileged workstations | Section 05 | Entry can turn directly into internal or endpoint compromise |
Reporting Scaffold
1. Engagement context
- dates, location, scope, authorization summary
2. Attack path summary
- route used, key transitions, detection points missed
3. Findings
- visitor / social weaknesses
- badge / door weaknesses
- surveillance / response weaknesses
- post-entry exposure
4. Impact and likelihood
- what the tester reached
- what a malicious operator could reasonably do next
5. Recommendations
- quick wins in 30 days
- design fixes in 90 days
- program changes in 180 days
6. Evidence appendix
- sanitized photos
- timeline
- standards references
Use The Minimum Playbook That Fits The Site
A one-office walkthrough, a multi-building campus assessment, and a regulated facility engagement should not all feel identical. Reuse the structure, but scale the offensive depth, standards mapping, and reporting pack to the environment.