Prepared by: Anthony Lucas
Published: 09 Apr 2026
When Physical Security Fails Under Real-World Pressure
The Gap Between Perceived and Actual Security
Most organisations assume their physical security is working because it appears controlled, documented, and compliant. Doors require badges, cameras are visible, and guards are present — all the expected measures are in place. Yet few organisations test how these controls perform when confronted with real behaviour, social pressure, or a determined individual with a credible reason to be there. This case examines what happens when those assumptions are challenged in a live environment, and how quickly perceived security can diverge from actual risk.
Summary Snapshot
Engagement Overview
A large, multi-building organisation engaged Triskele Labs to validate whether its physical security controls were effective in practice, not just compliant on paper.
Key Findings
Despite visible controls such as CCTV, RFID access, and on-site guards, consultants gained access to restricted office and OT environments using social engineering and non-destructive techniques.
Situation
Security Posture
The organisation had implemented standard physical security measures aligned with compliance expectations, including controlled access points, surveillance, and staff security. The Gap
While controls existed, there was limited testing of how they performed under real-world conditions, particularly where human behaviour influenced outcomes.
Objective
Physical Penetration Testing at Triskele Labs is a controlled simulation designed to assess whether an organisation's physical security controls are effective in practice, not just compliant on paper. This includes access systems, surveillance, and the human behaviours that sit behind them.
In this engagement, the client requested a non-destructive test focused on two specific areas: cybersecurity awareness among staff, and challenge culture — whether employees would question or escalate the presence of an unfamiliar individual in a restricted area.
Investigation
Reconnaissance Approach
Triskele Labs conducted on-site and digital reconnaissance to evaluate both the technical controls and staff behaviour. Key observations leveraged during the engagement included layout of the environment, ingress and egress points, distinctions in uniform worn in different areas of the facility, badge layout and format, security guard names as well as physical controls in place such as RFID. Additionally, consultants recognised ingress points which could be more susceptible to successful tailgating attempts based on factors including staff awareness and the speed at which doors closed.
Observed Weaknesses
- Staff regularly held access-controlled doors open for individuals behind them, treating secured entry points as transitional rather than restricted boundaries
- Unfamiliar individuals near access points went unchallenged by both staff and security personnel
- Physical controls such as RFID and CCTV were prominent, but their effectiveness depended heavily on staff behaviour to function as intended
Approach
Initial Access Techniques
Consultants used controlled social engineering methods, including:
- Badge recreation using publicly available images
- Tailgating into executive offices, construction areas and staff rooms
- Abuse of unprotected service elevators, allowing traversal to restricted floors and employee-only areas
- Extended movement through restricted areas without detection
- Identification of physical artefacts — badge formats, uniform distinctions, staff access patterns — that would have supported persistence in a genuine attack scenario
Each technique was low-friction in isolation. Chained together, they demonstrated how small weaknesses compound into significant access.
Network Access Opportunity
Access to exposed Ethernet ports enabled potential internal network connectivity once inside.
Targeting the OT Environment
Accessing the OT environment required passing directly through a staffed security checkpoint. Consultants adopted a contractor pretext, supported by high-visibility attire, pre-prepared identification, and a rehearsed explanation designed to withstand scrutiny. When challenged, consultants confidently articulated their purpose and presented badges for inspection.
Pretext and Execution
Consultants adopted a contractor-style identity, supported by:
-
High-visibility attire
-
Rehearsed explanations
-
Pre-prepared identification
Security personnel granted access and left consultants unescorted inside a secured server room.
Outcomes
Key Risks Identified
-
Physical controls were inconsistently enforced
-
Human behaviour undermined access control effectiveness
-
Sensitive environments were accessible without escalation
-
Physical access created a pathway to cyber compromise
Business Impact
This level of access could have resulted in operational disruption, reputational damage, and financial loss across three areas:
Operational: Unescorted access to OT systems controlling physical infrastructure creates the conditions for operational shutdown, equipment damage, or safety incidents.
Cyber: Physical presence within the server room provided a direct pathway for data theft, ransomware deployment, or long-term persistent access — bypassing perimeter controls entirely.
Reputational and regulatory: A breach of this nature carries notification obligations, potential regulatory consequences, and lasting reputational exposure. Critically, the organisation would have had no indication it had occurred.
Recommendations
-
Strengthen visitor and contractor governance
-
Enforce escort protocols in sensitive areas
-
Improve staff awareness of tailgating risks
-
Align physical and cyber security governance
-
Conduct regular real-world security testing
Quote
Team member Testimonial
After a brief review, security personnel granted access and left the consultants unattended inside the operational technology server room with the door closed. This level of access could’ve resulted in significant compromise or damage of the IT and OT environments, including significant reputational, operational and financial consequences.
Senior Offensive Consultant, Triskele Labs
Related Services
Core Capabilities
-
Red Teaming
-
Physical Security Assessments
-
Social Engineering
-
Digital Forensics and Incident Response
-
Security Operations Centre (SOC)
Assess your exposure to physical and social engineering threats
Identify how attackers could bypass your controls and access critical environments.