Physical Penetration Testing : A Comprehensive Guide

Physical Penetration Testing : A Comprehensive Guide

Long before ethical hackers used an array of fancy software to penetrate a company’s security, humans have been gaining unauthorized access with nothing more than a pair of skilled hands and perhaps a gadget or two.

Physical penetration testing is a form of security audit that involves using one’s own body, as opposed to wholly relying on digital skills, to find and exploit vulnerabilities.

Let’s explore this ability by understanding what it is, the skills and gadgets used to get the job done, the job outlook, and how to gain physical penetration testing experience.

Ready to delve in? Let’s start.

What Is Physical Penetration Testing?

Physical pen testing involves carrying out a pre-approved physical attack on a client’s organization to gauge a client’s physical security measures.

This is a much more hands-on and in-person approach than digital penetration testing, which relies on software and scripts to find and exploit a client’s vulnerabilities.

That said, physical pentesters often use digital penetration testing tools to bypass a company’s security defenses.

Physical pen testers often use a wide range of tools, from traditional lockpicks to modern RFID cloners, to produce a key card that can bypass a company’s physical security.

Why Is Physical Penetration Testing and Physical Security Important?

Long before malevolent hackers exploited a company’s online vulnerabilities, criminals did their dirty work in person.

Even though malicious malware may be making the headlines, criminals today are still more than willing to carry out crimes in person.

Crimes committed when a person physically gains access to a place they should not have access to—which is considered “trespassing” or “break and enter,” depending on the specifics—are still common enough that businesses must take the proper measures to bolster their physical security.

You can hire security guards, use RFID badges and logs to monitor access, and take other measures to create a comprehensive security plan, but you don’t really know how effective your security plan is until it’s put to the test.

You can take a wait-and-see approach or a company can hire a penetration team to find vulnerabilities that can later be resolved.

How Can A Criminal Cause Harm Once Inside A Building

  • Steal sensitive information physically or digitally
  • Destroy or take over the SCADA system so they can control critical infrastructure
  • Connect keystroke injectors or monitors
  • Install malware
  • Set up a fake-twin evil-twin hotspot
  • Connect physically to the internal network for persistent access
  • Supply chain attack

What Do Physical Penetration Tests Look Like?

To carry out a penetration test you don’t simply break into a building and then provide the company with feedback.

The very first step involves being hired and being provided with a company’s legal consent to carry out a penetration test.

Now, consent doesn’t mean you’re free to do whatever you please to achieve your goal. Your client will provide an offensive security team with the scope of work.

The scope details the test's objectives and how you’re allowed to achieve them. Clients may say they don’t want you to cause physical damage, frighten employees, or access highly sensitive information.

Once the legal dos and don'ts of a physical penetration test and the objectives have been laid out, it’s time to get your hands dirty.

The first two stages of a penetration test are reconnaissance and scanning. Here, a team will gather information about the target and probe its weaknesses.

In a physical test, this may look like camping outside the building or using a drone to take note of visible security such as whether the company uses cameras, security guards, the type of locks used on doors, and other measures.

Other low-tech forms of reconnaissance include:

  • Noting how employees are dressed
  • Being aware of when employees leave and re-enter the building for smoke breaks, lunch, etc.
  • Snapping photos of employee badges or credentials
  • Finding out which non-employees often gain physical access to the building

After this initial phase is complete, it’s time to create a vulnerability assessment to better analyze a company's vulnerabilities and decide how the red team wants to penetrate a company’s defenses.

Then, it’s time to exploit the vulnerabilities.

Which vulnerabilities and how they’re exploited will depend on the targets identified in the vulnerability assessment. There are many ways an offensive security team might go about compromising a target.

Some tactics and techniques include:

After you’ve gained access you’ll want to compromise systems and complete the rest of your objectives.

Lastly, you’ll need to create a detailed report of the vulnerabilities you discovered, how you exploited them, and steps the client can take to remedy these vulnerabilities.

Watch the video below to see a real-life physical penetration test. It follows RedTeam Security as it performs a penetration test against a power company.

Only a couple of people at the company will know that you are performing a penetration test. If you’re to be caught, the person who catches you will assume you are a criminal.

This is why it’s crucial that you keep a written letter of consent on you at all times during the test. You should also have the phone number of someone higher up who can be called to vouch for you.  

It’s important that you create an agreed-upon procedure with the client that you will follow should you be caught.

Physical Penetration Testing Skills

So, what ninja penetration testing skills do you need to perform this job effectively? Here’s a brief list of some of the most useful physical penetration testing skills.

  • Lock Picking/Lock Bypassing: You’ll inevitably encounter locks while in the field, being able to bypass them is a crucial skill.
  • Social Engineering: The ability to manipulate a human to get your way is a common tactic used by penetration testers.
  • Surveillance and OSINT: Surveillance and OSINT are tools used during the recon and scanning phases of penetration tests; the more information you gather the more avenues you have to plan your attack.
  • Physical Fitness: You may be required to hop up fences, lift heavy objects, or hide on site for long periods of time.
  • Confidence: This soft skill is vital when carrying out in-person testing as chances are high that you’ll interact with skeptical employees trying to compromise your mission.

