What is lock bypass?

Key takeaways

• Most successful unauthorized entries in mid-market manufacturer facilities exploit the door, not the lock.
• Common bypass techniques work against standard commercial doors in seconds to minutes with hardware that costs under fifty dollars.
• High-security cylinders resist picking but do not, on their own, resist door bypass. The door's installation matters as much as the lock.
• Compensating controls (cameras with real review, alarms with real response, badge logs with real audit) are what shorten time to detection when bypass occurs.
• Lock bypass is usually the lowest-impact finding in a physical engagement; the higher-impact finding is what the bypass reaches.

What is the difference between lock picking, lock bypass, and forced entry?

Three categories of physical attack on a locked door:

Lock picking manipulates the lock cylinder directly. The picker uses tools (tension wrench, pick) to operate the pins or wafers as if the correct key were used. Skill-dependent and time-consuming for high-security cylinders. Largely irrelevant in commercial bypass scenarios because the alternatives are faster.

Lock bypass works around the cylinder. Examples: pushing a credit card or plastic shim against an inward-opening door's latch to retract the latch, slipping an under-door tool through the gap between door and floor to manipulate the inside handle, manipulating the latch through a poorly-installed strike plate, bypassing a deadbolt by jimmying the frame. The door opens without the cylinder operating.

Forced entry uses tools and physical force to defeat the door. Pry bars, hammers, drills. Loud, visible, slow, and leaves obvious evidence. Real adversaries rarely choose forced entry unless time-pressure overrides stealth.

In commercial bypass scenarios, the door is almost always the target, not the cylinder. The defender who has invested in a high-security cylinder while the door surrounding it has a quarter-inch gap to the floor and a strike plate held by half-inch screws has invested in the wrong half of the problem.

The most common lock-bypass techniques used against commercial locks

A representative list of techniques that work against standard commercial doors:

• Under-door tools. A flat tool slipped under the door reaches the inside lever or thumb-turn and operates it from outside. Effective against any inward-opening door with a meaningful door-to-floor gap. Time: seconds.
• Latch shimming (loiding). A credit card or plastic shim pressed against the latch retracts it on inward-opening doors without proper latch protection. Time: seconds.
• Plug pulling and cylinder removal. On poorly-installed cylinders, twisting the cylinder hard breaks the retaining hardware and the cylinder rotates free. Time: a minute or two.
• Strike plate manipulation. A weak strike plate, or a strike plate held by half-inch screws into the door frame, can be pried away from the frame or compromised enough that the latch slips out. Time: under a minute.
• Frame manipulation. A gap between the door and the frame, often present on older or poorly-fitted commercial doors, allows a shim or wire to engage the latch from the side. Time: under a minute.
• Bypass of crash bars and exit hardware. Exit hardware designed to allow easy egress is often manipulable from outside through a small gap, a hook tool, or a string under the door. Time: seconds to minutes.
• Bypass of electromagnetic locks. Maglocks rely on a power and a controlled release; pulling the door hard, removing or disabling the maglock, or triggering the release sensor with a heat or motion source defeats the lock. Time: seconds.
• Drop-key or "REX" sensor manipulation. Request-to-exit (REX) motion sensors on the interior side can be triggered from outside through gaps with a wire, a temperature change, or a passive object. The door releases as if someone were exiting. Time: seconds.
• Bypass via accessory holes and openings. Mail slots, package drops, and accessibility cutouts provide reach-through paths to inside hardware. Time: seconds.

The pattern across these techniques: the cylinder is not touched. The door, the frame, the latch, the sensors, the hardware, and the geometry of the installation are where the attack lives.

Why most manufacturing facilities have multiple lock-bypass vulnerabilities

Three reasons drive the prevalence:

1. Doors are installed for fit, not security. Commercial doors in manufacturing facilities are sized for material flow, equipment access, and code compliance. The security-resistance specification is "lockable", not "bypass-resistant". A typical installation prioritizes thresholds that meet code, not the bypass-resistance of the installed hardware.
2. Installation quality varies wildly. A door specified to a high standard, installed by a contractor focused on cost and speed, ends up with quarter-inch gaps, half-inch strike-plate screws, and inward-opening latches without latch guards. The specified resistance and the actual resistance diverge.
3. Maintenance erodes security. Doors warp, seal, and shift over time. Frames settle. Strike plates loosen. Maglocks lose calibration. A door audited in year one with zero gap to the floor has a quarter-inch gap by year five.

Compensating controls are usually the most economical answer. Real-time camera review, door-held-open alarms with escalation, badge-log audit, and (for high-value zones) layered access controls produce more security improvement per dollar than upgrading every door.

Examples of lock-bypass findings in physical assessments

From recurring patterns in ARG engagements:

• Network closet opened with an under-door tool in under a minute. Closet door is hollow-core, inward-opening, half-inch gap to the floor. The cylinder is high-security; the door is not. Under-door tool reaches the interior lever and operates it.
• Server room reached through a frame gap. Door frame has settled, leaving a quarter-inch gap between door and frame at the latch height. A flexible tool slips through and engages the latch directly.
• Exterior side door defeated through the REX sensor. Interior request-to-exit sensor is mounted near the top of the door. A wire pushed through a gap above the door triggers the sensor; the maglock releases. Total time: thirty seconds.
• Conference-room door bypassed with a credit card. Inward-opening, no latch guard, soft strike plate. A credit card retracts the latch from the side.
• Maintenance shop opened by removing the cylinder. Cylinder set screw is loose; twisting the cylinder with pliers retains it as a unit. The plug rotates with the cylinder and operates the lock. Total time: about a minute.
• Drop-bar latch manipulated through mail-slot. A small accessory opening provides reach-through access to an interior handle.
• Crash-bar exit defeated with a string. A string with a hooked end is slipped through a gap, hooks the exit-bar pad, and pulls it. The door releases as if someone exited normally.

