
Physical Penetration Testing

Understand the true strength and effectiveness of physical security controls in data centers, offices, substations, critical infrastructure and more


The primary objective of a physical penetration test is to measure the strength of existing physical security controls and uncover their weaknesses before bad actors are able to discover and exploit them. Physical penetration testing, or physical intrusion testing, reveals real-world opportunities for malicious insiders or bad actors to compromise physical barriers (i.e. locks, sensors, cameras, mantraps) in a way that allows unauthorized physical access to sensitive areas, leading to data breaches and system/network compromise.

This type of test is an attack simulation carried out by our highly trained security consultants in an effort to:

  • Identify physical security control flaws present in the environment
  • Understand the level of real-world risk for your organization
  • Help address and fix identified physical security flaws

RedTeam Security physical penetration testers have experience infiltrating some of the most secure environments the same way bad guys would. They leverage this experience to zero in on critical issues and provide actionable remediation guidance.


  • Approach

    Physical Penetration Testing


    RedTeam Security’s physical penetration testing service utilizes a comprehensive, risk-based approach to manually identify critical physical security vulnerabilities that exist across all in-scope facilities.

    1. Information Gathering
    2. Threat Modeling
    3. Vulnerability Analysis
    4. Exploitation
    5. Post-Exploitation
    6. Reporting

    Using this industry-standard approach, RedTeam’s comprehensive method combines the OSSTMM with a proprietary approach developed over the years that includes, but is not limited to: Passive Reconnaissance, Open Source Intelligence (OSINT), Active Reconnaissance (drones, onsite covert observation), Vulnerability Identification, Exploitation, Post-Exploitation and more…


    In order to perform a comprehensive real-world assessment, RedTeam Security utilizes commercial tools, internally developed tools and the same tools that a bad actor might use on each and every assessment. Once again, our intent is to assess systems by simulating a real-world attack, and we leverage the many tools at our disposal to effectively carry out that task.


    We consider the reporting phase to mark the beginning of our relationship. RedTeam strives to provide the best possible customer experience and service. As a result, our report makes up only a small part of our deliverable. We provide clients with an online remediation knowledge base, dedicated remediation staff and a ticketing system to close the ever-important gap in the remediation process following the reporting phase.

    We exist to not only find vulnerabilities, but also to fix them.

    Remediation & Re-testing

    Simply put, our objective is to help fix vulnerabilities, not just find them. As a result, remediation re-testing is always provided at no additional cost.

  • Methodology


    Each and every physical penetration test is conducted consistently using globally accepted and industry-standard frameworks. In order to ensure a sound and comprehensive penetration test, RedTeam leverages industry-standard frameworks as a foundation for carrying out penetration tests. At a minimum, the underlying framework is based on the NIST Special Publication 800 Series guidance and OSSTMM, but goes beyond the initial framework itself.

    Passive Reconnaissance

    The first phase in a physical penetration test is focused on collecting as much information as possible about the target. Passive Reconnaissance, aka Information Gathering, is one of the most critical steps of a physical pen test. This is done through the use of public tools, such as Google Earth. As a result, it is usually possible to learn a great deal about the target’s surroundings and environment without ever contacting the target.

    Open Source Intelligence

    An important phase in a physical penetration test focuses on collecting information that is freely available. Open Source Intelligence Gathering can be quite telling about a target, its people and specifics about the environment. This is done through the use of a different set of public tools, such as social networks, job boards, etc. Through thorough analysis, it begins to paint a picture of the target and its primary operations.

    Active Reconnaissance

    Active Reconnaissance in a physical penetration test generally involves gathering information offline. This often includes telephoning, emailing or otherwise directly querying target staff or vendors of the target for material not available or impossible to obtain through online means. The information obtained will be used to build a better plan as the process progresses.

    Covert Observation

    Covert Observation is exactly what it sounds like. This often includes covert photography of the target up close in an effort to identify physical security controls, as well as monitoring staff as they come and go.

    Attack Planning

    By this time, the information collected in the previous phases is beginning to coalesce. Vulnerabilities, exit points, entrance points, cameras, guards, fences, company technology, staff members and other relevant information are used to begin planning an attack.


    Planning and intelligence gathered by various means by now have morphed into a plan of attack including. Pretexting involves setting the plan into action and ensuring the team’s equipment, transportation and personnel are synchronized and ready to execute.

    Infiltration, Exploitation & Post-Exploitation

    During these phases, the team carries out the plan by exploiting vulnerabilities discovered using information and intelligence captured during the earlier phases of the assessment. Post-exploitation involves penetrating further into the environment and setting up to maintain a persistent backdoor.

  • Deliverable

    Physical Penetration Testing


    At RedTeam Security, we consider the Delivery / Reporting phase to be the most important and we take great care to ensure we’ve communicated the value of our service and findings thoroughly. The deliverable consists of an electronic report that includes several key components including, but not limited to: Executive Summary, Scope, Findings, Evidence, Tools and Methodology. In addition to the report, a raw file in comma-separated value (CSV) format is also provided in an effort to optimize the remediation and management of any identified findings.

    Findings are communicated in a stakeholder meeting and typically presented in-person or virtually via Webex — whichever medium is most conducive for communicating results effectively. During this time, RedTeam Security consultants will walk through the report, in detail, to ensure all findings and their corresponding description, risk rating, impact, likelihood, evidence and remediation steps are thoroughly understood. While this typically involves a single meeting, there is no limitation to that number. The key underlying message is that all information is clearly understood and that a roadmap toward remediation / mitigation is crystal clear.


    Some of the key components to our physical penetration test deliverable include, but are not limited to:

    * Scope
    * Control Framework (i.e. OWASP, PCI, PTES, OSSTMM)
    * Timeline
    * Executive Summary Narrative
    * Technical Summary Narrative
    * Report Summary Graphs
    * Summary of Findings
    * Findings (Description, Business Impact, Recommendation, Evidence, References, CVSS, Risk Rating Calculation)
    * Methodology and Approach
    * Risk Rating Factors
    * Tools

  • FAQ

    Frequently Asked Questions

    Why should I conduct a penetration test?

    A penetration test is a simulated attack from the perspective of a bad actor, such as a malicious hacker. The objective is to simulate a cyber security attack and attempt to uncover security vulnerabilities that might otherwise be discovered by hackers. In doing so, you gain valuable insight into the security posture of your assets and are able to fix them before hackers are able to cause serious damage by exploiting them.

    How long does it take to conduct a physical penetration test?

    The overall time depends on the size and complexity of the in-scope facilities. That said, most tests take anywhere from two weeks to six weeks, start to finish.

    How much does a physical penetration test cost?

    We get this question a lot, and it’s not easy to answer until some level of scoping has been performed. Our scoping process is quick, online and painless. Overall, the number of locations and the objective will ultimately determine the cost. For example, when determining the work effort, we take the following into account: number of target locations, goals, travel between locations, timeframe, etc.