Physical Penetration Testing Tools

There are countless tools you could keep in your physical pentesting kit. Some are very expensive and impressive-looking gadgets, while others are much simpler and easier to attain. Here are a few popular items.

Physical Penetration Testing Books

This article serves as a primer on physical penetrating testing. If you want a more in-depth education on the ins and outs of getting in and out of a client’s physical premises, consider reading some of the following physical penetration testing books.

Unauthorised Access: Physical Penetration Testing For IT Security Teams

Unauthorised access

Learn the tactics red teams use to break into facilities to carry out physical penetration testing. This book covers how to plant bugs, neutralize security cameras, find building blueprints, eavesdrop on security channels, and much more.

Find the book here.

Social Engineering: The Science of Human Hacking

social engineering the science of human hacking

A chief component of physical hacking is in-person deception. This book details the most common social engineering tactics that hackers can use to hack humans rather than technical systems. Understand how to find and exploit vulnerabilities in the human psyche to gain access to the information you want.

Find this book here.

How to Get Into Physical Penetration Testing

There are many learning pathways you can take to get into physical penetration testing.

You can take more or less conventional routes to acquire the unique skillset of physical penetration testers.

The most orthodox trajectory starts by having a background in cyber security. Maybe you have mastered some basic cyber security tools, have professional experience, or have obtained cyber security certifications.

Once you have a solid foundation in cyber security you’ll want to specialize in penetration testing. To demonstrate your expertise to employers consider pursuing penetrating testing certifications such as:

While the aforementioned certifications are geared towards digital penetration testing, PenTest+ briefly covers physical pentesting concepts, and penetration testing methodology and report writing are covered to various extents in all four.

Supplement your certifications by learning how physical security controls, systems, and principals work. Read up on popular physical security systems, procedures, and hardware.

Becoming a physical security professional is one of the best ways to learn how to break systems down. You may consider security career paths such as locksmith, security systems installation technician, or security guard.

A professional background in physical security will give you the training and insider knowledge you can then exploit as a member of an offensive security team.

At the very least, formal training in these can help build your resume and skill set.

Learning local and federal laws regarding breaking and entering, trespassing, and unlawful access is also crucial when discussing consent with a client.

Understanding the scope of a project and creating a contractual agreement that considers certain laws is crucial when creating a penetration testing agreement with a client.

It’s also important to fully understand your client’s relationship with the property. For instance, are they the owners, renting, leasing? Does the property owner know about the penetration test?

If you want hands-on physical penetration testing skills right now, consider signing up for a workshop and/or attending a conference such as DEF CON or even IT conferences.

These events may have talks or workshops that will equip you with physical offensive hacking skills, and conference websites often have a list of their training on their websites.

Once you have physical offensive skills under your belt, it’s time to network, brand yourself, and search for roles at security companies that include physical pentesting. 

It’ll be easier to break into a penetration testing role if you can pair your physical skills with digital ones.  

Physical Penetration Testing Jobs and Salaries

It’s exceedingly difficult to find strictly physical penetration testing jobs. Nearly every penetration testing role will require you to have digital penetration testing skills, while physical penetrating skills are often considered secondary.

When we queried red teaming cyber security jobs we found 36,438 positions on ZipRecruiter. Red teaming positions often ask that applicants have physical penetration testing skills.  

Physical penetration testing jobs

The average salary for a penetration tester is $119,895. That of a red team operator—a position that may involve physical pentesting—averages $143,550.

Physical Penetration Testing Certifications

We’ve previously mentioned certifications that cover the digital side of pen testing. These next two certifications focus exclusively on the physical end.

Certified Ethical Social Engineer (CESE)

This certification tests your ability to use social engineering tactics to compromise a company’s defenses. To pass the exam you’ll need to demonstrate a series of social engineering tactics on a target company. You’ll also have access to SECOM’s custom vishing server to help you carry out effective vishing attacks.

This exam costs $999 if you don’t sign up for the class.

Physical Security Professional (PSP)

The Physical Security Professional certification is designed for those who want to learn and demonstrate their understanding of physical security measures. This exam will test your mastery of physical security assessments, designs, applications, implementations, and integrations. To be clear, it’s not an offensive physical penetration certification; however, it’ll still help you break into physical pentesting.


Physical pentesting is all about getting down and dirty to find and exploit physical vulnerabilities.

Physical hackers use an array of skills and tools to achieve their goals. To equip yourself with these tools, you can choose from any number of learning pathways.

What’s certain is that there is no single way to break into this field.

That said, if you’re looking to learn red teaming and penetration testing skills, you may consider joining the StationX Accelerator Program.

Here, you’ll find personalized study road maps, professional career mentorship, support, and access to over 1,000 courses and labs that you can use to find employment as an ethical hacker.

To get started, consider enrolling in the following courses:

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Spencer Abel

    Spencer is part cyber security professional and part content writer. He specializes in helping those attempting to pivot into the vast and always-changing world of cyber security by making complex topics fun and palatable. Connect with him over at LinkedIn to stay up-to-date with his latest content.