BIPI

Physical Security Assessments: Red Team Methodology for Physical Access

Cybersecurity

How professional red teams approach physical security assessments — pretexting, lock picking, RFID cloning, tailgating, and combining physical access with digital exploitation.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 9, 2025 · 12 min read

#physical-security #red-team #lock-picking #rfid #social-engineering

Physical security is the last defence that cyber controls cannot patch. A motivated adversary who walks through the front door bypasses every firewall, every EDR, and every zero-trust policy in the building. Physical red team assessments test whether that door can stay closed.

Rules of engagement and legal grounding

Physical red team operations require explicit written authorisation specifying which buildings, floors, and times are in scope. Carry a get-out-of-jail letter signed by an executive and the security team. No engagement is worth an arrest.

Pre-engagement reconnaissance

  • Google Street View and satellite imagery for entry points, camera positions, guard posts
  • LinkedIn for security vendor names (often listed on guard uniforms in photos)
  • Building permit records for floor plans in some jurisdictions
  • OSINT on target employees to build convincing pretexts
  • Passive surveillance visit during business hours to observe badge colour, lanyard styles

Entry techniques

Tailgating behind legitimate employees exploits social courtesy — people hold doors. A confident stride and a plausible pretext (IT contractor, maintenance, delivery) are more reliable than any technical tool. RFID badge cloning with a Proxmark3 is the next layer if physical access is needed after hours.

  1. Tailgating: time entry with crowd flow, carry an equipment box or laptop bag
  2. RFID cloning: Proxmark3 in pocket near target's badge (HID Prox is trivially clonable)
  3. Lock picking: Sparrows or Multipick pick guns for pin tumbler locks
  4. Under-door tool: for lever handle doors without guard presence
  5. REX sensor attack: motion-activated exit sensor exploitable from outside with wire
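Two of the entry techniques above leave traces in the access-control system itself: a cloned Prox card produces a second "in" read for a badge that never badged out, and a REX sensor triggered from outside produces an exit event from a zone nobody is in. The following detector, an added example and not part of the original post or BIPI's tooling, replays a constructed event log and raises both conditions; the log format and event names (IN, OUT, REX) are assumptions, not a real vendor's export format.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access-control export (not real data).
# Columns: timestamp, door, event, badge id.
# IN  = badge read on the entry reader, OUT = badge read on the exit reader,
# REX = request-to-exit sensor fired (no badge involved, so badge is "-").
SAMPLE_LOG = """\
2025-05-09T08:02:11 lobby IN 0x1A2B
2025-05-09T08:05:40 lobby IN 0x3C4D
2025-05-09T12:31:05 lobby OUT 0x3C4D
2025-05-09T13:10:22 lobby IN 0x1A2B
2025-05-09T18:45:00 lobby OUT 0x1A2B
2025-05-09T23:17:48 lobby REX -
"""

@dataclass
class Alert:
    when: datetime
    door: str
    kind: str
    detail: str

def analyse(log: str) -> list[Alert]:
    """Replay events in order, tracking which badges are inside each door's zone.

    anti-passback:  a badge reads IN while already inside, i.e. the credential
                    is in two places at once, consistent with a cloned card.
    empty-zone-rex: the exit sensor fires while the zone is empty, consistent
                    with the sensor being triggered from the outside.
    """
    inside: dict[str, set[str]] = {}
    alerts: list[Alert] = []
    for line in log.splitlines():
        ts, door, kind, badge = line.split()
        when = datetime.fromisoformat(ts)
        zone = inside.setdefault(door, set())
        if kind == "IN":
            if badge in zone:
                alerts.append(Alert(when, door, "anti-passback",
                                    f"badge {badge} entered twice without exiting"))
            zone.add(badge)
        elif kind == "OUT":
            zone.discard(badge)
        elif kind == "REX" and not zone:
            alerts.append(Alert(when, door, "empty-zone-rex",
                                "exit sensor fired with nobody inside the zone"))
    return alerts

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a.when.isoformat(), a.door, a.kind, a.detail)
```

Real deployments need a badge-out reader (or an occupancy reset at the start of each day) for the anti-passback state to be trustworthy; without one the inside set never drains and every repeat entry looks like a clone.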

Objectives once inside

  • Plant a network implant (LAN Turtle, Bash Bunny) on an unused switch port
  • Access an unlocked workstation and run a payload
  • Photograph whiteboards, policy documents, and screen contents
  • Reach server room or network closet for highest impact

Combining physical and digital

The most devastating engagements combine physical access with digital exploitation. A rubber ducky in a USB port executes a reverse shell while the red teamer walks out. A rogue AP planted in a conference room captures credentials for weeks.

  • ~90%: physical red team engagements where entry was achieved
  • <60 seconds: time to plant a network implant on an unlocked switch
  • majority: facilities still using 125 kHz HID Prox cards

Social engineering a door open takes 30 seconds. Patching that vulnerability takes a culture change.
