Physical Security Assessment

The strongest vault door in the world is pointless if it is propped open for the delivery driver. Most security thinking quietly assumes the attacker is somewhere on the internet, but physical access is an attack vector too - and once someone is sitting at a desk inside your office, or holding one of your devices, a great deal of your carefully built digital security is moot. Our Physical Security Assessment tests whether an attacker can gain physical access to your premises, your equipment, and ultimately your network. It is offensive security at its most tangible, and it consistently reveals gaps that no amount of technical hardening would have caught. It is also the strongest possible complement to a Red Teaming engagement, for which physical entry can be the route to initial access.

Getting In

With your authorisation and under carefully agreed Rules of Engagement, we attempt to enter your premises as a determined intruder would. There are a number of ways in which an attacker could get in, and which we can test.

  • Tailgating. Following behind a legitimate employee through a controlled door remains one of the most reliable techniques in existence, and we test it directly.
  • Pretext-based entry. If an individual in a high-visibility jacket arrived at your premises claiming to be doing maintenance work, would your staff admit them? Our operators can arrive on your premises, present a plausible reason to be admitted, and test how your staff react.
  • Physical lockpicking. Locks remain the most common way doors, cabinets, and other secure environments are protected when staff are not present, yet lockpicking is in fact generally quite straightforward.
  • RFID spoofing. Electronic badges, cards, and key fobs are ubiquitous in modern physical access control systems, yet most of these systems can be spoofed by anyone listening in through radio through tools like Flipper Zero. This connects with our Wireless Security Assessment, which focuses on the testing of radio-frequency communication systems.

What That Access Yields

Once inside, we assess what physical access actually grants, because the door is only the beginning. Unattended and unlocked workstations, network ports in reception or meeting rooms that hand out direct access to internal networks, unsecured server rooms, and sensitive documents left visible or recoverable from bins are all common and all serious. Where in scope, we test whether a dropped or planted USB device finds its way into a machine, and whether physical access to a device defeats its disk encryption and login controls - a concern that connects directly to our Workstation Security Assessment.

Conducted With Discretion And Authority

A physical engagement carries its own risks, so we manage it with corresponding rigour. Every operator carries a signed authorisation letter naming the engagement and the people to contact, and we agree clear safety boundaries and abort conditions in advance, because no test is worth a genuine confrontation. We can run the work covertly, to measure how far a determined intruder gets before anyone intervenes, or overtly alongside your facilities team, to audit controls collaboratively - the former more realistic, the latter less disruptive. For organisations in shared or serviced premises, we pay particular attention to the assumptions made about communal areas, which are frequently far less controlled than the tenant believes.

What You Receive

You receive a report narrating how we approached, entered, and exploited access, illustrated where appropriate, with layered recommendations across access control, staff awareness, and the physical protection of equipment and network infrastructure. We treat your staff with respect throughout - an employee who lets us tailgate has been failed by a process, not personally, and our reporting reflects that.

Physical Security Liability

Testing of physical access faces unique legal liability concerns. Shellhex only conducts security tests within the bounds of compliance with all applicable UK laws and regulations, and as such, we will need to conduct legal review of any particular physical testing methodology before we can proceed with it. No statements on this page are to be taken as guarantees of our ability to conduct specific testing strategies, merely suggestions about possible strategies to explore. Nevertheless, physical security testing is a legitimate industry that existing security providers sometimes offer, and wherever possible, Shellhex does as well.