What really happens when someone walks in. You can write a hundred-page policy on physical security. You can buy badges, cameras, and visitor management software. None of that tells you whether a stranger in a high-visibility vest, carrying a clipboard and a plausible story, will be stopped at your reception on a Wednesday morning. We find out. Real access attempts, real observation, real evidence — delivered with full transparency and zero operational disruption.
Preparation and open-source reconnaissance. We start where adversaries start, with what is already public. Corporate videos on YouTube. LinkedIn posts that reveal workstations. Social media reels with live screens in the background. Third-party supplier pages that document floorplans and interiors. Google Earth and Streetview imagery that maps every entry point and identifies the separation between visitor and goods access. Before we come near your site, we already know more than most of your staff assume a stranger could. Everything we find in public is documented before we touch a door handle.
Pretext and entry. With a credible pretext (typically an electrical or network maintenance engineer) and minimal tools, we attempt physical entry the way real intruders do. No forced locks. No destructive methods. Only the techniques that actually work in practice: confident bearing, plausible paperwork, and the social pressure that makes the person at the front desk decide not to cause a fuss.
On-site execution and observation. Once inside, we move. Production areas, offices, reception, meeting rooms, storage. Sometimes for hours. We test whether strangers get challenged, whether doors get held open for tailgaters, whether unattended workstations sit unlocked with live email sessions on screen, whether USB ports are accessible, and whether the physical segmentation between office and operational zones actually holds under pressure. Every observation is captured live on bodycam (full timeline, photos, video) and delivered fully GDPR-compliant, with faces blurred as standard.
Evidence and structured analysis. Findings are time-stamped and cross-referenced in a chronological evidence table. We score risks quantitatively on likelihood and impact using a one-to-ten scale, and map each finding to the frameworks that matter to your board and your auditors: NIST CSF 2.0, IEC 62443, and ISO 27001. Positive observations are called out explicitly, because maturity improvement starts from what already works, not from a list of everything that does not.
Outcome-focused reporting. Not a hundred-page theoretical document. A concise executive summary your board will actually read. A chronological bodycam evidence timeline that shows what happened, in order, with context. Prioritised, outcome-driven recommendations. A phased roadmap across zero-to-three, three-to-six, and six-plus months. Measurable KPIs and a maturity target, typically moving an organisation from NIST Tier 2 to Tier 3 inside a year. No assumptions. You see exactly where procedures, awareness, and physical controls fail in practice, and you see exactly what to do about it.
Why organisations engage us for this. Physical access is still the fastest path to OT and IT compromise in most mid-market environments. Most of the findings we surface can be closed with simple, inexpensive measures: challenge protocols, visitor logging, awareness training, desk discipline. Board-level and insurance conversations change when you can show objective, filmed evidence rather than a self-assessment. And the audit trail we produce sits cleanly inside NIS2, ISO 27001, and OT-security requirements, which increasingly overlap with physical controls whether organisations have recognised that yet or not.
Ready to know what really happens. We have conducted these tests for organisations that take physical resilience seriously. No demos. No simulations. Real attempts, real footage, real insights. Start with a short scoping call. We discuss realistic boundaries, Rules of Engagement, and expected outcomes within your context.
