Adversarial Risk Group

What is a covert entry assessment?

A covert entry assessment is a physical engagement in which testers attempt entry without front-line staff knowledge, measuring real detection and response.

Key takeaways

  • Covert entry tests detection and response, not just controls. The data is about how the organization behaves under contact, not just what the policies say.
  • Knowledge is limited to a small trusted-agent group: usually three or four people including the executive sponsor.
  • The engagement requires written authorization (engagement letter plus get-out-of-jail letter) and operational discipline; without these, it is trespass.
  • Covert is the right choice when the question is "how does the security program actually perform" rather than "is the policy followed". It is the wrong choice when the program is too immature to learn from the data.
  • ARG runs covert entry inside an integrated engagement, with the digital and human surfaces tested in coordination.

How is a covert entry assessment scoped and rules-of-engagement set?

A serious covert engagement is documented before it starts. The scope document covers:

1. Authorization. Signed by an executive with the legal authority to grant access to the facility. The signing executive is a member of the trusted-agent group.

2. Trusted agents. The small group inside the organization who know the engagement is happening. Typical composition: executive sponsor, head of IT or security, facility lead, external legal counsel where appropriate. Each is named, with role and contact information. The list is small for a reason; larger lists leak.

3. Objectives. The specific outcomes the engagement is testing. "Reach a network closet", "photograph the HMI in control room A", "drop a network device on the engineering subnet", "exfiltrate a sample of CAD files", "walk an executive's laptop out of the building". Each objective tests a specific control combination.

4. Permitted techniques. Tailgating, pretexting, badge work, lock work (where authorized), social engineering, off-hours entry. The list is explicit; anything not listed is implicitly out of scope.

5. Prohibited techniques. Anything causing damage, anything touching production OT or safety systems, denial of service, destructive payloads, any technique against personal devices outside agreed targets. The prohibitions protect the engagement and the testers.

6. Operational hours. When testing is authorized. Business hours, off-hours, both. Day-of-week constraints if any.

7. In-scope and out-of-scope assets and areas. Specific buildings, specific zones, specific systems. The boundary is named.

8. Escalation and abort. A 24-hour contact path. The conditions under which the engagement is paused or stopped. The communication protocol for unexpected events.

9. Get-out-of-jail letter. Signed by the executive sponsor, identifying the bearer, the engagement window, and the sponsor's direct contact. The tester carries the letter on site.

10. Legal coordination. Where applicable, external counsel is informed and may coordinate with local law enforcement in writing through the sponsor.

Without this scaffolding, the engagement is operationally fragile and legally exposed. With it, the engagement runs cleanly.

Covert entry vs overt entry vs announced physical audit

Three approaches with different data:

Covert entry assessment. Front-line staff do not know. Tests detection and response under realistic conditions. Findings include both control gaps and workforce response data. Higher operational risk, higher data value.

Overt entry assessment. Front-line staff know an authorized test is happening. Testers are escorted; controls are walked through; gaps are discussed in real time. Findings cover the control design and the workforce's understanding of policy, but not the actual response under contact.

Announced physical audit. Front-line staff and security know an auditor is on site. The auditor observes, asks, reads, and documents. Findings cover policy, technology, and the gap to practice; they do not measure detection or response. See "What is a physical security audit?".

A mature program runs an announced audit first (to baseline policy and practice), then a covert engagement (to measure response), then continuous reassessment. The covert engagement without the audit produces dramatic stories with thin baselines. The audit without the covert engagement produces clean reports with no contact data.

Why covert entry produces findings other approaches miss

Three categories of finding only show up when front-line staff do not know testing is happening:

  1. Detection latency. How long does an unauthorized presence stay unnoticed? Cameras present do not mean cameras watched. Alarms configured do not mean alarms responded to. Covert testing measures the gap between event and detection in real time.
  2. Escalation accuracy. When something is noticed, what happens next? Is the right person called? Does the right person respond? Does the response take the right action? Each link in the chain is exercised only when the test is real.
  3. Workforce behavior under pressure. A pretext that succeeds tells the organization what kind of social engineering its workforce is vulnerable to. A pretext that is challenged tells the organization whether its challenge culture is functional. Neither datum is available from an audit.

For mid-market manufacturers building a security program, the first covert engagement often produces the largest cluster of useful findings the organization has ever received. The findings reshape investment priorities away from technology procurement and toward workflow, staffing, and culture.

Examples of covert entry outcomes on industrial sites

Patterns from ARG covert engagements at manufacturers:

  • Twenty-minute path from unattended parking lot to control room. A pretexted electrical contractor with a clipboard, a high-visibility vest, and a fabricated work order. Reception is preoccupied; visitor management is informal during lunch; controlled doors are propped open for HVAC techs. Outcome: a photograph of an unattended HMI screen. See "What is SCADA security?".
  • Engineering file recovery during morning shift transition. A pretexted "new hire on first day" enters with the day-shift crowd, walks to the engineering area, sits at an unoccupied desk, and reads CAD files visible on the screen. Detected by a returning engineer twenty-three minutes later. Response: polite query, escort to HR; HR not yet briefed on the new-hire pretext.
  • Network port drop in a conference room. A pretexted "vendor sales rep" reserves a meeting room for an afternoon, plugs a small device into the network port under the table, and works on a laptop. The device establishes outbound C2. The drop survives the engagement; the cleanup is a finding.
  • Badge cloning during smoking-area observation. Lunch-area observation produces successful credential clones (see "What is badge cloning?"). The cloned credentials are tested against entry readers later in the engagement.
  • After-hours entry through a side door. Off-hours testing at a side door identified during daytime reconnaissance. Door secured by lock plus alarm. Lock bypassed; alarm chimes locally only; no remote escalation; tester reaches engineering area unchallenged. Total time from arrival to objective: nine minutes.
  • Surfaced pretext at gate during shift change. A pretexted vendor technician approaches the gate during shift change with credentials that do not match the recorded vendor list. The gate guard, recently trained on verification protocol, challenges and calls the trusted-agent contact. Outcome: positive finding; the new training is producing measurable behavior change.

A successful engagement produces a mix of failures (controls bypassed) and successes (controls held). The mix is the value of the engagement.

How to choose between covert and overt physical testing

Three signals point to covert as the right choice:

  1. The security program has a baseline. An audit has been run, policy is documented, basic controls are in place. The next question is "do the controls work under pressure", which only covert testing answers.
  2. Detection and response are an explicit program area. The organization invests in cameras, monitoring, alarms, and security staff and wants to measure whether the investment produces results.
  3. Insurance or compliance demands evidence of effectiveness. Cyber insurance underwriting increasingly rewards evidence of tested controls. Covert testing produces that evidence directly.

Three signals point to overt or announced as the right choice:

  1. The security program is early-stage. No audit has been run, policy is in development, basic controls are immature. Covert testing produces findings the organization cannot absorb; start with announced audit, then progress.
  2. Specific regulatory or contractual restrictions apply. Some defense and critical-infrastructure clients require notification of physical testing in advance. Honor the requirement.
  3. The objective is workforce education, not measurement. Walk-throughs with active discussion produce education outcomes; covert testing does not.

ARG's default for first-year engagements at mid-market manufacturers is a paired model: announced audit during week one, covert testing during week two, with findings consolidated.

Best practices for safe execution of covert entry assessments

  1. Authorization is non-negotiable. Signed engagement letter, signed get-out-of-jail letter, named trusted agents. Without the documents, the engagement is trespass; the documents protect the engagement and the testers.
  2. Two-person teams for high-risk objectives. A partner monitors the engagement remotely, holds the contact line, and triggers escalation if needed. Solo testing is acceptable for low-risk reconnaissance and entries with low-risk objectives.
  3. Coordinate with law enforcement where appropriate. For sensitive industries or larger facilities, brief local law enforcement in writing through the sponsor. The brief sits on file; the front-line patrol does not get a heads-up.
  4. Operational discipline matching the pretext. The pretext is a persona, not a costume. Posture, language, paperwork, vehicle, apparel, and behavior all match. Operator inconsistency is what gets covert engagements surfaced, sometimes positively but usually because the operator broke pretext.
  5. Documented chain of custody on evidence. Photographs with EXIF data, timestamps, contemporaneous notes. The evidence has to survive hostile review by a future underwriter, board member, or regulator.
  6. Respect front-line staff dignity. When pretexts are surfaced or testers are detained, the trusted-agent contact resolves the situation immediately. Front-line staff who challenged correctly are thanked publicly during the debrief.
  7. Pre-planned debrief. The engagement ends with a structured debrief, including the staff who interacted with the tester (without revealing identities where appropriate). The debrief is a learning event for the workforce, not a public-relations exercise.
  8. No production OT interaction. Live OT and safety systems are out of scope without paired safety controls, regardless of accessibility. The path to the boundary is testable; the boundary itself is not.

Covert entry assessment FAQs

Who at the client knows about a covert entry assessment?

A small trusted-agent group, typically three or four people: the executive sponsor authorizing the engagement, the head of IT or security, the facility lead, and (where appropriate) external legal counsel. Front-line staff (reception, security, plant employees) do not know. Local law enforcement may be informed in writing through the sponsor for sensitive facilities.

What happens if the tester gets caught?

The tester presents the get-out-of-jail letter, which names the engagement, the bearer, and the authorizing executive with a 24-hour contact number. If facility security or law enforcement requires verification, the trusted-agent contact resolves the situation in minutes. A clean detection and response is a successful outcome, not a failure.

Are covert entry assessments worth the risk?

When scoped and run with operational discipline, yes. Covert engagements produce data that no other testing method generates: how the workforce actually responds to an unauthorized presence, how detection actually escalates, how the response actually plays out in real time. The risk is managed through rules of engagement, trusted-agent communication, and the get-out-of-jail letter.

How is success measured in a covert entry assessment?

Success is measured by what the engagement reveals, not by whether the tester was caught. A successful engagement produces evidence of which controls held, which did not, what the response time was, and where the chain of detection broke down. Being detected by attentive staff is a positive finding; being detected after the tester has already reached the objective is a different finding.

How ARG executes covert entry as part of the adversarial loop

Covert entry is a recurring component of ARG's on-site engagement weeks. It runs alongside tailgating, pretexting, badge cloning, and on-site vishing inside a single integrated engagement.

On-site execution is conducted by David Ashby, drawing on a manufacturing background at Quality Electrical Systems. The operator's familiarity with industrial environments lets pretexts ride the actual operational rhythm: real vendor visit patterns, real shift dynamics, real maintenance and contractor flow.

Each covert engagement is scoped against objectives that map to business outcomes: reach a network closet (digital pivot evidence), photograph an HMI (OT exposure evidence), recover a CAD sample (IP exfiltration evidence), drop a network device (persistent foothold evidence). The objectives mirror what actual attackers would pursue at the facility.

Findings consolidate into the engagement report alongside the physical audit, the digital simulation, and the continuous social engineering layer. Each finding is logged with location, time, pretext, outcome, detection event, and escalation behavior. The remediation backlog merges across surfaces: a single physical finding may interact with an identity finding from the digital layer or a vishing finding from the same week.
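As an added illustration (not ARG's own tooling), a minimal Python record and classifier for the finding attributes listed above, assuming hypothetical field names and constructed sample findings modeled on the patterns in this article; it derives the detection-latency and held/late/no-escalation distinctions the article uses to judge success:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed finding record (hypothetical field names) mirroring the logged
# attributes: location, time, pretext, outcome, detection event, escalation.
@dataclass
class Finding:
    location: str
    pretext: str
    entry: datetime                        # tester first on site
    objective_reached: Optional[datetime]  # None if objective was not reached
    detected: Optional[datetime]           # None if the presence went unnoticed
    escalated: bool                        # detection reached the trusted-agent contact


def detection_latency(f: Finding) -> Optional[timedelta]:
    """Time from entry to detection; None means never detected."""
    return None if f.detected is None else f.detected - f.entry


def classify(f: Finding) -> str:
    """Map a finding to the outcome categories the article distinguishes."""
    if f.detected is None:
        return "undetected"
    if not f.escalated:
        return "detected-no-escalation"        # e.g. alarm chimes locally only
    if f.objective_reached is None or f.detected < f.objective_reached:
        return "held"                          # challenged before the objective
    return "detected-after-objective"


def summarize(findings):
    """Outcome counts plus median detection latency (minutes) over detected events."""
    counts = {}
    for f in findings:
        counts[classify(f)] = counts.get(classify(f), 0) + 1
    mins = sorted(detection_latency(f).total_seconds() / 60 for f in findings if f.detected)
    median = mins[len(mins) // 2] if mins else None
    return counts, median


# Constructed sample log, loosely modeled on the outcome patterns described above.
T = datetime(2026, 5, 18, 12, 0)
SAMPLE = [
    Finding("control room A", "electrical contractor", T, T + timedelta(minutes=20), None, False),
    Finding("engineering area", "new hire", T, T + timedelta(minutes=5), T + timedelta(minutes=23), True),
    Finding("side door", "none (off-hours)", T, T + timedelta(minutes=9), T + timedelta(minutes=1), False),
    Finding("main gate", "vendor technician", T, None, T + timedelta(minutes=2), True),
]
```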

Re-engagement on a one- or two-year cadence re-tests previously bypassed paths. Findings either stay closed or surface as drift; the engagement evolves the test as the facility evolves the defense.



Author: David Ashby. Updated 2026-05-18. Adversarial Risk Group.