Physical Security Assessments

We test whether unauthorised people can get into your buildings, data centres and security areas, before someone with real intent does. As a specialised offensive security company based in Vienna, we test locking systems, access controls, alarm systems and the people behind them, with realistic intrusion scenarios across Austria, Germany and Switzerland.

What a physical security assessment is

A physical security assessment is a realistic intrusion and access test: we check whether unauthorised people can physically get into your company's buildings, data centres or security areas, and we document in detail where people, processes or technology fail.

Most security budgets flow into endpoint detection, SIEM platforms, phishing training and vulnerability scans. But your EDR does not see an attacker who comes in through the side entrance: whoever is physically standing inside the building has already bypassed half of the digital defences. An attacker who walks unnoticed into a conference room needs neither a zero-day nor a sophisticated phishing lure. They plug an inconspicuous USB stick into a printer, place a network implant behind a desk or photograph the product roadmap off the whiteboard.

Physical security protects not just buildings, but also employees, sensitive information and valuable assets. We find the weaknesses before they can be exploited.

What we test

An assessment by slashsec is not a checklist exercise. We proceed like a professional attacker, with physical methods and social engineering blending seamlessly into each other.

Tailgating and on-site social engineering

Tailgating through secured entrances remains one of the most successful methods of getting past gates and turnstiles: with a stack of pizza boxes, a toolbox or simply a friendly smile at the right moment. On-site social engineering works above all with a plausible cover story, as an external technical contractor briefly checking the printer on the third floor, as an IT intern on their first day or as an auditor with a clipboard and forged credentials. Most employees want to be helpful, and exactly that is turned against the organisation.

Access controls and badge cloning

We test card readers, security gates and turnstiles as well as the processes behind them. Many companies still rely on RFID technologies such as Mifare Classic or EM4100, which can be read out within seconds using devices that cost less than 200 euros, often while the card is still in the outer pocket of a jacket. A cloned card then opens every door the original is authorised for.

Lock picking and bypass techniques

We open doors and locks with non-destructive methods such as lock picking, bumping and bypass techniques. This shows that even high-quality locking systems can be defeated without leaving traces, and which areas stand open afterwards: server rooms, archives, critical infrastructure.

Hardware implants and rogue devices

Once we are inside the building, the focus shifts to persistence. We place inconspicuous hardware such as mini computers, disguised USB adapters or manipulated keyboards at employee workstations, printers or conference room infrastructure. These devices establish an encrypted connection back to us and provide access to the internal network, without any external phishing wave. In addition, we use keyloggers on endpoints, access openly visible documents and, on request, place simulated listening devices in conference rooms or board offices: not to actually eavesdrop, but to prove whether such devices would be noticed during a routine sweep. The final test is often the simulated theft of laptops, hard drives or backup tapes. What matters is not whether it succeeds, but whether, when and by whom it is noticed.

Day and night scenarios

Attacker profiles and protective measures differ fundamentally depending on the time of day, which is why we deliberately separate two scenarios. A day assessment focuses on people and processes: tailgating, social engineering, badge cloning and exploiting human helpfulness, while the reception is staffed and the building is full of people. A night assessment focuses on the physical protective measures: lock picking, bypass techniques, sensors and above all the alarm chain. We deliberately trigger alarms and measure whether the guard service actually responds, whether the police are informed and how long it takes from the trigger to the first person on site. This response-time measurement is often the most sobering finding of the entire assessment, and at the same time the one with the greatest leverage for concrete improvements. Anyone who only tests during the day systematically overlooks the hours between 18:00 and 06:00.

How an assessment runs

Scoping and rules of engagement

Every engagement starts with a clearly defined scope: Which sites? Which time windows? Which methods are approved, which are excluded? Which red flags trigger an immediate abort? These rules of engagement are agreed in writing and form the basis of the entire assessment, including a get-out-of-jail letter for our testers.

Reconnaissance

Before we even get close to a building, we map the site, on request also from the air. Drone footage reveals open roof hatches, unsecured light wells, poorly observed rear courtyards, parking areas without camera coverage or supplier entrances that stand permanently open during the day. In almost every assessment we find at least one weakness in the perimeter this way that was not visible from the ground.

Execution

During the test phase we combine the approved scenarios into one continuous attack chain under real conditions. You have a named contact on the slashsec team throughout, and we send a compact daily report on the activities carried out, without giving away the result. The outcome is not an abstract risk score but a concrete narrative: we came in through the north window at 22:47, stood in the server room at 23:14, and nobody reacted.

Report and debrief

After completion you first receive an executive summary with the key findings, followed by the detailed technical report and the management debrief. The total duration of a typical assessment is between two and six weeks, depending on the number of sites and the depth of the tests.

For an overview of the provider landscape and selection criteria, see our guide to physical security providers in Austria and the DACH region.

Combining physical access with red teaming

A physical security assessment can run on its own or as a building block of a broader red teaming assessment. In combination, the physical intrusion often delivers the decisive initial access: the planted network implant becomes the starting point for the digital attack, a path that purely digital tests cannot reproduce.

The two disciplines also interlock from a regulatory perspective. DORA and NIS2 demand a holistic approach to operational resilience and risk management, and physical security is an integral part of that. TIBER-AT explicitly allows physical attack vectors as part of a threat-led penetration test.

What you get

  • Detailed report: every finding with a risk rating, CVSS-oriented and adapted to physical contexts, including photo and video documentation of each weakness. Readable for security leads, management and auditors.
  • Prioritised recommendations: no generic textbook advice, but measures for exactly your sites. Often with quick wins that can be implemented within days, plus mid- to long-term investments with a clear business case.
  • Management debrief: a personal presentation of the key findings for leadership and the CISO.
  • Awareness material: on request, photo and video material from the assessment, prepared for internal training. Employees react differently when they see material from their own building instead of generic examples from the internet.

Frequently asked questions

What is the difference between a physical security assessment and red teaming?

A physical security assessment tests buildings, access systems and physical security processes. Red teaming pursues an overarching objective and combines technology, social engineering and physical access into one continuous attack chain. In combination, the physical intrusion often delivers the initial access that the digital attack starts from. You can also commission a physical security assessment on its own if you want to test your sites specifically.

Is a physical security assessment legal, and how is it authorised?

Yes, as long as it is approved by the rightful client, typically the management or the CISO, and contractually secured. Before every assessment we agree written rules of engagement: sites, time windows, approved methods and abort criteria. In addition, the testers carry a get-out-of-jail letter they can identify themselves with if security guards or the police intervene.

What happens if the testers get caught?

Then part of your defence has worked, and that is exactly what we want to measure. The testers identify themselves with the prepared get-out-of-jail letter, and the client is informed about the time window. In the night assessment we even trigger alarms deliberately to test the response chain of security guards and police. Real emergencies are ruled out through clearly defined abort criteria in the rules of engagement.

How long does a physical security assessment take?

The total duration is typically between two and six weeks, depending on the number of sites, the chosen scenarios (day and/or night assessment) and the depth of the tests. Preparation and reporting are included.

Are individual employees singled out?

No. We test the organisation, not individual people. Findings are documented anonymously: the report says that tailgating worked at the side entrance, not who held the door. On request we prepare photo and video material for internal awareness training, without putting employees on show.

Evaluate a physical security assessment for your sites

Let us spend 30 minutes clarifying which scenarios make sense for your sites and how an assessment fits your security strategy. Free and without obligation.
