A Return To Escape Clauses

One of the reasons why physical penetration testing is so difficult is the knowledge that you may get caught … While this seems incredibly obvious, think about the situation a little bit and ask yourself if it actually has to be an inevitability that once you are stopped, the game is over.

Whether you simply look suspicious, bump into a security aware employee or even set off an alarm, getting caught in this way, doesn’t have to mean that the engagement is finished.

As I have written about before, this is where your escape clause comes into play.

What Are Escape Clauses?

An escape clause is the strategy or story you deploy to explain your presence, deflect suspicion, and exit a scenario gracefully when confronted. It’s not just about having a plan but also being able to adapt that plan to the context and sell it convincingly under pressure.

For example:

Upon entering into your target building, an employee stops you and asks why you are there. You may respond with a back and fourth about how you have a job interview at the location set for 30min in the future.

You: “Oh I have a job interview here in 30min”

Employee: “I don’t have you on the schedule, are you sure you are at the right place?”

You: “Isn’t this 345 Street?”

Employee: “No thats next door”

You: “Oh sorry google maps lied to me, I have to run.”

Now, this escape clause isn’t really good and thats because a good escape clause needs to satisfy two things:

1. You can leave the situation without suspicion

2. You need to be able to return to the location later

While the above example will likely meet requirement 1, it will be difficult to argue how it could satisfy requirement number 2. I encourage you to think of how you would handle the above situation and what escape clause you would use that meets both requirements.

Why Escape Clauses Matter More Than Any Other Skill

Skills like lockpicking, bypassing, building scailing, etc are all very useful but the only skill that will allow you extra lives if you make a mistake, or find yourself on the wrong side of luck, is the escape clause.

Being a master of this one skill, allows you extra attempts when breaching into buildings. It gives you confidence that if you are stopped or if something goes wrong, you can exfiltrate yourself from the situation without blowing the engagement.

And, possibly just as importantly, it removes a great deal of stress from you and your teammates if they know that getting caught is no big deal.

I want you to imagine that you are in the process of breaking into a bank that has active guards patrolling the facilty. You have decided that you are going to walk into the bank with a fake work order and explain to the front desk that you are there to fix something inside and you are going in alone.

As you approach the building, your heart is probably pounding, your stressed, nervous and trying not to sweat through your shirt.

That stress and nervousness is the experience of almost all black team members their first few engagements … But if you could simply remove all that stress from the situation and ensure that if you are stopped or questioned its no different than giving someone directions to the local cafe … no big deal at all.

Mastering this skill gives you options, it resolves stress and its why it is the single most important skill for any black team member.

By contrast, imagine you send one of your teammates inside the target building to do some embedded recon, where they get stopped and questioned by an employee and this is their response

Scripted vs. Improv Escape Clauses: Two Sides of the Same Coin

Escape clauses come in two main varieties: scripted and improvised. Each has its place in the toolbox of a skilled penetration tester, but understanding the strengths and limitations of both is crucial to successfully navigating high-pressure situations.

Scripted Escape Clauses

These are carefully planned and rehearsed scenarios that you’ve prepared in advance. Scripted escape clauses are particularly useful when you anticipate a specific confrontation or need a detailed cover story to support your role.

Key characteristics of scripted escape clauses:

• Preplanned: You’ve thought out the story ahead of time and practiced it, often including contingencies for likely questions.

• Supported by props and teammates: Props like uniforms, fake IDs, or work orders can reinforce your story. Teammates may also be in on the plan, ready to vouch for your cover or provide assistance if needed.

• Highly convincing in predictable situations: When the scenario plays out as expected, a scripted escape clause can make you seem entirely legitimate.

Example: You’re posing as a maintenance worker with a toolbox and a forged work order. Security stops you, and you confidently explain that you’re there to repair the HVAC system on the third floor. If they call a contact listed on your work order (a number routed to a teammate), your story holds up.

Improv Escape Clauses

Improvised escape clauses come into play when you’re caught off guard, unprepared, or when your scripted plan doesn’t hold up to scrutiny. These require quick thinking, adaptability, and the ability to stay calm under pressure.

Key characteristics of improv escape clauses:

• Unscripted and reactive: You’re creating the story on the spot, often based on the environment and the behavior of the person confronting you.

• Lack of props or backup: You may have no tools or teammates to support your story, relying entirely on your demeanor and creativity.

• More common in real-world scenarios: Even the best-scripted escape clause can encounter unforeseen questions or challenges, forcing you to pivot and improvise.

Escape Clauses Are Mutable and Context-Dependent

Escape clauses must evolve with the situation. A response that works in one scenario may fail spectacularly in another.

For instance:

• Outside a building: If questioned by someone on a public street, you could confidently say, “I’m out for a walk—why are you asking?” In this context, being defensive or turning the question back on them feels natural and appropriate.

