From Break-In to Breakthrough: Securing Your Client’s Facility After a Penetration Test
How do physical penetration testers consistently break into facilities that pride themselves on being secure? The answer lies in relentless practice and skill refinement. Social engineering, elicitation, lock picking, bypass techniques, and countless other methods are honed over hundreds of hours to ensure black teams can reliably breach even the most challenging defenses.
Breaching a building—often viewed as the pinnacle of a penetration tester’s work—is undeniably impressive and represents a culmination of expertise. Yet, this accomplishment is only half the job.
The other half, and arguably an equally challenging part, comes afterward: securing the facility. A successful black team engagement doesn’t end with gaining unauthorized access; it continues with helping the client close those gaps so effectively that even the team that breached it would find it nearly impossible to do so again.
It’s this crucial, collaborative phase that tests a penetration tester’s ability not just to identify vulnerabilities, but to translate them into actionable, cost-effective solutions tailored to the client’s unique needs. This is where many testers face a whole new challenge—and where the true value of a penetration test is realized.
Breaking Is Not Your Goal — Building Better Security Is
A new kind of difficulty comes after the breach: collaborating with clients to fix the problems in ways that are practical and sustainable is often just as challenging as actually gaining access to a facility.
This process is nuanced, especially when organizations face limitations in budget, time, or resources. A successful engagement doesn’t end with a report listing vulnerabilities; it ends with a plan to patch those vulnerabilities and make the building as secure as possible.
Let’s consider a common scenario:
The Case of the Cloneable ID Cards
Suppose your assessment reveals that the client’s access control system uses cloneable ID cards. You recommend upgrading to something like MIFARE DESFire v2 or v3 cards, a more secure alternative. However, the client raises two concerns:
Budget constraints: They can only afford to upgrade 25% of their facilities each year, meaning full implementation would take four years.
Future-proofing concerns: Your client, while considering your recommendation, asks you, “What if DESFire v2 is compromised in the next year? Would we need to invest in yet another upgrade, and if so, to what?”
These are legitimate challenges you may face from a client, and they require careful navigation. I highly encourage you to take a moment and try to answer these questions as if you were in this exact situation. When doing so, consider the following:
Does your suggestion negate the problem / vulnerability?
Can the client afford your solution?
Would your suggestion stop you and your team from utilizing the vulnerability and breaching the building?
Does your solution solve the problem in the short term or long term?
These types of challenges are not easy, and while you may have your own “gold standard” for how to resolve a vulnerability, the client’s concerns or limitations will very often push you to create hybrid and novel approaches to resolve the issues.
Effective Attack Vectors & Their Mitigation
I have written about how to write a physical pentest report here, but I want to address the difference between vulnerabilities and attack vectors.
In short, a vulnerability is anything you could or did take advantage of when breaching the building, such as a cloneable ID card. An attack vector, or route, is a chain of vulnerabilities you could or did take advantage of to compromise the facility.
Let’s return to our scenario above of an organization using cloneable ID badges, and let’s further assume that employees wear their IDs to a public cafe next door to the office, and that staff never question anyone wearing a valid ID.
So here you have three vulnerabilities that together make an attack vector. Use a long-range card reader at the public cafe to clone an employee badge, and take a photo of it with a hidden camera to create a valid-looking employee ID. Using this ID, with your own name and picture, employees will not stop or question you, allowing full access to the facility and compromising your client’s security.
Now, suppose your client says that for whatever reason they cannot upgrade ID cards to something that is uncloneable, but you offer the following suggestion:
Use a card reader that requires a card and PIN
This alone does not resolve any of the vulnerabilities listed above, but it does disrupt the presented attack vector. Then the question for you and your team is,
“Is it possible for attackers to discover or guess the PIN in an easy and reliable manner?”
If the answer is no, that attackers cannot do so, then you have effectively disrupted the attack vector without actually resolving the individual vulnerabilities.
Obviously, this is not an ideal resolution nor a “gold standard”, but you will likely be required by your client’s constraints to deviate from your ideal solutions, and you need to be prepared to do so.
That said, it is ideal to create solutions that work together in a security-in-depth model, where the facility’s security doesn’t rely on a single point of failure.
Suppose that, alongside the PIN code for the cloneable ID cards, you also made the following suggestion to your client.
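One way to reason about the vector above as a planning aid, written as an added example rather than anything from the original post: the chain is modelled as an ordered list of vulnerabilities, and each candidate control either fixes a link or merely disrupts it (as the card-plus-PIN reader does), so you can check whether a proposed set of controls closes the route, how many independent controls the closure rests on, and what the cheapest closure within a budget is. The control names and cost units are constructed for illustration, not figures from any engagement.

```python
"""Attack-vector planning model (added example, not from the original post)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                            # relative cost units, constructed
    fixes: frozenset = frozenset()       # vulnerabilities removed outright
    disrupts: frozenset = frozenset()    # vulnerabilities left in place but made unusable


# The chain from the post: clone a badge off-site, copy its look, walk in unchallenged.
VECTOR = ("cloneable_badge", "badges_worn_offsite", "staff_never_challenge")

# Constructed candidate controls; costs are illustrative units only.
CONTROLS = (
    Control("desfire_upgrade", 100, fixes=frozenset({"cloneable_badge"})),
    Control("card_plus_pin", 30, disrupts=frozenset({"cloneable_badge"})),
    Control("badge_removal_policy", 5, fixes=frozenset({"badges_worn_offsite"})),
    Control("cat_program", 10, fixes=frozenset({"staff_never_challenge"})),
)


def covered_links(vector, chosen):
    """Map each vulnerability in the chain to the chosen controls that break it."""
    return {v: [c.name for c in chosen if v in c.fixes or v in c.disrupts] for v in vector}


def vector_is_open(vector, chosen):
    """True if no link is fixed or disrupted, i.e. the route still works end to end."""
    return not any(covered_links(vector, chosen).values())


def depth(vector, chosen):
    """Number of distinct controls that independently break the chain (defence in depth)."""
    return len({name for names in covered_links(vector, chosen).values() for name in names})


def cheapest_plan(vector, controls, budget, min_depth=2):
    """Cheapest control set within budget that closes the vector with at least
    min_depth independent controls; returns (cost, sorted names) or None."""
    best = None
    for k in range(1, len(controls) + 1):
        for combo in combinations(controls, k):
            cost = sum(c.cost for c in combo)
            if cost > budget or vector_is_open(vector, combo) or depth(vector, combo) < min_depth:
                continue
            if best is None or cost < best[0]:
                best = (cost, tuple(sorted(c.name for c in combo)))
    return best
```

With a PIN reader alone the route is closed but `depth` is 1, which is exactly the single-point-of-failure situation the text warns about.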
Cost-Effective Security & Novel Ideas
An example of a novel security idea that actually works, and one I have talked about before on this blog, is the CAT program. You can read more about it here, but to summarize: you have to get employees involved in your security.
This is accomplished in two steps:
Every employee is guaranteed they will not be punished for stopping someone or calling security on suspicious people, so long as they do it professionally.
Incentivize employees with time off, or something similar that they want and the company can afford.
The actual plan goes something like this:
Once per quarter or month (the frequency is up to you, but I recommend keeping it fairly frequent), an unknown person will wander through the facility, and the employee who either professionally stops them or calls security gets a few days of paid time off. That’s it.
Paid time off is something nearly all organizations can afford, and it’s something every employee really wants. By keeping this occurring regularly enough, employees will always be scanning for the intruder, which drastically increases your daytime security.
This exact plan can be extended to rogue devices by showing employees what things like keyloggers, man-in-the-middle devices and common bugs look like, and then periodically placing them in key locations. Once again, the employee who discovers and reports them gets some time off work.
You won’t find the CAT program in a compliance checklist … yet :D … but it is an example of something you can come up with that will help your client to increase their security without breaking the bank.
I encourage you all to formulate your own strategies, programs and policies that meet these types of requirements.
Being Ahead Of Your Clients
When you run a penetration test or an audit, you will almost always come across issues where your first recommendation cannot be done by the client for one reason or another.
Given this near certainty, it is in your best interest as a professional to think about the most common types of vulnerabilities you may encounter on a physical pentest and then formulate solutions in advance, both what you would consider to be “gold standards” and novel, cost-effective approaches.
Cloneable badges
Abusable REX sensors
Security cameras that can be deauthenticated
Lack of employee engagement & awareness
Vulnerable doors and windows
etc.
These are all common vulnerabilities that you may both encounter and exploit on your engagement. Beforehand, think of how you would resolve these and other vulnerabilities and what you will suggest if the client says something like “we cannot afford that solution right now.”
Conclusion: The Penetration Tester’s Responsibility
A successful physical penetration test doesn’t just expose vulnerabilities—it helps the client overcome them.
Whether it’s finding cost-effective ways to upgrade cloneable ID cards or building security-in-depth models, the endgame is the same: to make it as difficult as possible for someone—anyone—to break back in. The process requires creativity, collaboration, and a commitment to tailoring solutions to the client’s needs and constraints.
Your job isn’t really finished until you have helped them secure their facility, ideally to such a degree that even you would find it extremely difficult to breach it.