Physical Security: 3 Attack Paths Your EDR Can't See
8 Minutes in the Louvre
In October 2025, four men needed eight minutes in the Louvre. Ladder, angle grinder, display case open, out through the window, gone. No camera, no alarm system, no security guard stopped it.
In banks, insurance companies and software houses, things don't run fundamentally differently. Only the target is different. Instead of a display case, a server room; instead of a piece of jewellery, a workstation with domain admin rights. Instead of eight minutes, a few hours.
At slashsec, we test exactly these paths. What we see can be summed up briefly: the digital defences of many organisations are remarkably good today. The physical ones are remarkably bad.
What Your EDR Doesn't See
Your security tools are built for a particular world. Networks, endpoints, identities, anomalies in traffic. SIEM, EDR, identity governance, vulnerability scanners, phishing training. As long as the attacker comes from that world, these tools work well.
But the moment someone comes in not through the network but through the door, the roof or the window, they are outside these tools' detection space. EDR isn't blind here; it simply isn't responsible. It's not an endpoint agent's job to spot a stranger in the delivery area or notice an open skylight above a stairwell.
Three Paths from Three Industries
The following three cases come from different sectors: finance, software, industry. All three are described in anonymised form, and all three are scenarios we have run multiple times in exactly this or very similar form. What unites them is the outcome. In every case, the physical door was open long before a single packet crossed the network.
Path 1: Side Entrance, Key Safe, Full Access
Thursday, shortly after half past nine in the evening. A side entrance at the rear of a multi-storey office building. On the inside sits a lever handle that opens without a card or code in an emergency, as fire safety regulations require.
On doors like this, we usually use a door handle hook. That's a long tool with an angled tip that we feed through the gap between door and frame to press the inside handle down. After a good 20 seconds, the door opens. We're in.
In the ground-floor corridor stands an open door labelled "Staff Room", behind it a key safe. A standard model with a 4-digit code that has never been changed since installation and is still set to the factory default of 1234. Inside the safe lies the complete master key set, neatly labelled by floor and area.
What happens next is routine. We walk through the offices, the conference rooms and the area with the network equipment cabinets. We take photos, leave a proof-of-access USB stick in an unlocked workstation, lock the safe again and hang the keys back. At 23:14 we leave the building through the same entrance.
In just under two hours inside the building, nothing triggered. The safe access wasn't logged either — the model has no audit function.
What helps: A brush seal in the gap of the side entrance door. Your own code on the key safe, not the factory default. Ideally a safe model with an audit trail. None of these measures needs a project of its own.
Path 2: The Unlocked Laptop After Hours
A DACH software house with a hardened digital pipeline. Signed builds, branch protection, code reviews, certified CI/CD workflows. Clean at the whiteboard level.
We pick the main building as the target and start the assessment at 19:45, one hour after the official end of the working day. Reception is unstaffed, the cleaning crew is in the building. We follow a cleaning trolley through the underground car park gate and take the lift to the third floor.
Within 40 minutes, we find the following:
- Three unlocked laptops on desks, all three with an active domain session
- A master key in the trolley of a cleaner who has no access card of their own
- A whiteboard in the conference room with the complete cloud architecture and three API endpoints
- A sticky note on a monitor with a service account password
This organisation's digital defences are excellent. The physical side operates at an entirely different level of maturity.
What helps: Automatic screen locks after five minutes of inactivity via Group Policy. Dedicated access cards for the cleaning staff instead of master keys. A monthly clean-desk spot audit. All of it achievable within 30 days.
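The screen-lock recommendation is the one item in this list that can be verified from a script rather than by walking the floor. The following audit is an added example, not slashsec tooling: it reads the registry values that the two relevant Group Policy settings write ("Interactive logon: Machine inactivity limit" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the screen-saver settings under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop) and checks them against a five-minute limit. The function names and the 300-second threshold are my choices; the registry locations and value names are the documented policy-backed ones.

```python
"""Audit Windows screen-lock policy against a five-minute idle limit.

Added example (not the post's or slashsec's code). Policy-backed registry values:
  HKCU\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop
      ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut   (REG_SZ, seconds)
  HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
      InactivityTimeoutSecs   (REG_DWORD, "Interactive logon: Machine inactivity limit")
evaluate_lock_policy() is platform-independent so it can be run over exported values;
read_live_values() needs the winreg module and therefore Windows.
"""
import sys

MAX_IDLE_SECONDS = 300  # the five minutes recommended above (assumed threshold)

USER_KEY = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
MACHINE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def evaluate_lock_policy(values):
    """Return a list of findings; an empty list means the policy is compliant.

    `values` maps registry value names to their data, for example
    {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1",
     "ScreenSaveTimeOut": "300", "InactivityTimeoutSecs": 300}.
    A missing name means the value is not configured.
    """
    # Machine-level limit: locks the session regardless of user settings.
    machine_limit = values.get("InactivityTimeoutSecs")
    machine_ok = isinstance(machine_limit, int) and 0 < machine_limit <= MAX_IDLE_SECONDS

    # User-level path: screen saver must be on, password-protected and within the limit.
    active = str(values.get("ScreenSaveActive", "0")) == "1"
    secure = str(values.get("ScreenSaverIsSecure", "0")) == "1"
    try:
        timeout = int(values.get("ScreenSaveTimeOut", "0"))
    except ValueError:
        timeout = 0
    user_ok = active and secure and 0 < timeout <= MAX_IDLE_SECONDS

    if machine_ok or user_ok:
        return []

    findings = []
    if not isinstance(machine_limit, int) or machine_limit <= 0:
        findings.append("InactivityTimeoutSecs not set: machine inactivity limit is disabled")
    else:
        findings.append(f"InactivityTimeoutSecs={machine_limit} exceeds {MAX_IDLE_SECONDS}s")
    if not active:
        findings.append("ScreenSaveActive is not 1: screen saver policy disabled")
    if not secure:
        findings.append("ScreenSaverIsSecure is not 1: screen saver does not lock the session")
    if not 0 < timeout <= MAX_IDLE_SECONDS:
        findings.append(f"ScreenSaveTimeOut={timeout} is not within 1..{MAX_IDLE_SECONDS}s")
    return findings


def read_live_values():
    """Read the four values from the live registry (Windows only)."""
    import winreg  # only available on Windows
    values = {}
    for root, path, names in (
        (winreg.HKEY_CURRENT_USER, USER_KEY,
         ("ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut")),
        (winreg.HKEY_LOCAL_MACHINE, MACHINE_KEY, ("InactivityTimeoutSecs",)),
    ):
        try:
            with winreg.OpenKey(root, path) as key:
                for name in names:
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not configured
        except FileNotFoundError:
            pass  # policy key absent: nothing configured under it
    return values


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on a domain-joined Windows workstation")
    problems = evaluate_lock_policy(read_live_values())
    print("compliant" if not problems else "\n".join(problems))
```

Either path counts as compliant on its own, because the machine inactivity limit locks the workstation even where no user screen-saver policy is applied. Running the script on a handful of workstations in the open-plan office tells you whether the Group Policy is actually landing, which is the question a clean-desk spot audit cannot answer.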
Path 3: Drone, Roof Hatch, Server Room
An industrial company with a large main site. We fly a drone over the premises on a Sunday. The footage shows a permanently open skylight above a stairwell in the annex building. From the ground, it isn't visible.
A week earlier, we had already been on site during the day, tailgating a supplier through the main entrance into the office wing. On a desk in the open-plan office lies an unattended access card. Five seconds with a handheld reader and we're back outside. The card is a Mifare Classic, a card type considered broken since 2008.
Sunday, shortly after midnight. We climb onto the roof of the annex via an adjacent multi-storey car park. During the day, reception would be staffed and employees would take notice of strangers in the server room wing. At night, the building is empty apart from the security service.
We abseil through the skylight into the stairwell and walk three floors down to the basement. A fire door stands open, wedged with a doorstop, presumably for the afternoon airing. The server room sits at the end of the corridor. Our clone opens the door.
Inside, we plant a mini PC, roughly the size of a cigarette packet, with a built-in 4G modem. We attach it to a machine in the room and connect it to the internal network. From that moment, we have a tunnel into the internal network that leaves the building over the mobile network. Firewall, proxy and SIEM are completely bypassed. Three minutes of photo documentation, then out the same way. The entire operation took 47 minutes. Nobody reacted.
What helps: Roof inspections every six months and a migration away from Mifare Classic.
Five Uncomfortable Questions
In each of the three cases above, at least one of the following questions was the decisive one: master keys in Path 1 and Path 2, card readers in Path 3, alarms and response time in Path 1 and Path 3.
Is every visitor at your organisation really registered? Not just sign-ins at reception. External contractors, postal deliveries, cleaning, catering, suppliers too. Where is the line between "registered" and "got in somehow"?
Are your card readers protected against cloning? Mifare Classic and EM4100 can be read out in seconds with devices costing under 200 euros, often while the card is still in the outer pocket of a suit jacket. Any installation still relying on Mifare Classic is effectively clonable. Anyone who hasn't defined a migration path away from it should do so now at the latest.
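Until the migration is done, the access-control system's own event log is the place where the three paths above leave traces: a door contact that opens with no card read or request-to-exit before it (the side entrance in Path 1), one card number accepted at two sites faster than anyone could drive between them (a cloned card in use alongside the original), and grants at night or on weekends that nobody reviews. The following detection pass is an added example and not slashsec's code; the log format, site names, card numbers and travel times are constructed for the illustration, so parse_line() is the part to adapt to a real PACS export.

```python
"""Review physical access-control (PACS) events for three indicators:
door opened without a credential, one card at two sites too fast (clone
indicator), and after-hours grants. Added example over a constructed format.

Event lines (constructed): <ISO-8601 timestamp> <EVENT> key=value ...
  EVENT is GRANT (card accepted), REX (request-to-exit) or DOOR_OPEN (door contact)
"""
from datetime import datetime, timedelta

# Constructed sample, mirroring the paths above: a Thursday-evening side door that
# opens with no read, one card accepted at two sites an hour's drive apart within
# 20 minutes, and a Sunday-night server room grant.
SAMPLE_LOG = """\
2025-11-06T09:02:11 GRANT card=4F3A21 door=MAIN site=HQ
2025-11-06T09:02:12 DOOR_OPEN door=MAIN site=HQ
2025-11-06T09:20:40 GRANT card=4F3A21 door=WAREHOUSE site=PLANT
2025-11-06T09:20:41 DOOR_OPEN door=WAREHOUSE site=PLANT
2025-11-06T17:58:03 REX door=MAIN site=HQ
2025-11-06T17:58:04 DOOR_OPEN door=MAIN site=HQ
2025-11-06T21:31:40 DOOR_OPEN door=SIDE-REAR site=HQ
2025-11-06T23:14:02 REX door=SIDE-REAR site=HQ
2025-11-06T23:14:03 DOOR_OPEN door=SIDE-REAR site=HQ
2025-11-09T00:07:55 GRANT card=7B19C0 door=SERVER-ROOM site=PLANT
2025-11-09T00:07:56 DOOR_OPEN door=SERVER-ROOM site=PLANT
"""

# Constructed minimum travel time between sites, in minutes (assumption for the example).
TRAVEL_MINUTES = {frozenset({"HQ", "PLANT"}): 60}

CREDENTIAL_WINDOW = timedelta(seconds=10)  # a door should open only this soon after a grant/REX
BUSINESS_HOURS = (7, 20)                   # 07:00 to 20:00, Monday to Friday (assumed)


def parse_line(line):
    """Turn one constructed event line into a dict with a parsed timestamp."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields


def after_hours(ts):
    return ts.weekday() >= 5 or not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def analyse(log_text):
    """Return a list of human-readable findings for the given log text."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []

    # Rule 1: door contact opened with no grant or REX on that door shortly before.
    for i, ev in enumerate(events):
        if ev["event"] != "DOOR_OPEN":
            continue
        authorised = any(
            prev["event"] in ("GRANT", "REX")
            and prev["door"] == ev["door"]
            and ev["ts"] - prev["ts"] <= CREDENTIAL_WINDOW
            for prev in events[:i]
        )
        if not authorised:
            findings.append(f"{ev['ts']} door {ev['door']} opened without credential or REX")

    # Rule 2: the same card accepted at two sites faster than the travel time allows.
    last_grant = {}
    for ev in events:
        if ev["event"] != "GRANT":
            continue
        prev = last_grant.get(ev["card"])
        if prev and prev["site"] != ev["site"]:
            needed = TRAVEL_MINUTES.get(frozenset({prev["site"], ev["site"]}), 0)
            gap = (ev["ts"] - prev["ts"]).total_seconds() / 60
            if gap < needed:
                findings.append(
                    f"{ev['ts']} card {ev['card']} accepted at {ev['site']} {gap:.0f} min "
                    f"after {prev['site']} (travel needs {needed} min): possible clone")
        last_grant[ev["card"]] = ev

    # Rule 3: grants at night or on weekends go on the review list.
    for ev in events:
        if ev["event"] == "GRANT" and after_hours(ev["ts"]):
            findings.append(f"{ev['ts']} after-hours grant for card {ev['card']} at {ev['door']}")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Rule 1 only works on doors that have a door contact but no reader-side REX wired to the inside handle; on a door whose handle itself signals REX, an opening from the inside looks legitimate in the log, which is one more reason the fix for the side entrance in Path 1 is closing the gap rather than better logging. Rule 2 is the one check that catches a cloned card while the legitimate holder is still using the original; it needs nothing more than a table of minimum travel times between your sites.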
Where are your master keys? Cleaning staff, facility management, security service — who else has one? Are the keys being passed on to subcontractors without your knowledge?
Do your alarm systems work, and are they tested regularly? When was the last time? With a real trigger or with the function-test button? Does the security service actually respond, or does the alarm sit in a list that nobody reads any more?
How long is the response time from trigger to the first person on site? We measure this. The most sobering numbers usually come at night and on weekends.
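Measuring the response time is the part of these two questions that can be automated from the alarm receiving centre's export. The script below is an added example, not slashsec's method: it pairs each trigger with the first "person on site" event, keeps function-test triggers out of the statistics so they cannot flatter the numbers, and reports the median and worst case separately for business hours and for nights and weekends. The event format, incident ids and times are constructed for the example.

```python
"""Measure alarm response time from trigger to first person on site.

Added example (not the post's code). Function-test triggers are counted but
excluded from the response statistics, because the test button proves the panel
works, not that anyone comes. Constructed event format:
  <ISO-8601 timestamp> <incident id> <TRIGGER|ACK|ONSITE> [source=test|sensor|manual]
"""
from datetime import datetime
from statistics import median

# Constructed sample: one function test, one daytime alarm attended in nine
# minutes, two night/weekend alarms attended after roughly 50 minutes, and one
# Sunday-night alarm that was acknowledged but never attended.
SAMPLE_EVENTS = """\
2025-11-04T10:15:00 A1 TRIGGER source=test
2025-11-04T10:15:40 A1 ACK
2025-11-04T10:19:10 A1 ONSITE
2025-11-05T14:02:00 A2 TRIGGER source=sensor
2025-11-05T14:03:30 A2 ACK
2025-11-05T14:11:00 A2 ONSITE
2025-11-06T21:31:45 A3 TRIGGER source=sensor
2025-11-06T21:40:00 A3 ACK
2025-11-06T22:23:00 A3 ONSITE
2025-11-09T00:08:10 A4 TRIGGER source=sensor
2025-11-09T00:31:00 A4 ACK
2025-11-09T01:02:00 A4 ONSITE
2025-11-09T03:40:00 A5 TRIGGER source=sensor
2025-11-09T03:55:00 A5 ACK
"""


def parse_events(text):
    """Group event lines by incident id: {id: {"trigger": ts, "ack": ts, "onsite": ts, "source": s}}."""
    incidents = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ident, kind, *rest = line.split()
        inc = incidents.setdefault(ident, {"source": "unknown"})
        inc[kind.lower()] = datetime.fromisoformat(ts)
        for pair in rest:
            key, value = pair.split("=", 1)
            inc[key] = value
    return incidents


def is_after_hours(ts):
    # Business hours assumed as 07:00 to 20:00, Monday to Friday.
    return ts.weekday() >= 5 or not 7 <= ts.hour < 20


def minutes(start, end):
    return (end - start).total_seconds() / 60


def summarise(text):
    """Return response-time statistics split into business and after-hours buckets."""
    incidents = parse_events(text)
    buckets = {"business": [], "after_hours": []}
    unattended, tests = [], 0
    for ident, inc in sorted(incidents.items()):
        if "trigger" not in inc:
            continue  # ACK/ONSITE without a trigger: export artefact, skip
        if inc["source"] == "test":
            tests += 1
            continue
        if "onsite" not in inc:
            unattended.append(ident)  # acknowledged or not, nobody turned up
            continue
        bucket = "after_hours" if is_after_hours(inc["trigger"]) else "business"
        buckets[bucket].append(minutes(inc["trigger"], inc["onsite"]))
    report = {"tests": tests, "unattended": unattended}
    for name, values in buckets.items():
        report[name] = {
            "count": len(values),
            "median_minutes": round(median(values), 1) if values else None,
            "max_minutes": round(max(values), 1) if values else None,
        }
    return report


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The unattended list is the figure to look at first: an alarm that was acknowledged and then sat in a list is exactly the failure mode the previous question describes, and no median will show it. Run over a quarter's worth of real events rather than the constructed sample, the after-hours bucket is where the sobering numbers tend to appear.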
At most organisations, at least one of these questions has an uncomfortable answer.
Why This Is Now Becoming a Regulatory Issue
Until 2024, physical security was a fringe compliance topic for most CISO organisations. There were ISO 27001 Annex A controls, there were internal audits, but rarely a real stress test.
With DORA, NIS2 and the growing adoption of TIBER-AT, that is changing. None of these frameworks explicitly mandates a physical security assessment. But all three demand a holistic approach to operational resilience and risk management. Physical security is an integral part of that.
TIBER-AT explicitly allows physical attack vectors as part of a threat-led penetration test. Anyone planning a TIBER-AT-compliant test cannot avoid an honest evaluation of the physical side. Anyone writing a DORA-compliant risk report shouldn't dismiss the physical vector as "possible unauthorised access" without ever having tested it for real.
What to Do?
A physical security assessment is a stress test under real conditions, not a checklist exercise. What you have in hand afterwards:
- An honest inventory of what holds and what only appears to hold
- Prioritised recommendations with quick wins and medium- to long-term investments
- Photo and video material for internal training and awareness
The total duration is typically between two and six weeks. Typical budgets range between 13,000 and 18,000 euros per site. That is considerably less than a single successful attack would cost.
If you need more detail, our physical security assessment page has a concrete methodology overview including day and night assessment scenarios. If you want to place it in the DACH context, there are regional provider overviews for Austria, Germany and Switzerland.
Conclusion
Four men needed eight minutes in the Louvre. We needed 104 minutes in an office building, 40 minutes in a software office, 47 minutes on an industrial site. Path 3 looks spectacular, and that's exactly why real attackers rarely choose it first. There's usually a cheaper way in.
The more common paths are the unspectacular ones. An open door. A forgotten key. A card lying in the open on a desk. No zero-day, no insider, no forensic artistry.
The digital defences of many organisations are solid. The physical side has had ten years less attention than the digital one. If you want to change that, you need to have your physical paths tested from the outside, under real conditions, once a year.
Want to know what a physical security assessment would look like in your organisation? Schedule a free 30-minute consultation. We'll discuss scope, methodology and budget with no obligation.