• Inside the building: That same response would immediately raise alarms.

This mutability means you’ll rarely rely on scripted escape clauses alone. Situations often evolve in unpredictable ways, forcing you to switch to improvisation.

Real-Life Scenarios: Escape Clauses in Action

During an enagement, I had managed to elicit useful information from the receptionist in that this establishment had a cleaning crew that showed up every evening around 6pm. Having watched from a nearby bar, I noted that the cleaners indeed arrived each evening at the correct time, and always entered from the front entrance with all their cleaning gear.

After scouting the building, I noted that if I went up a few floors there was a sharred terrace between my client’s building and another. My plan was to breach the rear entrance just as the automatic lights turned on at 6pm. You can read more about how and why I chose this method here, but to be brief, the cleaners first move upon entering a building after hours will be to turn off all the alarms, and as the lowest and least skilled employees they are also unlikely to question me if I dress like an employee working after hours.

My scripted escape clause was focused on the cleaning staff. Since I expected all the regular employees in my target building ot be gone, if stopped and questioned by the cleaners, I would pretend to be an overworked employee, in the office after hours trying to finish a project. Having printed a convencing employee ID badge and wearing a similar badge holder, I was confident I could sell both the cover story and an escape clause if needed to the cleaners if questioned.

Preparing to infiltrate the building just before 6pm, I am on my knees with my breaching gear on the door at 5:50pm I am simply waiting, when in the glass reflection I see the image of a very concerned looking woman from the neighboring business who is bringing a phone up to her head to make a call.

I hadn’t planned for this and had no scripted escape clause ready for employees of other businesses, but this is where an improv escape clause comes into play. I put my tools down, take out my phone and begin a rather loud conversation with myself that i hope she can hear, pretending to be on a call that is annoying me that goes something like this

Me: “John, we were suppose to have this door replaced for the client 30min ago, why aren’t you here?”

(brief pause)

Me: “Look I have the kids tonight and I have to get home to make dinner, when will you get here?”

(brief pause)

Me: “Fine, just hurry up and get here. It’s raining outside, and this is going to take 20min once we get started and I still need to get home and cook dinner …”

Now, the entire time this fake conversation is going on, I am allowing my body to be animated, raising my voice in a believable manner due to my “frustration” but I am glancing at the woman’s reflection in the glass to see that as this goes on, her phone is slowly being lowered and her concerned expression is beginning to go away. I never turn towards her during my phone call, instead keeping my back to her the entire time to make her feel comfortable.

Once, she has put the phone away, I end the call, put the phone in my pocket and turn around, pretending to be surprised someone is watching me and give the woman a socially expected but obviously disingenuous smile (as one would expect from me in this situation).

I used this escape clause because replacing the door explains why I have random tools in front of the door and why I am here at night after hours.

Notice that I never actually spoke to the woman, instead I allowed her to hear me and my escape clause, and allowed her to think she was listening into a private conversation rather than approach her and attempt to sell my story. By keeping my back to her, she felt more comfortable listening into “a private conversation”, and I wanted her to keep listening until she fully accepted my story.

How to Build and Execute Strong Escape Clauses

1. Prepare Pretexts in Advance Have at least two to three plausible stories tailored to your role and the environment. Research the building, its operations, and personnel to create credible cover identities.

2. Practice Improvisation Escape clauses are often improvised under pressure. Practice thinking on your feet with mock confrontations. Roleplay with teammates to hone your ability to adapt to unexpected scenarios.

3. Commit to the Role Confidence sells the story. If you hesitate or overexplain, suspicion rises. Act as if you belong, and most people will take you at your word.

4. Use Props and Details Small details make lies believable. A clipboard, ID badge, or branded uniform can reinforce your story. Mentioning specific names, departments, or tasks adds authenticity.

5. Stay Calm A panicked response will undermine the best escape clause. Slow your breathing, maintain eye contact, and speak in a measured tone. People trust those who appear confident.

Conclusion

Among all the skills you could master, escape clauses are the only non-negotiable one. They are the difference between a successful engagement and a botched mission. Whether you are a team member or a team lead, ensuring that everyone has mastered escape clauses will give you confidence and lower stress which drastically improves your likihood of success.

No matter how specialized your role is on a black team, your ability to create and execute a believable escape clause is what ensures you can continue the mission—or at least walk away unscathed when things go wrong. Master this skill, and every other facet of penetration testing becomes significantly more achievable.

Training Resources:

For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.

• Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists

• Physical Audit Training - 2 day course on how to setup and run a physical security audit

• Elicitation Toolbox Course - 2 day course of that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming

• Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safegaurd your secrets.

• Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.

• Private Instruction - Focused learning & training based on your needs .

Comments

[Rick Henderson]

Incredible article. Just thinking about doing a physical penetration makes me nervous :)