Physical Red Teaming

Why Physical Access Matters

Every firewall, every SIEM, every zero-trust architecture becomes irrelevant the moment an attacker walks through a door and plugs into the network. Physical red teaming is the discipline of testing an organization’s real-world defenses — the locks, the guards, the cameras, the badge readers, and the human behaviors that either protect or betray the perimeter.

The principle is simple: all it takes is one door. One propped-open exit, one unquestioned tailgater, one cloned badge — and the most sophisticated digital defenses are bypassed entirely. Physical access frequently leads to domain compromise in hours, not weeks.

The Convergence of Physical and Cyber Security

For decades, physical security and information security operated as separate silos — different teams, different budgets, different reporting chains. Modern red teaming exposes this gap ruthlessly. A physical breach enables cyber objectives, and cyber reconnaissance enables physical breaches. The convergence is not theoretical; it is operational reality.

Consider a typical attack chain:

  1. OSINT reveals the building’s badge system vendor from a job posting seeking an “HID iCLASS administrator.”
  2. Social media geotagging shows employees badging in at a side entrance with no mantrap.
  3. Physical reconnaissance confirms a smoking area near an unsecured door with a Proxmark-readable badge distance.
  4. Badge cloning, carried out while the reader is within range of a target employee's badge, yields a working credential for the facility.
  5. A network implant is deployed on an unmonitored port behind the reception desk.
  6. Remote access is established, and the red team pivots from physical to cyber operations.

This is not a contrived scenario — it is a pattern repeated across hundreds of real engagements. Organizations that test only their digital perimeter are testing less than half of their actual attack surface.

Physical red teaming is where security theater meets reality. The gap between what an organization thinks is secure and what actually is secure is often measured in propped-open doors and uncloned badges. — Common red team axiom

For more on how physical access integrates with broader red team methodology, see Red Team Fundamentals.


Physical Red Team Engagement Flow

The following diagram illustrates the standard methodology for a physical red team engagement, from initial scoping through final reporting.

flowchart TD
    A[Scoping & Authorization] --> B[OSINT & Remote Recon]
    B --> C[Physical Surveillance]
    C --> D[Attack Planning]
    D --> E{Entry Vector Selection}
    E --> F[Badge Cloning]
    E --> G[Lock Bypass]
    E --> H[Tailgating / SE]
    E --> I[Covert Entry]
    F --> J[Facility Access]
    G --> J
    H --> J
    I --> J
    J --> K[Internal Reconnaissance]
    K --> L[Rogue Device Deployment]
    K --> M[Document / Data Collection]
    K --> N[Photography & Evidence]
    L --> O[Remote Access Established]
    M --> P[Exfiltration]
    N --> P
    O --> P
    P --> Q[Reporting & Debrief]
    Q --> R[Remediation Support]

    style A fill:#1a1a2e,stroke:#e94560,color:#eee
    style J fill:#1a1a2e,stroke:#e94560,color:#eee
    style O fill:#1a1a2e,stroke:#e94560,color:#eee
    style Q fill:#1a1a2e,stroke:#e94560,color:#eee

Reconnaissance & Surveillance

Effective physical operations begin long before anyone approaches a building. Reconnaissance is the phase that separates professional red teams from reckless trespassers. The goal is to understand the target environment so thoroughly that entry feels rehearsed, not improvised.

OSINT for Physical Targets

Open-source intelligence is the foundation of physical reconnaissance. Before ever visiting a site, a red team should exhaust every remote information source available.

Google Maps & Street View:

  • Identify all building entrances, loading docks, and emergency exits
  • Assess parking structures and their access controls
  • Note fence lines, gate types, and perimeter barriers
  • Review historical Street View imagery to identify changes over time
  • Measure distances between observation points and target entrances

Building Plans & Public Records:

  • Many jurisdictions make building permits, floor plans, and fire escape routes publicly available
  • HVAC and electrical plans reveal drop ceiling access and cable pathways
  • Fire marshal inspection reports may detail alarm system configurations
  • Zoning applications often include detailed site plans

Social Media Geotagging:

  • Employees posting photos from inside the facility inadvertently reveal interior layouts, badge systems, camera positions, and security desk locations
  • LinkedIn profiles of security staff reveal training backgrounds and certifications
  • Job postings for security positions reveal the technologies in use (e.g., “Experience with Lenel OnGuard” or “Genetec Security Center administrator”)
  • Instagram and TikTok posts from employees frequently show badge designs, lanyards, and dress codes

Corporate Information:

  • Annual reports may include facility photographs
  • Investor presentations sometimes show data center or office layouts
  • Vendor relationships can be identified through procurement records
  • Conference presentations by facilities staff may detail security architectures

On-Site Surveillance

Once remote reconnaissance is exhausted, controlled on-site observation fills the gaps. This phase requires patience, cover stories, and careful operational security.

Perimeter Assessment:

  • Walk or drive the full perimeter, noting every door, window, and potential entry point
  • Identify camera types, angles, and blind spots — PTZ cameras vs. fixed, IR capability, dome vs. bullet
  • Map lighting conditions at different times of day and night
  • Note fence type, height, and condition (chain-link with barbed wire vs. decorative iron)
  • Identify any natural concealment (landscaping, dumpster enclosures, mechanical equipment)

Guard Patrol Patterns:

  • If uniformed security is present, observe rotation schedules and patrol routes
  • Note response times to observed events (doors propped open, unknown visitors)
  • Identify shift change times — these transitions often create windows of reduced awareness
  • Determine whether guards are armed, what communication equipment they carry, and their general alertness level

Employee Behavior Observation:

  • Which entrances do employees actually use vs. which are designated?
  • Do employees hold doors for strangers, or is there a culture of challenging unknown persons?
  • What is the dress code? Business formal, business casual, jeans and hoodies?
  • When do smokers congregate outside, and which doors do they prop open?
  • Are visitors escorted at all times, or do they roam freely after signing in?
  • What do employee badges look like — color, orientation, visible photo, lanyard color?

Timing Analysis:

  • Peak arrival and departure times (usually 7:30-9:00 and 16:30-18:00)
  • Lunch hour patterns and which doors see heavy traffic
  • After-hours activity levels — cleaning crews, late workers, security-only periods
  • Weekend patterns — skeleton staff, different access controls, alarm system schedules
  • Delivery schedules for mail, packages, food services

Badge Cloning & Access Cards

Access card systems are the primary electronic barrier to physical entry in most corporate environments. Understanding these technologies — and their weaknesses — is essential for any physical red team.

Access Card Technologies Comparison

Technology | Frequency | Security Level | Cloning Difficulty | Common Brands
125 kHz Prox | 125 kHz | Very Low | Trivial — seconds with any reader/writer | HID ProxCard, EM4100, AWID
MIFARE Classic | 13.56 MHz | Low | Easy — known crypto attacks (Darkside, Hardnested) | NXP MIFARE Classic 1K/4K
HID iCLASS | 13.56 MHz | Low–Medium | Moderate — legacy keys are known; SE variants harder | HID iCLASS, iCLASS SE
MIFARE DESFire | 13.56 MHz | Medium–High | Difficult — AES-128 encryption, diversified keys | NXP MIFARE DESFire EV1/EV2/EV3
HID SEOS | 13.56 MHz | High | Very Difficult — PKI-based, secure element | HID iCLASS SE, Mobile IDs
HID Mobile | BLE / NFC | High | Very Difficult — bound to device, cloud-managed | HID Mobile Access
LEGIC Prime | 13.56 MHz | Low–Medium | Moderate — proprietary but partially reversed | LEGIC
DESFire EV3 | 13.56 MHz | Very High | Extremely Difficult — transaction MAC, SDP | NXP DESFire EV3

125 kHz Proximity Cards

The most common — and most vulnerable — access card technology still in widespread use. HID ProxCard II and similar 125 kHz cards transmit a static credential number with zero encryption. The card simply broadcasts its ID when energized by a reader’s electromagnetic field.

Why they persist: Organizations invested heavily in 125 kHz infrastructure in the 1990s and 2000s. Replacing thousands of readers and tens of thousands of cards is expensive and disruptive. Many organizations are aware of the vulnerability but have not prioritized the migration.

Cloning process:

  1. Position a reader within range of the target card (typically 2–10 cm, but long-range readers extend this to 30+ cm)
  2. Capture the raw bitstream containing the facility code and card number
  3. Write the captured data to a blank T5577 card or equivalent
  4. The clone is functionally identical to the original — the access control system cannot distinguish between them
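Because the clone is indistinguishable at the reader, detection has to come from how the credential is used over time. The following is an added example, not code from the original article, that applies three such checks to a constructed access-control log: infeasible travel between two readers, re-entry through a perimeter door without a recorded exit (anti-passback), and first use of a reader after hours; the log format, reader names, walk times and business hours are assumptions.

```python
"""Detect possible badge cloning from access-control audit logs.

Added example, not from the original article. A cloned prox card presents
the same static facility code and card number as the original, so the
reader cannot tell them apart; these checks look at usage instead:
  1. infeasible travel: one credential granted at two readers faster than
     a person could walk between them;
  2. anti-passback: entry through a perimeter door while the credential is
     already recorded as inside (only works where exits are badged);
  3. after-hours first use: a credential granted at a reader it had never
     used before, outside business hours.
Log format, reader names, walk times and hours are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one reader event per line (UTC timestamps).
SAMPLE_LOG = """\
2024-03-04T08:02:10Z reader=LOBBY-N dir=in fc=112 card=48213 result=GRANT
2024-03-04T08:02:41Z reader=LOBBY-N dir=in fc=112 card=50991 result=GRANT
2024-03-04T08:03:05Z reader=DOCK-E dir=in fc=112 card=48213 result=GRANT
2024-03-04T12:10:30Z reader=LOBBY-N dir=out fc=112 card=50991 result=GRANT
2024-03-04T12:55:02Z reader=LOBBY-N dir=in fc=112 card=50991 result=GRANT
2024-03-04T17:40:12Z reader=LOBBY-N dir=out fc=112 card=48213 result=GRANT
2024-03-04T22:15:44Z reader=SERVER-3F dir=in fc=112 card=50991 result=GRANT
2024-03-04T22:16:01Z reader=SERVER-3F dir=in fc=112 card=77777 result=DENY
"""

PERIMETER_READERS = {"LOBBY-N", "DOCK-E"}   # doors that change inside/outside state
BUSINESS_HOURS = (7, 19)                    # assumed 07:00-19:00
MIN_WALK_SECONDS = {                        # assumed minimum walk time between readers
    frozenset({"LOBBY-N", "DOCK-E"}): 240,
    frozenset({"LOBBY-N", "SERVER-3F"}): 180,
    frozenset({"DOCK-E", "SERVER-3F"}): 300,
}

LINE_RE = re.compile(
    r"(?P<ts>\S+) reader=(?P<reader>\S+) dir=(?P<dir>in|out) "
    r"fc=(?P<fc>\d+) card=(?P<card>\d+) result=(?P<result>GRANT|DENY)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    reader: str
    direction: str
    credential: str   # "fc/card": the static value a clone reproduces exactly
    granted: bool


def parse_log(text: str) -> list[Event]:
    """Parse log lines into events, oldest first; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            reader=m["reader"],
            direction=m["dir"],
            credential=f"{m['fc']}/{m['card']}",
            granted=m["result"] == "GRANT",
        ))
    return sorted(events, key=lambda e: e.ts)


def find_anomalies(events: list[Event]) -> list[str]:
    """Return one finding string per suspicious granted event."""
    findings: list[str] = []
    last_entry: dict[str, Event] = {}        # most recent granted entry per credential
    inside: set[str] = set()                 # credentials currently inside the perimeter
    seen_readers: dict[str, set[str]] = {}   # readers each credential has used before
    for ev in events:
        if not ev.granted:
            continue   # repeated denials are worth counting too, but are out of scope here
        cred = ev.credential
        readers = seen_readers.setdefault(cred, set())
        if ev.direction == "in":
            prev = last_entry.get(cred)
            if prev is not None and prev.reader != ev.reader:
                gap = (ev.ts - prev.ts).total_seconds()
                needed = MIN_WALK_SECONDS.get(frozenset({prev.reader, ev.reader}), 0)
                if gap < needed:
                    findings.append(
                        f"INFEASIBLE_TRAVEL {cred} {prev.reader}->{ev.reader} in {gap:.0f}s")
            if ev.reader in PERIMETER_READERS:
                if cred in inside:
                    findings.append(f"ANTI_PASSBACK {cred} re-entered at {ev.reader} without exit")
                inside.add(cred)
            in_hours = BUSINESS_HOURS[0] <= ev.ts.hour < BUSINESS_HOURS[1]
            if ev.reader not in readers and not in_hours:
                findings.append(f"AFTER_HOURS_NEW_READER {cred} at {ev.reader}")
            last_entry[cred] = ev
        elif ev.reader in PERIMETER_READERS:
            inside.discard(cred)   # badged exit clears the inside state
        readers.add(ev.reader)
    return findings


def analyze(text: str) -> list[str]:
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The anti-passback check is only meaningful on doors with an exit reader; doors that release on a REX sensor alone never record an "out" event, so the inside state would accumulate false positives there.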

13.56 MHz Smart Cards

Higher-frequency smart cards introduced cryptographic protections, but implementation weaknesses have been found in many deployed technologies.

MIFARE Classic: Uses the proprietary Crypto-1 cipher, which was reverse-engineered in 2008. Multiple attacks exist (Darkside, Nested, Hardnested, Static Nonce) that can recover sector keys in seconds to minutes depending on the card variant and reader configuration.

HID iCLASS (Legacy): The original iCLASS system used a master key that was extracted and published. Cards using this legacy key can be cloned. HID responded with iCLASS SE (Secure Element) and later SEOS, which use diversified keys and stronger cryptography.

MIFARE DESFire: Uses AES-128 encryption with diversified keys per application. When properly implemented, DESFire is resistant to practical cloning attacks. However, some deployments use default or weak keys, and side-channel attacks have been demonstrated in laboratory settings against EV1.

Cloning Tools

Proxmark3 RDV4: The gold standard for access card research and red teaming. The Proxmark3 RDV4 is a software-defined RFID tool that supports both low-frequency (125 kHz) and high-frequency (13.56 MHz) protocols.

Key capabilities:

  • Read, emulate, and clone 125 kHz cards (HID Prox, EM4100, Indala, AWID, Viking)
  • Execute cryptographic attacks against MIFARE Classic (Darkside, Nested, Hardnested)
  • Read and emulate iCLASS legacy credentials
  • Brute-force sector keys on improperly configured smart cards
  • Stand-alone mode for covert field operations without a connected laptop
  • Long-range antenna options for increased read distance

Flipper Zero: A portable multi-tool with integrated 125 kHz and 13.56 MHz RFID capabilities. While less powerful than the Proxmark3 for advanced attacks, the Flipper Zero excels at quick reads and emulation of common card types. Its innocuous appearance and pocket-friendly form factor make it useful for covert operations.

Capabilities relevant to physical red teaming:

  • Read and emulate 125 kHz cards (HID Prox, EM4100, Indala)
  • Read MIFARE Classic UIDs and emulate (full clone requires external tools for key recovery)
  • iButton reader/emulator for older access systems
  • Sub-GHz radio for garage doors, gates, and wireless alarm systems
  • IR transmitter for HVAC controls, displays, and AV equipment in sensitive areas

Keysy: A simple, credit-card-sized device that reads and stores up to four 125 kHz credentials. No laptop required, no technical knowledge needed. Press a button to read, press a button to write to a blank card. Its simplicity is its strength — it can be operated in a pocket during a handshake or brief social interaction.

Long-Range Readers: Custom-built or commercially available readers that extend the capture range for 125 kHz cards to 30–90 cm (compared to the standard 2–10 cm). These are typically concealed in a bag or backpack and operated while walking past or standing near a target. Effective in elevators, queues, public transit, and any situation where close proximity is natural.

Badge Harvesting Strategies

The best badge reader is useless without a target card in range. Successful harvesting requires understanding employee behavior and identifying opportunities for proximity.

  • Elevator positioning — Stand behind a badged employee and position your reader near their hip or lanyard
  • Coffee shop surveillance — Employees at nearby cafes often leave badges clipped to belts or lying on tables
  • Smoking area approach — Strike up casual conversation while a concealed reader captures the badge on their lanyard
  • Lobby interaction — Pretend to fill out a visitor form while a reader in your bag captures badges of passing employees
  • Conference/event targeting — Corporate events and conferences where employees wear badges openly
  • Gym/fitness center — Many employees leave badges in lockers or gym bags at corporate fitness facilities

Lock Picking & Bypass

When electronic access controls are not viable targets, mechanical locks often provide an alternative entry path. Most commercial buildings rely on a combination of electronic and mechanical locks, and the mechanical systems are frequently the weaker link.

Lock Types and Vulnerability

Pin Tumbler Locks: The most common lock type in commercial and residential settings. A series of spring-loaded pin stacks must be lifted to the correct height by the key’s bitting. Vulnerabilities include single-pin picking (SPP), raking, bumping, impressioning, and decoding.

Security-rated pin tumbler locks (Medeco, Mul-T-Lock, Abloy Protec) incorporate additional mechanisms — rotating pins, telescoping pins, or sidebar systems — that dramatically increase pick resistance. However, many commercial buildings use standard Schlage or Kwikset hardware with minimal security features.

Wafer Locks: Common in filing cabinets, desks, low-security padlocks, and some vehicle locks. Generally easier to pick than pin tumbler locks due to simpler internal mechanisms. Many can be raked open in seconds.

Disc Detainer Locks: Found in high-security padlocks (Abloy, ABUS), vending machines, and some European door locks. Disc detainer locks use rotating discs rather than pins. Traditional picks do not work; specialized disc detainer picks (such as those from Sparrows or the Abloy-specific tools) are required. Picking difficulty varies significantly by brand and model.

Electronic Locks: Keypads, smart locks, and electromechanical locks add a layer of digital access control to a mechanical lock body. Vulnerabilities include default codes, shoulder-surfing PINs, brute-forcing short codes, and exploiting the mechanical bypass that most electronic locks include for battery-failure scenarios.

Picking Techniques

Single Pin Picking (SPP): The fundamental technique. Apply light rotational tension to the cylinder using a tension wrench, then manipulate each pin individually with a pick until all pins reach the shear line. Requires practice and tactile sensitivity. On standard commercial locks, an experienced picker can open most in 30–120 seconds.

Raking: Insert a rake pick (bogota, snake, city rake) and rapidly move it in and out while applying tension. The random movement bounces pins to the shear line by chance. Fast but unreliable on security pins (spools, serrated, mushroom). Effective as a first attempt before committing to SPP.

Bumping: A specially cut “bump key” is inserted and struck sharply while light tension is applied. The impact energy transfers through the key pins to the driver pins, momentarily separating them at the shear line. Highly effective against standard pin tumbler locks. Bump-resistant pins (spools, serrated) reduce but do not eliminate the threat.

Impressioning: A blank key is inserted, tension is applied, and the key is manipulated to create marks from the binding pins. These marks are filed down iteratively until a working key is produced. Time-consuming (15–45 minutes) but produces a working key rather than a one-time pick.

Bypass Techniques

Sometimes the lock itself is not the weakest point. Physical bypass techniques target the door, frame, or locking mechanism directly.

Latch Slipping (Loiding): Sliding a flexible tool (credit card, shim, specialized loid tool) between the door and frame to push back the spring-loaded latch. Effective against doors without a deadbolt or anti-loid latch guard. An alarming number of commercial interior doors are vulnerable.

Under-Door Tools: A rigid tool slid under the gap between the door and floor, with a hook that reaches up to depress the interior door handle. Effective against doors with lever handles and sufficient gap (typically 5mm+). Commercial under-door tools are available from locksmith suppliers.

Shims: Thin metal strips inserted into padlock shackles to depress the locking pawls without picking the cylinder. Most standard padlocks are vulnerable. Higher-security padlocks include anti-shim features.

Hinge Removal: Outward-opening doors with exposed hinges can have their hinge pins removed, allowing the door to be lifted off its frame. Security hinges with non-removable pins or set screws prevent this, but many installations use standard hinges.

Electric Strike Bypass: Some electric strikes fail in the “unlocked” position during power loss (fail-safe). If power to the strike can be interrupted — by locating and cutting the low-voltage wire, or by tripping a breaker — the door may open without any credential.

Request-to-Exit (REX) Sensor Exploitation: Many doors equipped with electronic access control include passive infrared (PIR) sensors on the interior side to allow free egress without a badge tap. These sensors can sometimes be triggered from outside by sliding a thin tool or inflatable bladder through the door gap to create motion in the sensor’s field of view.


Tailgating & Social Engineering

Human behavior is consistently the weakest link in physical security. Tailgating — following an authorized person through a controlled door — is the most reliable physical entry technique, requiring no technical equipment whatsoever.

Tailgating Techniques

The Hands-Full Approach: Carry a stack of boxes, a tray of coffee cups, or a laptop bag in each hand. Approach a badge-controlled door just as an employee reaches it. Most people will instinctively hold the door for someone whose hands are full. Express gratitude and walk in confidently.

The Phone Call: Arrive at the door while appearing deeply engaged in a phone conversation (real or simulated). The social pressure to avoid interrupting someone on a call often prevents employees from challenging you. Combine with business attire for maximum effectiveness.

The Follow-Through: Simply walk closely behind someone through a controlled door as if you belong. In busy lobbies during peak hours, the sheer volume of people moving through doors makes individual challenges unlikely. Confidence and appropriate attire are the only requirements.

The Smoke Break Return: Join employees at the designated smoking area. When the group heads back inside, walk in with them. You have already established social rapport during the break; asking to see your badge would feel rude in context.

Pretexting for Physical Access

A solid pretext — a believable reason for being in the building — is essential for any social engineering-based entry. The best pretexts are difficult to verify in real time and create a sense of urgency or authority.

Delivery Person: Wear a generic polo shirt, carry a clipboard and packages. Food delivery (DoorDash, UberEats) requires no uniform at all — just an insulated bag and a phone showing a delivery app. Building staff are accustomed to letting delivery drivers in without challenge.

IT Technician: Carry a laptop bag, wear a polo shirt with a generic or vendor-specific logo, and reference a “ticket” for network or printer issues. IT visits are routine enough that most employees accept them without question. Arrive during business hours and approach the front desk with confidence: “Hi, I’m here from [vendor] to look at the network switch on the third floor. Your IT team should have a ticket — [reference number].”

Inspector / Auditor: Fire inspectors, health inspectors, insurance assessors, and regulatory auditors all have legitimate reasons to access facilities with minimal notice. This pretext carries implicit authority — refusing an “inspector” feels like a compliance risk. Carry a clipboard, wear business casual, and use industry-specific terminology.

HVAC / Maintenance Contractor: Coveralls or a work uniform, a tool bag, and a reference to a service call provide access to mechanical rooms, server closets, and utility areas. These spaces frequently contain network infrastructure and are less monitored than office areas.

Uniform and Props

The right appearance eliminates 90% of challenges before they occur. Key elements:

  • Lanyard and badge holder — Even a blank badge in a clear holder on a lanyard signals “I belong here” at a glance
  • Clipboard — Universally signals authority and purpose
  • High-visibility vest — Grants near-universal access to construction sites, loading docks, and utility areas
  • Branded polo shirt — A $15 custom embroidered polo with a vendor logo dramatically increases credibility
  • Tool bag or laptop bag — Appropriate to the pretext and provides storage for equipment

Mantrap Bypass

Mantraps (security vestibules that require authentication on both sides) are designed specifically to prevent tailgating. However, bypass options exist:

  • Piggybacking with an employee — Some mantraps are sized for two people and only require one badge tap. Social engineer an employee into sharing the vestibule
  • Requesting assistance — “My badge isn’t working, can you let me through?” is surprisingly effective
  • Delivery pretext — Large deliveries may bypass the mantrap entirely via an alternate route
  • Emergency exit exploitation — Mantraps often have emergency release mechanisms that can be triggered

Covert Entry Techniques

When social engineering is not viable — perhaps the target has a strong security culture or limited staffing — covert entry bypasses human observation entirely. These techniques are typically used after hours, when the building is unoccupied or minimally staffed.

After-Hours Entry Considerations

Alarm Systems:

  • Determine whether the building has a centralized alarm and what type (monitored vs. local only)
  • Identify alarm panel location (usually near the main entrance) and type (DSC, Honeywell, Bosch)
  • Window and door sensors are typically magnetic reed contacts — they can be defeated by placing a magnet adjacent to the sensor before opening the door/window
  • Glass break sensors trigger on specific frequencies; cutting glass rather than breaking it may bypass them

Motion Detectors:

  • Passive Infrared (PIR): Detects changes in infrared radiation (body heat). Can be defeated by moving extremely slowly (below the detection threshold), using a thermal blanket/shield, or exploiting dead zones in coverage
  • Microwave sensors: Detect motion via Doppler shift. Harder to defeat than PIR, but they have defined coverage patterns with potential blind spots
  • Dual-technology sensors: Require both PIR and microwave triggers to alarm. More resistant to false alarms and bypass techniques, but coverage gaps may still exist
  • Ultrasonic sensors: Rarely used in commercial settings due to high false-alarm rates

Entry Points:

Window Access:

  • Ground-floor windows are often latched rather than locked — a thin tool can release the latch from outside
  • Second-floor windows are frequently left unlocked under the assumption that height provides security
  • Emergency window releases on higher floors may be accessible from fire escapes

Roof Access:

  • Roof access doors and hatches are frequently unsecured or secured with wafer locks
  • Ladder access points on the exterior of buildings often lack anti-climb measures
  • HVAC penetrations through the roof can provide alternative entry points
  • Adjacent buildings with lower rooflines may provide access to higher roofs

Loading Dock Exploitation:

  • Loading docks often operate on timers and may remain unlocked during expected delivery windows
  • Roll-up doors can sometimes be lifted manually when the motor is disengaged
  • Pedestrian doors in loading dock areas frequently have inferior access controls compared to main entrances
  • Dock areas often connect directly to building interiors without additional access controls

Rogue Device Deployment

The convergence point of physical and cyber red teaming: placing network-connected devices inside the target environment that provide persistent remote access, wireless attack platforms, or credential harvesting capabilities.

Rogue Device Comparison

Device | Purpose | Size | Battery Life | Detection Risk | Approximate Cost
LAN Turtle | Network implant (SSH, DNS spoof, responder) | USB adapter size | Powered via USB/PoE | Low — resembles Ethernet adapter | $60
WiFi Pineapple | Wireless attack platform (evil twin, deauth, capture) | Small router size | 1–3 hours (battery), unlimited (AC) | Medium — visible if not concealed | $120–$300
Raspberry Pi Drop Box | Full Linux implant (C2, pivoting, scanning) | Credit card + case | 4–8 hours (battery pack) | Medium — requires hiding spot | $50–$100
Cellular Implant (Pi + 4G) | Out-of-band C2 via cellular network | Slightly larger than Pi | 3–6 hours (battery), unlimited (AC) | Low — no network traffic anomaly | $100–$200
USB Rubber Ducky | Keystroke injection | USB flash drive | N/A — powered by target | Low — looks like flash drive | $80
Bash Bunny | Multi-payload USB attack (exfil, reverse shell, creds) | Slightly larger than a flash drive | N/A — powered by target | Low — looks like flash drive | $120
O.MG Cable | Keystroke injection via charging cable | USB cable | Weeks (standby) | Very Low — looks like normal cable | $120–$180
Power Strip Implant | Network tap or WiFi AP hidden in power strip | Power strip | Unlimited — mains powered | Very Low — appears to be power strip | $200+ (custom)

Deployment Strategies

The best implant is useless if it is discovered in the first hour. Placement is critical.

Network Implants (LAN Turtle, Drop Box):

  • Behind monitors or under desks in common areas — conference rooms are ideal because they are unoccupied most of the time
  • Network closets and server rooms — plug into an open switch port where another device is unlikely to attract attention
  • Printer areas — the tangle of cables behind shared printers conceals additional devices
  • Behind mounted TVs in lobbies or break rooms — powered and connected, rarely inspected
  • Connect to a DHCP-enabled port and ensure the device phones home to your C2 infrastructure via an encrypted channel

USB Attack Devices (Rubber Ducky, Bash Bunny, O.MG Cable):

  • Leave USB drives labeled “Confidential — Q4 Financials” or “Employee Bonuses” in parking lots, break rooms, and restrooms
  • Deploy O.MG cables at charging stations or on desks where employees might use a convenient cable
  • Target shared workstations (reception, print stations, conference rooms) where the device can execute its payload with access to a logged-in session

Wireless Implants (WiFi Pineapple):

  • Place in a ceiling tile with an AC adapter for continuous power
  • Deploy in an IT closet where wireless equipment is expected
  • Disguise as a consumer access point with a plausible SSID (e.g., the corporate guest network name)

Device Configuration Best Practices

  • Configure all implants with encrypted reverse callbacks, not listeners — egress filtering is typically more permissive than ingress
  • Use DNS or HTTPS for C2 communication to blend with legitimate traffic
  • Set a self-destruct timer or remote wipe capability to prevent evidence persistence
  • Test all payloads in the lab before field deployment — a failed payload in the field wastes the physical access you worked hard to obtain
  • Ensure devices automatically reconnect if power or network connectivity is interrupted

For more on how initial access techniques overlap with physical implant strategies, see Initial Access & Social Engineering.


Dumpster Diving

One of the oldest and most underestimated information-gathering techniques, dumpster diving involves searching an organization’s discarded materials for sensitive information, credentials, hardware, and intelligence that supports further operations.

What to Look For

Documents:

  • Printed emails, memos, and meeting notes
  • Network diagrams, IP address lists, and system documentation
  • Employee directories and organizational charts
  • Financial records, contracts, and legal documents
  • Handwritten notes with passwords, PINs, or access codes
  • Shredded documents (cross-cut shredding is far more effective than strip-cut; strip-cut documents can be reconstructed)

Hardware and Media:

  • Hard drives, USB drives, and optical media that were discarded rather than properly destroyed
  • Old phones, tablets, and laptops — even “wiped” devices may contain recoverable data
  • Printed circuit boards or prototype hardware from R&D organizations
  • Old access badges that may still be active or may reveal badge format details

Operational Intelligence:

  • Shipping labels and vendor invoices reveal supply chain relationships
  • Building maintenance records provide insight into facility systems
  • Calendar printouts expose meeting schedules and visitor patterns
  • Discarded post-it notes from workstations frequently contain credentials

Operational Approach

  • Timing: Conduct dumpster diving during early morning hours or late at night to minimize observation
  • Location: Target dumpsters and recycling bins behind the facility, especially in secured waste enclosures with minimal surveillance
  • Equipment: Bring gloves, a flashlight, garbage bags for sorting, and a change of clothes
  • Legality: In many jurisdictions, once materials are placed in a public-access dumpster, they are considered abandoned property. However, dumpsters on private property or within secured areas may be subject to trespassing laws — always verify with legal counsel and ensure explicit authorization in the rules of engagement
  • Documentation: Photograph documents in place before removing them, and maintain a chain of custody for all recovered materials

Physical Red Team Methodology

Planning & Scoping

Every physical engagement begins with careful planning that addresses legal, safety, and operational concerns. Unlike digital penetration testing, physical red teaming involves real-world consequences — arrest, injury, and confrontation are all possible if planning is inadequate.

Scope Definition:

  • Which facilities are in scope? Specific buildings, floors, or areas?
  • What actions are authorized? Entry only? Device deployment? Document photography? Removal of items?
  • What are the explicit boundaries? Areas or actions that are off-limits?
  • What time windows are authorized? Business hours only, or after-hours as well?
  • Are employees to be socially engineered, or is the test limited to technical bypasses?

Legal Framework:

  • Trespassing laws vary significantly by jurisdiction. What constitutes criminal trespass in one state or country may be a civil matter in another. Understand the local legal landscape before planning any operation.
  • In some jurisdictions, possession of lock picks or electronic bypass tools is restricted or requires licensing.
  • Social engineering employees may raise harassment or fraud concerns depending on the techniques employed.
  • Photography restrictions may apply in government facilities, financial institutions, or locations near classified areas.

Authorization Documentation

The “Get Out of Jail Free” Letter: This document — carried by every team member during the operation — serves as proof that the red team is authorized to be on premises and performing the actions in question. It must include:

  • Authorizing executive’s name and title — Must have authority over physical security decisions
  • Explicit description of authorized activities — Entry, badge cloning, lock picking, device deployment, etc.
  • Date range of the engagement
  • Facility addresses in scope
  • Team member names (or team lead with authority to designate)
  • 24/7 emergency contact — An executive or security director who can confirm authorization on the spot
  • Signatures — Both the authorizing executive and the red team lead

Critical: This letter must be physically carried during all operations. Digital copies are insufficient — if law enforcement confiscates your phone, you need paper documentation. Multiple copies should be distributed among team members.

Safety Considerations

Physical red teaming introduces safety risks that digital operations do not:

  • Armed security — Some facilities employ armed guards. Any escalation must be avoided; the team must de-escalate immediately if confronted by armed security
  • K-9 units — Security dogs are unpredictable. If K-9 units are present and the team is discovered, freeze and comply with handler instructions
  • Law enforcement response — If police are called, comply immediately, present authorization documentation, and request that they contact the emergency number on the letter
  • Physical hazards — Roof access, climbing, and confined spaces introduce fall, electrical, and environmental risks
  • Team medical readiness — At least one team member should have basic first aid training; carry a first aid kit

Emergency Procedures

Before every operation, the team must establish:

  • Abort signal — A specific word, phrase, or radio code that means “stop all operations immediately and exit”
  • Rally point — A predetermined meeting location if the team becomes separated
  • Communication plan — Primary (cell phones), secondary (radio), and tertiary (pre-established time-based check-in) communication methods
  • Cover stories — Each team member should have a rehearsed, consistent story for why they are present if challenged
  • Escalation matrix — Who to call first (team lead), second (client emergency contact), third (legal counsel) if a team member is detained

Team Communication During Operations

  • Use encrypted communications (Signal, encrypted radio channels) for all operational chatter
  • Establish check-in intervals (every 15–30 minutes depending on risk level)
  • Use code words for key events: “package delivered” (device deployed), “window shopping” (conducting surveillance), “heading home” (exiting facility)
  • Maintain a real-time log of all team member locations and status
  • Designate one team member as the external coordinator who remains outside the facility and maintains situational awareness

Documentation & Evidence

Thorough documentation transforms a physical red team engagement from “we got in” to a compelling, actionable report that drives security improvements. Every action must be recorded as it happens — memory is unreliable and details fade fast.

Photography & Video Requirements

Mandatory Documentation Points:

  • Every entry point used, including close-ups of the access control mechanism
  • Every vulnerability exploited (propped doors, unlocked windows, unsecured areas)
  • Network ports where devices were deployed, including surrounding context
  • Badge readers and the specific cloned badge used at each
  • Any sensitive documents, screens, or information visible in common areas
  • Timestamp evidence (include a phone screen with time visible in key photos)

Technical Considerations:

  • Disable flash — a camera flash in a dark building at 2 AM draws attention
  • Use silent or vibrate modes on all devices
  • Video is more compelling than photos for demonstrating how easy an entry was
  • Body cameras provide continuous documentation without requiring the operator to pause and photograph
  • Ensure all devices are charged before the operation; a dead camera is worthless

Timestamped Logging

Maintain a real-time log with entries for every significant action:

[2026-03-15 22:15] Team assembled at rally point, equipment check complete
[2026-03-15 22:30] Arrived at target facility, began perimeter observation
[2026-03-15 22:45] Identified propped door at northeast loading dock
[2026-03-15 22:52] Entered facility via loading dock door - no badge required
[2026-03-15 22:58] Located network closet on first floor, door unlocked
[2026-03-15 23:05] Deployed LAN Turtle on switch port 24, confirmed C2 callback
[2026-03-15 23:12] Photographed server room access - door propped with wedge
[2026-03-15 23:20] Exited facility via same loading dock door
[2026-03-15 23:25] Confirmed remote access to LAN Turtle from team vehicle
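A small checker for this log format, added here as an example and not code from the original article. It parses the bracketed-timestamp convention shown above, surfaces malformed lines instead of silently dropping them, flags entries whose timestamp runs backwards (a backwards jump usually means an entry was reconstructed from memory after the fact and should be marked as such in the report), and computes the two numbers a report reviewer asks for first: a T+ timeline relative to the first entry and the minutes spent inside the facility. The "Entered facility" / "Exited facility" phrases used to detect entry and exit are assumptions about how the team words its log; the embedded sample is the log above.

```python
import re
from datetime import datetime

# Matches the log convention used above: "[YYYY-MM-DD HH:MM] free-text message".
LOG_LINE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]\s+(.+)$")
TIMESTAMP_FMT = "%Y-%m-%d %H:%M"

# Sample input embedded so the script runs offline: the engagement log shown above.
SAMPLE_LOG = """\
[2026-03-15 22:15] Team assembled at rally point, equipment check complete
[2026-03-15 22:30] Arrived at target facility, began perimeter observation
[2026-03-15 22:45] Identified propped door at northeast loading dock
[2026-03-15 22:52] Entered facility via loading dock door - no badge required
[2026-03-15 22:58] Located network closet on first floor, door unlocked
[2026-03-15 23:05] Deployed LAN Turtle on switch port 24, confirmed C2 callback
[2026-03-15 23:12] Photographed server room access - door propped with wedge
[2026-03-15 23:20] Exited facility via same loading dock door
[2026-03-15 23:25] Confirmed remote access to LAN Turtle from team vehicle
"""


def parse_log(text):
    """Parse log text into (entries, bad_lines).

    entries   : list of (datetime, message) in file order
    bad_lines : list of (line_number, raw_line) that did not match the format or
                carried an impossible date, so nothing is silently dropped.
    """
    entries, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            bad_lines.append((lineno, line))
            continue
        try:
            ts = datetime.strptime(m.group(1), TIMESTAMP_FMT)
        except ValueError:  # regex shape is right but the date is invalid (e.g. month 13)
            bad_lines.append((lineno, line))
            continue
        entries.append((ts, m.group(2)))
    return entries, bad_lines


def out_of_order(entries):
    """Indices of entries whose timestamp is earlier than the previous entry's."""
    return [i for i in range(1, len(entries)) if entries[i][0] < entries[i - 1][0]]


def timeline(entries):
    """Express each entry as whole minutes elapsed since the first entry (T+)."""
    if not entries:
        return []
    start = entries[0][0]
    return [(int((ts - start).total_seconds() // 60), msg) for ts, msg in entries]


def minutes_inside(entries, entry_re=r"\bEntered facility\b", exit_re=r"\bExited facility\b"):
    """Minutes between the first 'entered' entry and the next 'exited' entry, or None.

    The entry/exit phrases are assumptions about how the team words its log.
    """
    entry_ts = None
    for ts, msg in entries:
        if entry_ts is None and re.search(entry_re, msg):
            entry_ts = ts
        elif entry_ts is not None and re.search(exit_re, msg):
            return int((ts - entry_ts).total_seconds() // 60)
    return None


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    for offset, msg in timeline(entries):
        print(f"T+{offset:3d} min  {msg}")
    print("out-of-order entries:", out_of_order(entries))
    print("malformed lines:", bad)
    print("minutes inside facility:", minutes_inside(entries))
```

Run it against the exported log before writing the report; any index reported by `out_of_order` or any line in `bad_lines` is something the team lead should reconcile with the body-camera footage rather than quietly fix.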

Evidence Chain

For findings to be credible and actionable:

  • Document who captured each piece of evidence and when
  • Use unedited original files — metadata (EXIF data) provides tamper evidence
  • Store evidence on encrypted media with restricted access
  • Maintain a log of evidence handling — who had custody at what time
  • Back up all evidence before leaving the vicinity of the target
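The hashing and custody manifest below is an added example, not code from the article; it shows one way to make the evidence chain verifiable rather than merely asserted. Each original file is hashed with SHA-256 at backup time, the set of records is sealed with a digest of its canonical JSON so the manifest itself cannot be quietly rewritten, custody hand-offs are appended beside the hashes, and a later verification run classifies every file as ok, modified, missing or untracked. The operator names, file names and directory layout in `demo()` are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large video files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _seal(records):
    """Digest over canonical JSON of the records; editing any record changes the seal."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(evidence_dir, captured_by):
    """Hash every original file under evidence_dir and record who sealed it and when."""
    sealed_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    records = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            records.append({
                "file": os.path.relpath(path, evidence_dir).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
                "captured_by": captured_by,
                "sealed_at": sealed_at,
            })
    return {"records": records, "custody": [], "seal": _seal(records)}


def record_transfer(manifest, from_person, to_person, when=None):
    """Append a custody hand-off so the who-had-it-when trail lives beside the hashes."""
    manifest["custody"].append({
        "from": from_person,
        "to": to_person,
        "at": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
    })


def verify_manifest(evidence_dir, manifest):
    """Re-hash the directory against the manifest.

    Returns (seal_ok, statuses): seal_ok is False if the records were altered
    after sealing; statuses maps each file to 'ok', 'modified', 'missing' or 'untracked'.
    """
    seal_ok = _seal(manifest["records"]) == manifest["seal"]
    expected = {r["file"]: r["sha256"] for r in manifest["records"]}
    statuses = {}
    for rel, digest in expected.items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            statuses[rel] = "missing"
        else:
            statuses[rel] = "ok" if sha256_file(path) == digest else "modified"
    for root, _, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir).replace(os.sep, "/")
            if rel not in expected:
                statuses[rel] = "untracked"
    return seal_ok, statuses


def demo():
    """Constructed walk-through: seal two files, then detect a post-capture edit,
    an untracked addition, and a rewritten manifest record."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "IMG_0001.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0 constructed placeholder, not a real photo")
        with open(os.path.join(d, "ops_log.txt"), "w") as f:
            f.write("[2026-03-15 22:52] Entered facility via loading dock door\n")
        manifest = build_manifest(d, captured_by="operator-1")  # hypothetical operator name
        record_transfer(manifest, "operator-1", "team-lead")
        before = verify_manifest(d, manifest)
        with open(os.path.join(d, "IMG_0001.jpg"), "ab") as f:  # simulate later editing
            f.write(b" cropped")
        with open(os.path.join(d, "notes.txt"), "w") as f:  # a file added after sealing
            f.write("added later\n")
        after = verify_manifest(d, manifest)
        manifest["records"][0]["sha256"] = "0" * 64  # simulate tampering with the manifest
        seal_after_tamper = verify_manifest(d, manifest)[0]
    return before, after, seal_after_tamper


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This complements the EXIF point above rather than replacing it: EXIF records when and on what device a photo was taken, while the hash proves the bytes were not altered after the manifest was sealed. Store the manifest on the same encrypted media as the evidence, and keep a second copy with the team lead.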

Reporting Physical Findings

A physical red team report must go beyond “we got in” to demonstrate business impact. Structure findings to answer the question every executive asks: “So what?”

Finding Format:

  1. Vulnerability — What was the weakness? (e.g., “Loading dock door propped open after hours”)
  2. Exploitation — How was it exploited? (e.g., “Team entered through propped door without any credential or interaction”)
  3. Evidence — Photo/video with timestamp
  4. Impact — What could an attacker do? (e.g., “Attacker gained access to first-floor network closet and could deploy a persistent backdoor with full network access”)
  5. Risk Rating — Based on likelihood and impact
  6. Recommendation — Specific, actionable remediation (e.g., “Install door-prop alarm on loading dock exit, integrate with security monitoring”)

Demonstrating Business Impact:

Physical access findings are most compelling when linked to cyber outcomes:

  • “We cloned a badge, entered the building, and deployed a network implant that gave us domain admin within 4 hours” — this connects physical weakness to total compromise
  • “We recovered printed credentials from the recycling bin that provided VPN access to the production environment” — this connects poor document handling to data breach risk
  • “We tailgated into the data center and had unescorted access to all server racks for 45 minutes” — this demonstrates physical access to the organization’s crown jewels

For examples of how physical red team findings are documented in real engagement reports, see Real Engagements & Case Studies.


Practical Tips from the Field

These tips are drawn from patterns observed across numerous physical red team engagements.

Preparation:

  • Always visit the target at least once as a normal visitor before the operation — sign in as a guest, attend a public event, or visit a co-located business. First-hand observation is irreplaceable.
  • Prepare multiple entry strategies ranked by risk. If Plan A fails, transition immediately to Plan B without hesitation in the field.
  • Pack a “bail-out bag” with your authorization letter, ID, phone with emergency contacts, and a change of clothes. Leave it in the vehicle.
  • Test all equipment the night before. Badge cloners, radios, implants, cameras — if it can fail, verify it works.

During the Operation:

  • Confidence is everything. Walk with purpose, make eye contact, greet people. Hesitation and evasive behavior trigger suspicion far more than being in the wrong area.
  • If challenged, respond immediately with your prepared pretext. The first three seconds determine whether you are believed or reported.
  • Do not linger in any area longer than necessary. Get in, accomplish the objective, document it, and move to the next target or exit.
  • Keep your hands visible at all times. Reaching into pockets or bags while walking through a facility triggers security instincts in observers.
  • If a technique is not working, abandon it. Do not force entry — an alarm triggered by a failed pick is far worse than trying a different door.

Behavioral Patterns to Exploit:

  • Employees arriving before 7:00 AM are usually groggy and less likely to challenge someone at the door.
  • The 30 minutes after shift change are chaotic — security staff are catching up on handoff notes and less attentive to cameras.
  • Rain and cold weather reduce the likelihood that smokers will linger at exterior doors, but increase the probability that doors are propped open to avoid re-badging.
  • Friday afternoons have the lowest security vigilance of the business week.
  • Cleaning crews are often overlooked as social engineering targets, but they frequently have master access to all areas of a building.

Avoiding Detection:

  • Dress one level above what you observe employees wearing. Slightly overdressed reads as “visitor” or “management,” both of which discourage challenges.
  • Carry a clipboard or tablet. People with clipboards are assumed to be performing an inspection or audit.
  • Never run. Walking quickly is fine; running triggers alarm responses in security personnel and employees alike.
  • If you deploy a device, check it once remotely and then do not return to it unless absolutely necessary. Each visit to the device doubles the risk of discovery.

Key Takeaways

Physical red teaming reveals the gap between an organization’s assumed security posture and its actual resilience to a motivated attacker with physical access. The most sophisticated digital defenses are rendered meaningless by a propped-open door, a cloned badge, or a convincing pretext.

Core principles to carry forward:

  1. Physical and cyber security are inseparable. Every red team assessment should consider the physical attack surface alongside the digital one.
  2. Reconnaissance drives success. The more time invested in surveillance and OSINT, the fewer surprises arise during execution.
  3. Human behavior is the primary vulnerability. Tailgating, pretexting, and social engineering succeed because humans are conditioned to be helpful, not suspicious.
  4. Authorization and safety are non-negotiable. Every physical operation must have explicit written authorization and established safety procedures. The consequences of operating without them are career-ending.
  5. Documentation is the deliverable. The physical breach is the means; the report that drives remediation is the end.
  6. Practice relentlessly. Lock picking, badge cloning, social engineering, and covert movement are all perishable skills that degrade without regular practice.

Physical red teaming is among the most demanding and rewarding disciplines in offensive security. It requires technical expertise, social intelligence, physical fitness, legal awareness, and operational planning skills that few other specialties demand in combination. Master it, and you will see security through a lens that most practitioners never experience.