Physical Penetration Testing Methodology


Learn more about our methodology and the steps used in our physical security penetration testing engagements


Each and every physical penetration test is conducted consistently using globally accepted and industry standard frameworks which help make up our physical pentesting methodology. In order to ensure a sound and comprehensive physical security test, RedTeam leverages industry standard frameworks as a foundation for carrying out penetration tests. At a minimum, the underlying framework is based on the NIST Special Publication 800 Series guidance and OSSTMM but goes beyond the initial framework itself.


Physical Penetration Testing Steps

Passive Reconnaissance

The first phase in a physical penetration test is focused on collecting as much information as possible about the target. Passive Reconnaissance, aka Information Gathering, is one of the most critical steps of a physical pen test. This is done through the use of public tools, such as Google Earth. As a result, it is usually possible to learn a great deal about the target’s surroundings and environment.

Open Source Intelligence

An important step in a physical penetration test focuses on collecting information that is freely available. Open Source Intelligence Gathering can be quite telling about a target, its people and specifics about the environment. This is done through the use of a different set of public tools, such as social networks, job boards, etc. Through thorough analysis, it begins to paint a picture of the target and its primary operations.

Active Reconnaissance

Active Reconnaissance in a physical penetration test generally involves gathering information offline. This often includes telephoning, emailing or otherwise directly querying target staff or vendors of the target for material not available or impossible to obtain through online means. The information obtained will be used to build a better plan as the process progresses.

Covert Observation

Covert Observation is exactly what it sounds like. This often includes covert, up-close photography of the target in an effort to identify physical security controls, along with observation of staff as they come and go.

Attack Planning

By this time, the information collected in the previous phases has begun to coalesce. Vulnerabilities, exit points, entrance points, cameras, guards, fences, company technology, staff members and other relevant information are used to begin planning an attack.

Pretexting

By now, the planning and the intelligence gathered by various means have merged into a plan of attack. Pretexting involves setting the plan into action and ensuring the team’s equipment, transportation and personnel are synchronized and ready to execute.

Infiltration, Exploitation & Post-Exploitation

During these phases, the team carries out the plan by exploiting vulnerabilities discovered using information and intelligence captured during the earlier phases of the assessment. Post-exploitation involves penetrating further into the environment and setting up to maintain a persistent backdoor.
