Share on:
What we found in two hours:
120 minutes inside the production environment
1 USB connected without intervention
0× challenged during our presence (3 rounds) walked through the office unseen
A physical penetration test in the Dutch mid-market.
With explicit authorization from the board and IT, we ran a physical security test at a Dutch market leader in early 2026. Within two hours we entered the production environment, plugged in a USB, walked the office three times, and left again without anyone asking who we were.
No network scan. No exploit. No alarm. Only a board-level conversation that could no longer be deferred. The full report sets out what we found, why it matters under NIS2, and what a structured response actually delivers.
What you will find inside
What we observed. A chronological account of the test, drawn from two two-hour sessions on a single day. Including the moments where something should have been noticed and was not. Written for everyone in your boardroom no jargon, no assumed background, no security theatre.
Why it matters. The translation from physical observation to governance implication: NIS2 duty of care, supply chain liability, ransomware pathway, reputation exposure. Set against figures from the World Economic Forum Global Risks Report 2026 that show our findings are not an isolated incident, but a pattern the international community is now formally tracking.
What a structured response delivers. Four phases of our methodology, Driven by outcomes: Assess, Design, Deliver, Embed. What you receive in each phase, on what timeline, and how it becomes measurable for your board.
