Physical Penetration Testing Methodology

Learn more about our methodology and the steps used in our physical security penetration testing engagements.

RedTeam Security's Physical Penetration Testing Methodology

RedTeam’s physical penetration testing methodology comprises several phases. Each penetration test is conducted consistently using globally accepted, industry-standard frameworks. At a minimum, the framework underlying RedTeam’s physical penetration tests is based on the NIST Special Publication 800 series guidance and the OSSTMM.

RedTeam’s expert pentesters carefully examine both the surroundings of your facility and its internal environment to identify potential security vulnerabilities. We also identify weaknesses in your existing security controls so you can apply additional countermeasures where they are needed.

Physical Penetration Testing Steps

The steps of a physical penetration test performed by RedTeam Security are straightforward, and we take a meticulous approach to ensure nothing is overlooked. Every security detail is accounted for, because real attackers will examine everything from your locks to what can be seen through your windows, and they are not above dumpster diving for information that helps them reach their goals. We adopt the attacker’s mindset and cover every angle using the following steps in our methodology.

Information Gathering/OSINT

As with other types of penetration testing, the first phase of a physical penetration test focuses on gathering as much information as possible about the target locations. This is one of the most critical steps in our process because it lets us examine your organization from the perspective of a “bad guy” and see what an attacker would see using public tools such as Google Earth (satellite and street-level imagery), social media, and job boards. Using this approach, it is usually possible to learn a great deal about the target’s (in this case, your facility’s) surroundings and environment.

Once we have gathered intel about the facility itself, we turn to a step we call Open Source Intelligence (OSINT) gathering, which focuses on the organization and its people. OSINT can be quite telling about a target, its staff, and specifics of the physical environment (for example, employee photos that reveal badge designs, or job postings that name the access control or alarm vendors in use). To accomplish this step, we use a different set of public sources, including social networks and job boards, to name just two.

The depth of this phase varies with the engagement. In some cases, the client provides much of the information needed to create the RedTeam Operations Plan (for example, vendors used, photographs of the locations, floor plans, front desk procedures, dress codes, a photo of an access badge, and the security systems in place).

Active Reconnaissance/Covert Observation

The Active Reconnaissance phase of a physical penetration test gathers information that cannot be found online. Depending on the engagement, RedTeam may use social engineering (for example, pretext phone calls) to obtain information that is not publicly available or details that are impossible to find online.

This phase also involves Covert Observation: visiting each location and taking photographs that document where existing barriers can be bypassed and where unsecured entry points exist. We also observe dress codes, where staff take breaks, doors that are propped or left open, physical security controls such as cameras and other equipment, security guard behavior, and front desk procedures. Where the badge technology permits it (legacy proximity cards, for example, can be read and copied at close range), access badges may also be cloned. This information is used to establish the plan of attack.

Attack Planning & Pretexting

Intelligence gathered in the previous steps is combined into a Red Team Operations Plan (RTOP). The RTOP includes the pretext (the cover story used if social engineering techniques are leveraged), the targets and goals, estimated timings for execution, key information learned about the locations, and the equipment that may be needed. Once the plan is approved, equipment is prepared and the “get out of jail” letter (the signed authorization identifying the testers, the scope, and a client contact who can verify the engagement if the team is stopped) is printed in preparation for execution.

Actions on Objective/Exploitation & Post-Exploitation

This is where the team executes the attack outlined in the RedTeam Operations Plan (RTOP). This may include using a cloned access card, tailgating into a location, bypassing door locks and security alarms, leveraging social engineering, or other agreed-upon methods to accomplish the goal at each location. Different actions may be taken at the same location at different times of day, since controls and staff behavior often differ between business hours and after hours. Once RedTeam Security gains access to a location, the agreed-upon post-exploitation activities are executed and evidence is gathered to document each point of entry.

The results of information gathering, OSINT, attack planning and pretexting, and execution are combined into a comprehensive report that includes a summary of the steps taken, evidence, observations, and recommendations. From this report, a remediation plan can be developed to reduce the identified risks going forward.

To perform a comprehensive real-world assessment, RedTeam Security’s penetration testers use commercial tools, internally developed tools, and the same tools that bad actors use on each physical penetration test. Our intent is to assess security by simulating a real-world attack, and we leverage the tools at our disposal to carry out that task effectively.

Schedule a Free Consultation With a Cyber Security Expert Today

When planning your cybersecurity and security testing strategy, securing your technology is vital, but it is important to think beyond computer systems, malware, firewalls, wireless networks, web applications, mobile applications, and other digital weaknesses. Ensuring that your physical security is as strong as it can be is an essential part of raising security awareness and improving your overall security posture.

RedTeam Security’s staff is highly skilled at performing physical penetration tests. Our process will show you whether your facility’s physical security holds up against a determined attacker. RedTeam Security’s professionals will work diligently to identify potential vulnerabilities within your organization’s walls and to confirm that the people working in or associated with your organization are not inadvertently falling for classic social engineering ruses or giving out sensitive information, unpublished data, or materials. Ready to strengthen your physical security? Schedule your free virtual meeting with a RedTeam Security expert today at 612-234-7848.