Each finding is documented with the technique, the time required, and the door's specific construction. Remediation depends on the door, not on the lock.

How to test your own locks without specialist tools

Three checks any facility manager can run without specialist tooling:

1. Gap check. Hold a piece of letter-size paper against the door at the latch height. If the paper slides past the latch with the door closed and locked, the door is shimable. Apply the same test along the frame and at the floor gap.

2. Strike plate check. Look at the strike plate. Half-inch screws into the door jamb are commonly seen and easily defeated. Three-inch screws that reach the structural framing behind the jamb are required for meaningful resistance.

3. Cylinder check. Press the cylinder firmly with thumb. If it moves, the retaining hardware is loose. A loose cylinder is removable.

These are not exhaustive checks, but they identify the most common installation-quality failures at zero cost. A facility with several doors failing one of the three checks has a remediation list that does not require specialist consulting; it requires a maintenance work order.

Best practices for choosing locks that resist bypass

The right approach is to specify the door system, not just the lock.

1. Solid-core or steel doors at controlled entries. Hollow-core doors are inappropriate for any controlled area regardless of lock quality.
2. Latch protection. Latch guards covering the gap between door and frame defeat shim attacks. Required at any inward-opening door.
3. Three-inch strike plate screws. Reaching into the structural framing behind the jamb. The single highest-impact, lowest-cost upgrade in most facilities.
4. Floor gap under a quarter inch. Eliminates the under-door tool category. Often requires door weather seal or threshold adjustment as the building settles over time.
5. Latch guard, deadbolt, and frame reinforcement at high-value doors. Network closets, server rooms, control rooms, and engineering offices justify the upgrade.
6. REX sensor placement that prevents reach-through. Sensors mounted away from gaps and small openings, with anti-tamper features.
7. Maglock installations with proper anti-defeat features. Tamper-resistant mounting, redundant sensors, and pull-resistance ratings appropriate for the door size.
8. High-security cylinders only at zones with corresponding door upgrades. Investing in the cylinder while leaving the door weak misallocates budget.
9. Compensating controls. Real-time camera coverage, door-held-open alarms with escalation, and badge logs that flag anomalous entries. Compensating controls shorten time to detection when bypass occurs.
10. Periodic re-audit. Buildings settle; hardware loosens; gaps appear. The audit that passed in year one needs to repeat.

For OT-adjacent doors (engineering, control rooms, network closets connecting to plant systems), the resistance requirement is higher because the consequence of bypass is larger. See What is operational technology (OT) security?.

Lock bypass FAQs

Is lock picking the same as lock bypass?

No. Lock picking manipulates the lock cylinder directly to operate the lock as if the correct key were used. Lock bypass works around the cylinder, exploiting weaknesses in the door, frame, latch, or surrounding hardware to open the door without operating the lock at all. In commercial environments, bypass is usually faster, quieter, and lower-skill than picking.

Do high-security locks really resist bypass?

High-security cylinders (Medeco, Mul-T-Lock, ASSA, BiLock) resist picking and cylinder attacks well. They do not, on their own, resist door, frame, or latch bypass. A high-security lock in a hollow-core door with a poorly-installed strike plate is easier to defeat through the door than through the cylinder. Lock security and door security are two separate problems.

How long does it take to bypass a standard commercial lock?

For common bypass techniques against standard commercial doors, often seconds to a minute. Under-door tools, latch shimming with a credit card or plastic shim, and bypass of inward-opening doors with a wedge or shim against the latch are fast and quiet. Forced entry takes longer and produces noise and visible damage; bypass usually does neither.

Does video surveillance compensate for weak locks?

Only if someone watches it in real time, or reviews it fast enough to matter. Recorded video of a bypass event is evidence after the fact; it is not a deterrent if the attacker knows the cameras are not actively monitored. Compensating controls work when they shorten time to detection; recording without review does not.

How ARG tests lock and door-hardware resilience

Lock and door-hardware testing is part of ARG physical engagements where the rules of engagement permit it. The test is conducted by David Ashby during on-site engagement weeks, against authorized doors that protect high-value zones (network closets, server rooms, engineering offices, control rooms, document storage).

The test is documented, not destructive. Bypass attempts are made with tools that do not damage the door or the hardware; force-based techniques are out of scope. The point is to demonstrate exploitability, not to actually breach. Successful bypasses are documented with the technique used, the time required, the specific door construction, and photos of the door and hardware that show the weakness.

Findings consolidate into the engagement report alongside the physical security audit, tailgating, badge cloning, and pretexting findings. Where bypass succeeds, the remediation recommendation is specific to the door: latch guard installation, strike-plate upgrade, gap reduction, or door replacement. Compensating controls are recommended where door replacement is impractical short-term.

Re-engagement on a one- or two-year cadence re-tests previously bypassed doors. Findings either stay closed or surface as drift; settling, wear, and maintenance gaps produce recurring patterns the audit catches before an adversary does.

Apply as a founding client or see how the engagement works for the full delivery cycle.