What is physical penetration testing?

Key takeaways

• Physical penetration testing measures what facility security controls actually do under contact, not what the procedures say they do.
• The engagement is objective-driven: reach a designated room, plug into a designated network port, photograph a designated asset, walk out with a designated item.
• For manufacturers, the failure modes are usually procedural (gate staffing, delivery flow, visitor management), not technical (locks, badges, cameras).
• Done well, the engagement produces evidence with chain of custody: photos, timestamps, badge logs, video frames, and the route walked.
• Physical testing pairs naturally with adversarial simulation of the digital and human surfaces; on its own it is half the picture.

What does a physical penetration test actually involve?

A physical penetration test is a focused exercise: a credentialed operator attempts to defeat the facility's security controls in the specific ways an unauthorized visitor would, and document what happened.

The work is more procedural than it sounds. The reality of mid-market manufacturer facilities is that lock-picking, RFID cloning, and bypass-tool work matter less than understanding the operational rhythm of the site and where the rhythm creates a gap. Most successful entries are not technical defeats; they are well-timed pretexts that ride the normal flow of the day.

A typical engagement covers five surfaces:

1. Perimeter and gate. Driveway, gate house, delivery entrance, employee entrance, visitor entrance. Where is staffing thickest, where is it thinnest, when does each entrance change posture.
2. Lobby and reception. Visitor management process, badge issuance, escort policy, sign-in logging, and what happens during shift change or breaks.
3. Interior controlled areas. Access-controlled doors between zones, mantraps, turnstiles, and any zone where badge access switches from "Authenticated Employees" to "Authenticated and Authorized for This Area".
4. Sensitive rooms. Network closets, server rooms, engineering offices, control rooms, document storage. The destinations of the engagement.
5. Exits. Where can a person leave with documents, hardware, or media. Loss-prevention surface, often the least-watched zone.

Each surface has procedural defenses (workflow, staffing, training) and technical defenses (locks, badges, cameras, sensors). The engagement tests both.

Phases of a physical pen test: reconnaissance, entry, objectives, reporting

A full engagement runs in four phases.

1. Reconnaissance. Open-source first: satellite imagery, street-view photos, public planning documents, building permits, trade-show appearances by company personnel, vendor case studies that name suppliers, job postings that disclose technology and security tooling. Then site observation: legal, low-profile visits to the surrounding area to watch the operational rhythm. Where do employees enter, what time does the day shift hand over to swing shift, when does waste pickup happen, what is delivered when, who is the regular UPS or FedEx driver, what is the smoking-area routine, where are the doors propped open. See What is OSINT (open-source intelligence)?.

2. Pretext and infrastructure. Pretexts designed for the specific facility: a vendor technician for a known supplier, an inspector during a known compliance window, a delivery driver with a fabricated routing slip, an electrician for a known panel-work project. Apparel, identification, paperwork, and (where appropriate) a magnetic vehicle sign matched to the pretext. See What is pretexting?.

3. Entry and objectives. Active testing on site. Tailgating attempts, badge cloning where feasible (What is badge cloning?), pretext entries at primary and secondary doors, lock work where authorized (What is lock bypass?). Once inside, navigate to objectives: a network closet for a port-drop test, a control room for a workstation-photograph test, an executive office for a document-recovery test. Every step is timestamped and photographed where possible.

4. Reporting and debrief. Written report with the attack chain narrated end to end: where the tester entered, when, what worked, what was challenged, what was missed. Photos and video frames as evidence. Findings mapped to specific procedural and technical controls. Remediation prioritized by exploitability and business impact. Final debrief with the executive sponsor and the security or facility lead.

Why mid-market manufacturers need physical penetration testing more than enterprises

Three structural reasons that drive ARG's focus on this market segment:

1. High-value physical assets in proximity to public access. Engineering workstations, control rooms, CAD repositories on workstation drives, paper documents in engineering files, and network closets within minutes of an unattended door. The blast radius of a single successful entry is large.
2. Operational rhythm creates predictable gaps. Shift change, delivery windows, vendor visit days, and break periods all create staffing thinness at specific times. The gaps are knowable from outside the facility because the rhythm is visible in the parking lot. An attacker watching for two days learns the schedule.
3. Underdeveloped on-site security programs. Enterprises invest in facility security as a discipline; mid-market manufacturers usually treat it as a delegated subset of operations or HR. Visitor management policies exist on paper, but execution is informal. The gap between the policy and the practice is the testable surface.

For a manufacturer whose security program to date has focused on email, endpoint, and compliance documentation, the first physical pen test typically produces the largest cluster of high-impact findings the organization has ever received. Most of them are workflow, not technology.

Examples of physical pen test findings on manufacturing sites

Patterns ARG sees repeatedly during on-site engagements:

• Tailgating during morning delivery window. A pretexted vendor technician arrives during the 6:30 to 8:00 delivery rush in branded apparel and a magnetic vehicle sign. The gate waves through; the lobby is busy; the technician reaches an engineering network closet within twelve minutes. See What is tailgating (piggybacking)?.
• Inspector pretext during a known certification window. During an ISO or audit period (visible from the company's own marketing), a pretexted external inspector with a credible badge and clipboard is escorted by reception through several controlled areas. Photographs taken of network closets, IDF cabinets, and control rooms.
• Badge cloning from a public parking lot or restaurant. A weekend or lunch session in a public space nearby is sufficient to clone HID Prox credentials at conversational distance. Cloned credentials grant unescorted access during business hours.
• Network port drop in an unattended conference room. A pretexted contractor sits in a "reserved" conference room, plugs a small device into the network port, and works on a laptop for two hours. The device establishes outbound C2 to an attacker-controlled endpoint.
• Document recovery from an executive office. Doors are unlocked during business hours; offices are unoccupied during lunch and meetings. Printed documents (financial statements, employment letters, customer contracts) sit on desks.
• Smoking-area or break-area access. Employees prop the door open. The propped door is the entire perimeter for that period.
• Side or back door without active monitoring. Cameras present but not watched; door alarms set to chime locally but not alert. Off-hours entry succeeds without anyone responding.

