IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
November 15, 2023

The what and why of physical penetration testing

IFSEC Insider hears from Mike O’Neill, Managing Director at Optimal Risk Group, who provides guidance on the approach to, and security planning of, Physical Penetration Testing (PPT), along with debriefing clients on its results.

How much money does your organisation spend on physical security and raising staff awareness? How effective is it? Why do you spend this money?

Let’s start with the last one. You want to ensure access to your building is only available to staff, invited visitors and approved contractors. The risks posed by unauthorised visitors, or ‘threat actors’, gaining physical access to your or a client’s premises are varied, but include:

  • Theft: Opportunist theft of assets or staff property.
  • Bugging: Placing listening devices in sensitive locations to overhear and obtain private or confidential information.
  • Cyber-Attack: Dropping malware-infected flash drives or obtaining physical access to IT networks to plant malware which can be exploited by external hackers.
  • Targeted Activism: Single-issue activist groups using business premises to bring publicity to their cause and embarrass the organisation by causing damage, painting slogans or hanging banners on buildings.

Many corporate security personnel we speak to are wary about running a PPT on their premises as they fear the results. However, we find that the results of a well-planned PPT programme are valued highly as they represent a “real world” test of the organisation’s security stance.

The structured approach to PPT that Optimal Risk Group (ORG) have developed is explained here:

Client Engagement

In order to maintain confidentiality, we try to limit the number of client personnel who know what is happening to two or three. We engage with a detailed questionnaire to provide the client with as much knowledge of our team’s capability as possible, so that we can agree the scope of the PPT. Part of this process is to define the organisation’s most common or likely threat actors so that the team can replicate their capabilities, behaviours and attacks realistically.

Open Source Research

Our researchers will start gathering data about the organisation and its staff. This includes publicly available material from social media and other sources available to hostile actors. This information is collated to identify potential vulnerabilities, areas for reconnaissance and potential pretext approaches for use during the penetration testing phase. Social engineering may also be used to solicit more useful information.

Reconnaissance

The reconnaissance phase is used to develop more information about potential vulnerabilities identified during the research phase, as well as to identify other vulnerabilities such as busy times and even smokers propping open fire doors. This phase is critical to develop an understanding of how the building operates at all times of day and night, and at weekends. We also seek to understand how visitors, deliveries and contractors are handled, and whether they too can be exploited.

Planning

The research and subsequent reconnaissance will provide us with the information to develop the different approaches we will take. This will include various pretexts, possibly physical scaling of walls and fences or, in some cases, defeat of security systems. This will then decide the final composition of the testing team. We also work in tandem with IT penetration testing teams to see if physical access to the network can allow devices to be planted and allow external exploitation or exfiltration.

Infiltration Tests

The planned tests will take place at different times and are not just focussed on gaining access. At the same time, we also look to access key assets within the organisation. This can involve viewing unlocked computers, entering unlocked server rooms, reading or copying confidential documents left in meeting rooms, or even wheeling out bins for document shredding.

Client Report

Detailed debriefs will be conducted after each penetration attempt. All notes and imagery will be collated to support the preparation of the final report and, once all penetration tests are complete, a detailed report will be compiled.

The report will be balanced and identify good practice and performance of controls as well as the areas where they failed or were lacking. All identified weaknesses will be highlighted even if they did not result in successfully gaining entry.

Where access is gained, the methods used and the vulnerabilities exploited will be detailed along with any imagery or other evidence obtained.

Where appropriate, we will offer recommendations for improvements to physical security and processes, and ideas for raising staff security awareness.

Closing Remarks

Our experience has shown how seemingly well-secured premises can still be vulnerable to security breaches due to small and unnoticed gaps in the infrastructure’s security plan. By testing your resilience, PPT can play a pivotal role in the safety and security of the organisation’s people, buildings, assets, and reputation.
