Developing The Attacker's Mindset
How do you protect something if you don't know what you're protecting it from? What if your assumptions about security are shaped by regulations and policies rather than by the tactics and techniques of those who would break in?
When evaluating an organization’s defenses, it's crucial to adopt the mindset of an attacker—to think like someone who has every incentive to find and exploit the weak points in your system. Only then can you move beyond the illusion of security to a place of true resilience.
In cybersecurity and physical security alike, defenses are often designed with compliance in mind, focusing on checklists, best practices, and the installation of appropriate tools. However, being compliant doesn’t necessarily mean being secure.
Attackers don’t care about whether your organization passes an audit; they care about where your vulnerabilities lie. It’s this gap between compliance and offense where real risk hides.
This pot will focus on the concept of the attacker’s mindset and how to go about using it to evaluate security.
Offense, Defense & Compliance
A successful security strategy requires three vital components: offense, defense & compliance. These perspectives, though often viewed as separate, are complementary and essential to building a truly secure environment.
Compliance ensures that organizations have the tools, processes, and safeguards in place to meet regulatory standards. Compliance guys work to ensure that everything from firewalls to door locks meet established guidelines. Without compliance, organizations risk missing foundational elements of security, like encryption, employee training, and physical access controls.
Defense is how those tools are actively utilized by an organization to catch the bad guys. Without the defensive guys, you may have all the tools but nobody manning the gates.
Offense of course are the simulated bad guys, those who look at the defenses that are currently in place and find weak spots to exploit.
All to often oraganizations seem to find themselves missing one of these components, and when it comes to physical security it is alsmost always the offensive team. While a company would , or should, never take a security vendors word for how secure their product is without running testing, this is exact what all to often occurs in regards to physical seucrity.
In this video of a group “Palestine Action” was able to breach a weapon’s development and distribution company in Kent England despite that facility having all the compliance tools for physical security.
The group bypassed multiple fences with barbed wire atop, shatter resistent glass, security alarms and cameras, and a mag locked door all because through recon they discovered a route going from the outside to the factory that had minimum to no security.
When running engagements, looking for this route is key, you always want to be thinking asymetrically. What is the route that gets me where I want to go that has the least risk to my team with the highest probability of success at the minimum effort.
In this case, despite having both Compliance & Defense this facility clearly did not address their offensive side to test their security.
How Would You Secure This Room?
I once had a student during a covert entry course who asked a seemingly simple question: "You have a lot of expensive gear in this room, what lock would you use to secure it?" His question came from the mindset of someone focused on compliance—he was thinking about which lock would meet the standard. But an offensive thinker would approach the problem from a completely different angle.
I responded, "Let’s assume I put a lock on the door that nobody on Earth could pick or get through. Is the room secure?"
We discussed this for a bit and came to the conclusion the answer was a resounding "no." The room had European tilt windows that were often left open, allowing easy access from the outside. Even worse, after a bit of recon and some basic elicitation, we discovered that the cleaners had a master key for the building, and that key was hanging in a closet on the first floor, protected by a cheap wafer lock.
So, no matter how incredible the lock on the door was, an attacker wouldn’t need to bother with it. They’d simply exploit the windows or the poorly protected master key to get in.
This is the essence of the attacker's mindset—focusing on the weakest points in a system rather than the strongest. Looking for a series of vulnerabilities that individually are usually small, but put together become catastrophic .
Delta Force vs. The White House
The US Secret Service (USSS) learned a powerful lesson about the attacker's mindset when they invited Delta Force to test their defenses at the White House. This was in the days before several high-profile breaches and attempted assassinations tarnished the USSS’s reputation, back when their security was seen as world-class.
When tasked with the challenge, the Secret Service responded like any well-trained defender would: they beefed up the perimeter, added more personnel, and conducted extra checks on vehicles and individuals entering the area. They reinforced their existing security layers, confident that more resources and vigilance would deter or stop any breach.
However, Delta Force didn’t approach the situation like a defender. They thought like attackers. Instead of trying to overcome the added manpower or fortified perimeter, they looked for a way around it. The airspace over Washington D.C. is some of the most restricted in the world, with even the smallest unauthorized drone facing serious consequences. But Delta wasn’t thinking about drones or trucks.
They took a military transport plane up to 30,000 feet and performed a HALO (High Altitude, Low Opening) jump, free-falling directly into the restricted airspace over the White House around 4am. By the time the USSS snipers realized what was happening, it was too late. Delta Force operatives had already landed on the White House lawn and were walking in the White House. They had bypassed every single perimeter defense the USSS had put in place.
This story illustrates that no matter how strong your defenses are, attackers will always look for creative ways around them. Thinking like a defender—reinforcing known vulnerabilities—can only take you so far. Thinking like an attacker—finding new, unconventional points of entry—is what will truly test your security.
Conclusion
Defense, Offense & Compliance thinking must work hand in hand. These mindsets are all required in order to best secure a facility and overlooking any of them is often what causes the asymetrical oversight that leads to catastrophic compromise.
To truly secure your organization, it’s not enough to follow the rules or install the best equipment. You need to think like the people who want to break in. Whether it’s a cheap wafer lock guarding a master key or an elite military team bypassing high-tech defenses with skydiving maneuver, attackers will always find the path of least resistance.
And that’s the mindset you need to adopt to stay one step ahead.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course of that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safegaurd your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs .