Testing Powered by a Proven Methodology

Engagements are scoped to your site-specific physical security controls.

Testing Goals, Objectives and Rules of Engagement Are Agreed

Your dedicated Physical Penetration Testing Team Leader will begin by meeting with your business stakeholders and agreeing on the specific goals, objectives and estimated timelines for the test. A typical test usually takes place over 2-3 weeks.

Agreed Rules of Engagement are documented, stating any prohibited attacks or tools to be used in the test and any specific location(s), personnel, business processes or access controls which should be considered out of scope. Additionally, security key performance indicators or metrics required are defined.

Open-Source Intelligence is Collected & Assessed

All available open-source intelligence (OSINT) associated with the business operating locations in the scope of testing is collected.

Publicly available information from aerial photography, land and building surveys to building floor plans and heating, ventilation & air conditioning system schematics shall be obtained and analysed for potential points of entry.

The Testing Team may travel to locations in scope to observe and record perimeter barriers, parking conditions and points of building entry and exits. OSINT is also gathered on key stakeholders and staff to be assessed for use in conducting social engineering attacks.


Customised Attack Scenarios Are Created

Testers design customised attack scenarios simulating real-world threat actor tactics, techniques, and procedures (TTPs) to exploit potential weaknesses and attack vectors identified by the OSINT collected.

Attack scenarios shall be designed to bypass existing physical security access controls in place and gain unauthorised and undetected access to the locations and systems in scope. Attacks shall target people, processes, and technology in scope and include social engineering techniques.

Attacks Are Conducted and Evidence Documented

Testers execute the TTPs chosen to penetrate the facility, connect to systems, remove targeted information assets and exit undetected. Testing is conducted during both working and after-work hours. Typical attack scenarios include:

  • Bypassing Perimeter Physical Barriers
  • Bypassing Guards & Surveillance Systems
  • Bypassing Physical Access Controls
  • Bypassing Reception Access & Visitor Controls
  • Bypassing & Social Engineering Staff

Audio and video evidence of attacks is collected by testers to provide evidence of penetrations.

Findings Are Presented to Key Stakeholders

We believe knowledge transfer is essential. The testing report is presented in a workshop to ensure the understanding of the findings and the risks associated with hosting the business information assets on the platform.

Testing Covers Your Existing Building Access Controls

Security engineers simulate threat actor risk scenarios using real-world techniques, including but not limited to:

Personnel & Employees

Attempt to evade employees and security personnel through social engineering attacks, tailgating and fake identification cards

Physical Barriers

Attempt to gain access through restricted access points and secured perimeter

Alarm Systems & Sensors

Attempt to bypass alarmed security systems without triggering alarms

Electronic Access Controls

Attempt to bypass or deceive turnstiles, badge readers and biometric systems

Video Surveillance Systems

Access or trigger security cameras (CCTV) to assess security personnel’s responses

Clients Come to Risk Crew for Expertise & Stay for Exceptional Service

This popular on-demand service is designed to ensure that your business gets the exact number of resources it needs to meet data protection laws. Our consultants fully embrace your organisational culture and adopt a proactive stance towards meeting your needs, rather than merely reacting to them.

We Don’t Sell Products, We Sell Results.

✓ Competitive and Transparent Pricing

Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.

✓ Experienced Experts

Risk Crew has over 30 years of experience. Our information security experts hold CBSP, C√SS, CREST, C|EH and GIAC credentials.

✓ In-depth Reporting

Our comprehensive report details specific vulnerabilities identified on the platform, how they were identified, methods and tools used to identify them and visual evidence, if applicable.

✓ 100% Satisfaction Guarantee

We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.

Secure Your Facilities Today

Ensure customer data, intellectual property, and security systems are sufficiently protected from physical intrusion. Speak to one of the Crew today to find out how we can help.

You can also call us at +44 (0) 02 3653 1234 and one of our experts will guide you down your path to secure your information assets.



Frequently Asked Questions

Why is physical penetration testing important?

It helps uncover security weaknesses you hadn’t spotted, from ineffective door locks to guards who are distracted. It helps validate your company’s physical security and spot the weak spots before the bad guys do. It can also help with compliance (e.g., ISO 27001 and PCI DSS both require physical security controls to be evaluated). The outcome is often rooted in awareness training of employees to ensure there is no weak link in your security chain. Ultimately it helps prevent data theft or damage to your assets.

How much does a physical penetration test cost?

It depends on the scope and locations to be assessed, but for a single site, an average cost is around £3,000-£5,000.

How do you remediate after a physical penetration test?

1. Analyse the Report: Your physical penetration test report will highlight the vulnerabilities detected, potential impacts, and suggest remediation measures.
2. Prioritise Remediation Efforts: Some findings may pose a higher risk than others. The attendant risk (based on severity, potential impact, and exploitability) will determine which vulnerability to address first.
3. Develop a Remediation Plan: This plan should include the steps required to address each vulnerability, the resources required, timelines, and the individuals or teams responsible.
4. Implement Fixes: This could involve a range of actions, such as increasing security personnel presence, enhancing CCTV coverage, installing better access control systems, improving lighting, or using Risk Crew’s training and awareness program to help employees improve their understanding of security procedures.
5. Policy and Procedure Adjustments: The penetration test may well reveal gaps in your current security policies or procedures. It is crucial to update your policies and standards to reflect what was discovered in the test.
6. Re-test: After remediation measures have been implemented, it would be a good idea to conduct another penetration test to ensure the fixes are effective, and that no new vulnerabilities have been introduced.
7. Continuous Monitoring and Improvement: Physical security, like all aspects of security, requires continuous monitoring and improvement to be effective. Regular testing and assessment can help keep your physical security posture robust and up to date.

Should staff be informed that a test is going to be conducted?

No, as part of the process is to evaluate staff awareness. Usually, only senior management is aware the test is underway. Depending on the nature of your organisation, we sometimes inform local authorities to prevent a genuine alert.