Physical Penetration Testing: Methods & More

In a physical penetration test, an organization hires security professionals to rigorously vet their physical security controls, including doors, locks, cameras, and access control systems. Over the course of the test, the pen testers will simulate actual intrusion attempts via techniques such as lockpicking and social engineering.

Once the scope of the test has been defined, the pen testers will begin by mapping the perimeter, paying special attention to any entry points that could be bypassed. They’ll examine the premises up close and from a distance, using telephotography to examine the perimeter and glean information.

As they work, the pen testers will document any vulnerabilities they come across – and then they will attempt to exploit them. In the course of the pen test, they’ll attempt to bypass locks via techniques such as lockpicking and RFID cloning. They may also attempt social engineering techniques, such as tailgating and impersonation, to gain entrance. In some pen tests, they might even try breaking down doors and windows.

Moving past the perimeter, physical pen testers will continue to seek out vulnerabilities inside the building. That might entail looking for sensitive information stored in plain sight, or stored insecurely, as well as testing access control systems and physical network hardware.

At the end of the test, the pen testers draw up a report detailing the vulnerabilities they identified and exploited, alongside severity scores and recommendations. With this report in hand, the organization can proceed to shore up their physical security.

You can’t be sure of your physical security unless you test it. And simply checking to see if your locks and cameras ‘work’ is not quite enough; if you really want to be certain, you need a professional to seriously attempt to break in. That’s where physical pen testing comes in.

Physical Penetration Testing Methods

Mapping the Perimeter

Physical pen testers often start by mapping the perimeter, paying special attention to entrances, such as doors, windows, gates, and any other access points to physical structures and to the property as a whole. They’ll keep an eye out for unsecured entrances and other vulnerabilities. For instance, they might note a window that’s locked, but unalarmed and blocked from cameras, on their list of security vulnerabilities.

As they work, the testers will keep an eye out for perimeter security systems, such as lighting, cameras, and motion detection systems. If guards patrol the perimeter, the testers will often map out their patrol routes, like a real-world criminal casing the joint.


As part of the process, the pen testers will deploy telephotography to examine and document the premises from a distance. They will often try to capture images of the interior as well. You might be surprised at how much someone can learn with the right camera scope, especially if they’re examining a modern office building with a glass exterior. They might be able to take pictures of computer screens, or capture an employee entering their PIN into a door, both of which would present major security issues.

Dumpster Diving

Dumpster diving involves searching through a building’s trash to discover information someone might leverage against the company. Various documents, statements, or invoices may contain details a would-be attacker could leverage to access facilities. For example, they might discover the identity of a trusted service provider, giving them a potential disguise they could then use to enter the building.

The best way to protect against this attack vector is to shred, burn, or otherwise destroy any sensitive documents. Your data destruction policy should include hard drives as well, which can be overwritten, degaussed, or even physically shredded to keep data from falling into the wrong hands.


Moving beyond the reconnaissance phase, pen testers will test the building’s perimeter security in earnest – and lockpicking is one of the most common methods they’ll try. Mechanical locks have changed little over the years, and they remain vulnerable to an adept lockpick.

Many businesses use magnetic locks, which are much more resistant to lockpicking. But magnetic locks only function as long as they have power, making a backup power source essential.

Pen testers might also clone RFID cards to bypass scanners. It’ll be much harder for them to get past multifactor authentication: a combination of key fobs and PIN codes offers much stronger security than either method on its own.


In a tailgating attack, an unauthorized individual tags along behind an authorized individual as they pass through a secured door. Pen testers will often attempt this method, sometimes using a degree of social engineering: they might slip through in the guise of a maintenance contractor or delivery person, for instance. Especially if their hands are full, many employees will hold a door open out of common courtesy.

Social Engineering

Tailgating is one example of a social engineering attack, in which an attacker (or in this case, a pen tester) uses deceptive tactics to gain entry. Pen testers might also deploy other social engineering tactics, such as disguising themselves, lying about their reasons for being on-site, or faking a phone call to the receptionist.

Shoulder Surfing

In a shoulder surfing attack, an attacker looks over an employee’s shoulder as they log into their computer or review sensitive data. Once inside a building, pen testers might see what they can discover just by keeping their eyes open. This often involves a degree of social engineering, as the pen tester will pretend to be a janitor or other co-worker, so as not to arouse suspicion.

Test Fire Systems

Physical pen testers will also test fire systems, keeping an eye out for two main risks. For one, they want to ensure the fire systems will properly handle a fire, so that critical systems or data won’t be damaged in such an event.

Fire systems can also create opportunities for intruders. Pulling a fire alarm will often disengage door security, which could allow intruders to more easily enter or move around within a building. Employees leaving in a hurry might not secure sensitive areas or information, giving an unauthorized person access.