Each finding has a specific procedural remediation. None of them require new technology.

How to scope a physical penetration test for a multi-building facility

Scoping decisions determine whether the engagement produces actionable findings or theater.

1. Define objectives, not target lists. "Reach a network closet", "photograph an HMI in the control room", "drop a network device", "exfiltrate a sample CAD drawing", "walk an executive's laptop out the door". Each objective tests a specific combination of controls.
2. Decide which buildings are in scope. Multi-facility engagements take longer and produce more findings. For first engagements, scope to a single facility; for re-tests, prioritize facilities with the highest-value assets or the largest changes since the prior engagement.
3. Set rules of engagement explicitly. Authorized hours (overnight or business hours), authorized techniques (lock bypass, badge cloning, force, social engineering), prohibited techniques (anything causing damage, anything touching OT or safety systems), and the response if a tester is detained.
4. Identify trusted agents. Three to four people inside the organization who know the engagement is happening: executive sponsor, head of security, head of facilities, and a technical contact. Larger lists leak.
5. Coordinate with law enforcement context. For larger facilities or sensitive industries, brief local law enforcement in writing through the executive sponsor. The brief sits on file; the front-line patrol does not get the heads-up.
6. Plan the safety net. A 24-hour contact path for testers who get into trouble. A get-out-of-jail letter the tester carries. A second tester or remote partner monitoring the engagement.
7. Allow for staged escalation. Start with low-impact entry attempts and escalate techniques only as needed. The engagement does not need to defeat every control; it needs to demonstrate which controls are exploitable, then move on.

Best practices for safe and effective physical pen testing

1. Signed authorization from someone with the authority to grant it. The executive sponsor must have the legal authority over the facility. A signed engagement letter plus a get-out-of-jail letter is the minimum.
2. Two-person teams for sensitive engagements. A partner monitors the engagement remotely, holds the contact line, and triggers the escalation if needed. Solo on-site work is acceptable for short low-risk testing; sensitive objectives require the second person.
3. Operational discipline matching the pretext. The pretext succeeds because the operator believes it and behaves accordingly: posture, language, paperwork, vehicle, apparel. Operator inconsistency is what gets pretexts surfaced.
4. Chain of custody on evidence. Photographs with EXIF data, video frames with timestamps, contemporaneous notes. The evidence has to hold up to a hostile reader: an underwriter, a board member, a regulator.
5. Respect staff dignity. When pretexts are surfaced or testers are detained, the response to the surfacing staff member is informational, not punitive. The opposite frame corrodes the program.
6. No production OT interaction. Engineering workstations, HMIs, and engineering files are reachable surfaces; interacting with live OT control logic is out of scope without paired safety controls. See What is operational technology (OT) security?.
7. Documented escalation path. When something unexpected happens (a tester is detained, law enforcement responds, an injury occurs), the contact path resolves within minutes, not hours.
8. Brief the response after, not before, the engagement. The debrief is a learning event, not a public-relations exercise. The staff who were tested learn what happened and why.

Physical penetration testing FAQs

Is physical penetration testing legal?

Yes, when conducted under written authorization from someone with the legal authority to grant access to the facility. The standard practice is a signed engagement agreement plus a get-out-of-jail letter the tester carries on site, naming the authorizing executive and a 24-hour contact number. Without written authorization, the same activity is trespass.

Do testers carry a "get out of jail" letter?

Yes. The letter, signed by the executive sponsor, identifies the bearer, names the engagement, lists the testing window, and includes the sponsor's direct contact number. If the tester is detained by facility security or law enforcement, the letter is the evidence of authorization. The letter is the single most important physical-engagement document.

How long does a physical pen test take?

Typically two to four weeks end to end for a single-facility engagement. Reconnaissance runs one to two weeks (some on site, some remote), active testing one to two weeks on site, and reporting and debrief one week after. Multi-building or multi-facility engagements run longer.

Should security guards and front-desk staff know in advance?

Usually not. The whole point is to test how the controls actually perform against an unauthorized entry attempt. A small list of trusted agents inside the organization (usually three or four people including the executive sponsor and a technical contact) holds the rules of engagement and the get-out-of-jail letter. Front-line staff are the test population, not the test designers.

How ARG runs physical penetration tests as part of the founding-year engagement

Physical penetration testing is the on-site anchor of ARG's engagement model. It runs during the first-year engagement and on a recurring two-year cycle thereafter, paired with the continuous adversarial simulation that runs in the digital and human channels between on-site visits.

The on-site work is delivered by David Ashby, drawing on a manufacturing background at Quality Electrical Systems. The operator is credible on a plant floor because the operator has worked on a plant floor: the language, the apparel, the gait, the understanding of shift dynamics and vendor flow. Physical reconnaissance, gate observation, pretext entries, network closet identification, badge work where authorized (What is badge cloning?), and on-site vishing during the engagement week are all conducted by the same operator the client meets in the first sales conversation.

The findings consolidate into the broader engagement report. Physical findings sit alongside the continuous penetration testing, phishing simulation, and vishing findings from the same engagement window. Remediation is prioritized as one backlog, not three. The next on-site visit re-tests the closed paths and surfaces what has changed.

For founding clients, the physical engagement is part of the first-year fee. Subsequent on-site engagements (annual or biennial depending on cadence) are scoped against the continuous layer's findings and priced based on documented improvement.

Apply as a founding client or see how the engagement works for the full delivery cycle.