Prepared by: Anthony Lucas | Published: 09 Apr 2026
Most organisations assume their physical security is working because it appears controlled, documented, and compliant. Doors require badges, cameras are visible, and guards are present — all the expected measures are in place. Yet few organisations test how these controls perform when confronted with real behaviour, social pressure, or a determined individual with a credible reason to be there. This case examines what happens when those assumptions are challenged in a live environment, and how quickly perceived security can diverge from actual risk.
A large, multi-building organisation engaged Triskele Labs to validate whether its physical security controls were effective in practice, not just compliant on paper.
Despite visible controls such as CCTV, RFID access, and on-site guards, consultants gained access to restricted office and OT environments using social engineering and non-destructive techniques.
While controls existed, there was limited testing of how they performed under real-world conditions, particularly where human behaviour influenced outcomes.
Physical Penetration Testing at Triskele Labs is a controlled simulation designed to assess whether an organisation's physical security controls are effective in practice, not just compliant on paper. This includes access systems, surveillance, and the human behaviours that sit behind them.
In this engagement, the client requested a non-destructive test focused on two specific areas: cybersecurity awareness among staff, and challenge culture — whether employees would question or escalate the presence of an unfamiliar individual in a restricted area.
Triskele Labs conducted on-site and digital reconnaissance to evaluate both the technical controls and staff behaviour. Key observations used during the engagement included the layout of the environment, ingress and egress points, the uniforms worn in different areas of the facility, badge layout and format, security guard names, and the physical controls in place such as RFID access. Consultants also identified the ingress points most susceptible to tailgating, based on factors such as staff awareness and how quickly doors closed behind people.
Consultants used controlled social engineering methods, including:
Each technique was low-friction in isolation. Chained together, they demonstrated how small weaknesses compound into significant access.
Once inside, exposed Ethernet ports offered a potential route onto the internal network.
Accessing the OT environment required passing directly through a staffed security checkpoint. Consultants adopted a contractor pretext, supported by high-visibility attire, pre-prepared identification, and a rehearsed explanation designed to withstand scrutiny. When challenged, consultants confidently articulated their purpose and presented badges for inspection.
Consultants adopted a contractor-style identity, supported by:
High-visibility attire
Rehearsed explanations
Pre-prepared identification
Security personnel granted access and left consultants unescorted inside a secured server room.
Physical controls were inconsistently enforced
Human behaviour undermined access control effectiveness
Sensitive environments were accessible without escalation
Physical access created a pathway to cyber compromise
This level of access could have resulted in operational disruption, reputational damage, and financial loss across three areas:
Operational: Unescorted access to OT systems controlling physical infrastructure creates the conditions for operational shutdown, equipment damage, or safety incidents.
Cyber: Physical presence within the server room provided a direct pathway for data theft, ransomware deployment, or long-term persistent access — bypassing perimeter controls entirely.
Reputational and regulatory: A breach of this nature carries notification obligations, potential regulatory consequences, and lasting reputational exposure. Critically, the organisation would have had no indication it had occurred.
Strengthen visitor and contractor governance
Enforce escort protocols in sensitive areas
Improve staff awareness of tailgating risks
Align physical and cyber security governance
Conduct regular real-world security testing
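The tailgating and escort findings above are the kind that physical access logs can surface on a daily basis if they are fed to the same team that watches the cyber telemetry. The following is an added example, not Triskele Labs' tooling or anything from the engagement: it runs three simple checks over a constructed badge-reader and door-sensor log (the log format, door names, badge ids and thresholds are all assumptions) and flags doors held open past the grant window, door openings with no badge grant, and visitor or contractor entries to a sensitive door with no staff badge read nearby.

```python
"""Added example (not the client's or Triskele Labs' code): flag tailgating
indicators and unescorted visitor entries in constructed access-control logs."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    door: str
    kind: str           # grant (badge accepted) | open | close (door contact)
    badge: str | None   # None for door-sensor events
    role: str | None    # staff | visitor | contractor; None for sensor events

# Constructed sample log; the whitespace format "time door kind badge role" is
# an assumption, not a real product's export format. "OT1" is a hypothetical
# door into the OT server room.
SAMPLE_LOG = """\
2026-04-09T08:00:00 D1 grant B100 staff
2026-04-09T08:00:01 D1 open - -
2026-04-09T08:00:04 D1 close - -
2026-04-09T08:05:00 D1 grant B101 staff
2026-04-09T08:05:01 D1 open - -
2026-04-09T08:05:19 D1 close - -
2026-04-09T08:40:00 D1 open - -
2026-04-09T08:40:03 D1 close - -
2026-04-09T09:10:00 OT1 grant V200 contractor
2026-04-09T09:10:01 OT1 open - -
2026-04-09T09:10:05 OT1 close - -
2026-04-09T10:00:00 OT1 grant V201 visitor
2026-04-09T10:00:01 OT1 open - -
2026-04-09T10:00:04 OT1 close - -
2026-04-09T10:00:06 OT1 grant B102 staff
2026-04-09T10:00:07 OT1 open - -
2026-04-09T10:00:10 OT1 close - -
"""

def parse_log(text: str) -> list[Event]:
    """Parse the constructed format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, kind, badge, role = line.split()
        events.append(Event(datetime.fromisoformat(ts), door, kind,
                            None if badge == "-" else badge,
                            None if role == "-" else role))
    return sorted(events, key=lambda e: e.ts)

def held_open(events: list[Event], max_open=timedelta(seconds=10)):
    """Open-to-close intervals longer than max_open. A slow-closing or held
    door is exactly the window in which tailgating happens."""
    findings, pending = [], {}
    for e in events:
        if e.kind == "open":
            pending[e.door] = e.ts
        elif e.kind == "close" and e.door in pending:
            opened = pending.pop(e.door)
            dur = e.ts - opened
            if dur > max_open:
                findings.append((e.door, opened.isoformat(), int(dur.total_seconds())))
    return findings

def open_without_grant(events: list[Event], grace=timedelta(seconds=5)):
    """Door openings with no accepted badge on that door shortly before:
    a propped, forced, or released-from-inside door."""
    grants = [e for e in events if e.kind == "grant"]
    findings = []
    for e in events:
        if e.kind != "open":
            continue
        covered = any(g.door == e.door and timedelta(0) <= e.ts - g.ts <= grace
                      for g in grants)
        if not covered:
            findings.append((e.door, e.ts.isoformat()))
    return findings

def unescorted_entries(events: list[Event], sensitive=frozenset({"OT1"}),
                       window=timedelta(seconds=60)):
    """Visitor/contractor grants at a sensitive door with no staff grant on
    the same door within the window: an escort-protocol check, not proof."""
    grants = [e for e in events if e.kind == "grant"]
    findings = []
    for g in grants:
        if g.door not in sensitive or g.role not in {"visitor", "contractor"}:
            continue
        escorted = any(s.door == g.door and s.role == "staff"
                       and abs(s.ts - g.ts) <= window for s in grants)
        if not escorted:
            findings.append((g.door, g.badge, g.role, g.ts.isoformat()))
    return findings

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("held open:", held_open(ev))
    print("open without grant:", open_without_grant(ev))
    print("unescorted:", unescorted_entries(ev))
```

The thresholds are deliberately crude; the point is that these three signals already exist in most RFID systems and door contacts, and routing them to the SOC turns "no indication it had occurred" into an alert with a door, a time and a badge to follow up.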
After a brief review, security personnel granted access and left the consultants unattended inside the operational technology server room with the door closed. This level of access could have resulted in significant compromise of, or damage to, the IT and OT environments, including significant reputational, operational and financial consequences.
Senior Offensive Consultant, Triskele Labs