Test Cooling Systems

Cooling systems can pose risks similar to fire systems. Cooling is necessary to prevent server rooms from overheating, as too much heat can cause server shutdowns. Intruders can also leverage cooling systems to alter security protocols.

Network Jack Testing

Network jacks that are operational but not actively in use create potential entry points for intruders. Pen testers may attempt to connect devices to open network jacks to see if they can exploit the connection. Typically, network jacks in highly accessible areas, such as reception or conference rooms, are the most vulnerable. However, any active jack not in use is a potential attack vector.

Breaking Down Doors

While many of the options above are relatively subtle, some physical penetration tests go as far as to physically compromise entry points. Drilling out locks, breaking windows, kicking in doors, or similar steps are potentially usable, but they aren’t widely adopted for pen testing since they leave an area vulnerable and incur repair costs.

Any decent pen tester will still examine facilities with these methods in mind. In their reports, they may note whether any specific doors, windows, or locks are logical targets for actual intruders, giving the company valuable insights.

Physical Penetration Test Process: Step-by-Step

Step 1: Prepare for the Test

No penetration test can begin unless all parties involved are clear on the scope of the test and the rules of engagement, with a formal statement of work outlining how the test will proceed.

The scope determines what systems will be tested, and what measures will be permitted. In a physical pen test, the scope usually pertains to a specific building or property. Within that, the scope can vary, and some tests may or may not include attack vectors such as social engineering or breaking down doors.

Official documents authorizing the activities protect the penetration tester from legal ramifications. Without them, a pen tester could get arrested and even convicted if mistaken for a genuine intruder. For their sake, the pen testers will keep this paperwork handy as they conduct the test.

Pen testers also need a dedicated point of contact who can intervene if the situation escalates. The pen tester is playing the role of an intruder, and in a typical pen test, most employees will not be informed that a test is being conducted. Should an employee identify them as a threat, the dedicated point of contact will step in to de-escalate the situation as needed.

Finally, it’s best to inform local law enforcement of the upcoming exercise. You don’t want the police getting called in over a pen test, which is why you should inform them up front.

Step 2: Conduct Reconnaissance

Once everyone’s ready to begin, the pen testers will start by gathering information. They’ll map the perimeter, keeping an eye out for entrances, windows, cameras, and other security systems. They may also attempt dumpster diving or social engineering attacks in search of information such as access codes that will help them gain entrance.

As they work, the pen testers will document any vulnerabilities they discover, and draw up attack plans to exploit those vulnerabilities.

Step 3: Execute the Attack Plan

After gathering information, the pen tester will start testing the physical security mechanisms outlined in the statement of work. The techniques they use range from lockpicking to breaking down doors to social engineering attacks – it all depends on the security measures being tested.

Step 4: Create the Report

Once execution has finished, the pen testers will draw up a report detailing the scope of the test, the steps they took, and, most importantly, any vulnerabilities they uncovered and successfully exploited.

Step 5: Remediation

With the report in hand, the organization can use it to address any vulnerabilities the test revealed. The point of the test is to learn about weaknesses so the company can strengthen its physical security, making it more difficult for intruders to gain entry in the future.

Step 6: Retesting

Organizations should retest any security improvements they made, so as to ensure those measures actually work to protect the premises. If the company substantially overhauled its physical security systems, it may make sense to conduct a new pen test from scratch.

Physical Penetration Testing Tools

Physical penetration testing tools are typically designed to either assist with information gathering or allow pen testers to navigate secure areas. These include:

  • Binoculars
  • Cameras
  • Glass Breakers
  • Lockpicks
  • Network Cables
  • Night Vision Goggles
  • Prybars
  • RFID Readers
  • USB Hubs
  • Wireless Access Points

If a physical penetration tester plans to pretend to be another party, they may create fake identification or use costuming. Many pen testers also use radios to communicate with designated points of contact during the exercise.

Cost of Physical Penetration Testing

Costs can vary widely, depending on the scope of the test and the risk pen testers will be exposed to. It’s essential in this case to hire a third party; existing employees are not well-suited to check for certain issues, such as tailgating and other social engineering attacks.

On the low end, physical penetration testing will typically cost around $5,000. However, the total cost could reach or exceed $20,000 if the test is complex or has a high degree of risk.

How Long Physical Penetration Testing Takes

Physical penetration tests usually take two to six weeks, though some tests might take longer. A few days are dedicated to preparation steps, and reconnaissance may take several days or weeks to complete.

The intrusion simulation part of physical penetration testing typically lasts one to three days. However, if multiple locations are involved, you can assume the test will take one to three days per site.

Finally, generating the associated reports can take time. Precisely how long depends on the complexity of the test, but most will require several days of work following the test.

For more information, see our complete guide to the different types of penetration test.

About the Author

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.