Getting Started With Black Teaming In 2025
Physical security is something that I assume everyone who reads this blog is interested in, and so with the new year kicking off, I thought it would be a good idea to give some suggestions for people looking to take their first steps into the field.
If you’re looking to start your journey into becoming a physical security auditor or penetration tester in 2025, here are the key steps you can take today to prepare for this career.
As always, this list is intended for people who want to get into lawful penetration testing and not any criminality … obligatory legal disclaimer
1. Do a Personal Skills Assessment
To succeed in physical penetration testing, you need to understand your own strengths and weaknesses. Every Black Team member brings something unique to the table, but knowing where you currently stand can dictate how you approach engagements. Start by evaluating yourself in these core areas:
Social Engineering: Are you a natural conversationalist or someone who avoids eye contact? Social engineering is often the most critical skill for daytime breaches.
Building Scaling: Do you have the physical fitness and climbing skills to access higher floors or hard-to-reach areas?
Lockpicking and Bypassing: Can you pick a padlock or bypass a door latch quickly? Are you proficient with tools like bump keys or shims?
Alarm Bypassing: How confident are you in dealing with sensors, alarms, and motion detectors?
Recon: Are you good at gathering information about a location beforehand?
Hacking: Once your team is inside the building, or sometimes even before, you may need to use some of those cyber skills to accomplish your goals.
Mission Planning: Do you excel at organizing tasks, coordinating with others, and managing time effectively?
Ask yourself: Where do I currently excel, and what needs improvement? The skills that you have will dictate the direction that your engagement takes and the routes that you create to gain entry and bypass security.
If you’re a lockpicking master but completely socially inept, your engagements will likely focus on bypassing physical barriers and avoiding direct contact with staff. On the other hand, if social engineering comes naturally, you might build plans around employee interactions, impersonating third parties, or even eliciting key information or gaining favors from employees.
There is often a big difference between where people see their own skills and where they actually are.
When performing a skills assessment, be honest about where your skills actually are, not where you would like them to be. If your current level in one area is lower than you want, make 2025 the year you bring that skill up to where you want it.
2. Practice Spotting Vulnerabilities Everywhere You Go
Physical penetration testing starts with observation. Every time you enter a new building—whether it’s a grocery store, office, or hotel—practice spotting vulnerabilities. Here are some things to look for:
Security Features: Cameras, motion detectors, alarms, badge scanners, locked doors. What do they protect? Are there any gaps or weaknesses?
Employee Behavior: Are employees wearing badges? Do they leave doors propped open? Is anyone tailgating?
Dead Zones: Are there areas that cameras & sensors can’t see? Blind spots near corners or stairwells?
And so on.
The next time you go into the grocery store, for instance, look around as you enter and try to mentally map out the security layout of the building. What are they doing right, what are they doing wrong, and how many things can you spot? This is effectively your time to practice embedded recon, and you can do it at any establishment you find yourself in: the office, the gym, a cafe, anywhere.
Just don’t be overly suspicious at places where security is very high, like an airport. I would hate for you to miss your flight because you were staring at the security cameras a little too long.
3. Get Comfortable Talking to Strangers
Physical penetration testing often forces you to choose between battling "men or machines." If you decide to perform a daytime breach, interacting with people is inevitable, whether through direct social engineering, tailgating, or casual chats to gather intel.
By contrast, if you decide the best time to bypass security is at night, then you will find yourself battling the machines: the alarms, sensors and cameras. But the majority of black teams deal with employees a lot, and thus you need to be comfortable interacting with total strangers.
I have written a lot about elicitation and social engineering, but when you are first starting out, don’t focus on getting the really good information out of someone. Simply start by trying to talk to them, and have that as your only goal.
The next time you find yourself at a grocery store, when you get to the cashier try striking up a conversation with them. Don’t set any goals for yourself other than to get a conversation to go beyond “Hi”.
A good roadmap for such things is:
Practice & get comfortable walking up to anyone and engaging in a conversation. This is harder than people think, especially at first, so practice talking to all types of people in different situations to break out of that awkwardness.
Try to get your conversations to last a few minutes. Now that you are comfortable engaging anyone in conversation, set a goal to get that conversation to last for a set period of time. Rapport is something that will come easier the longer a conversation lasts … so get it to last.
Try eliciting a really simple piece of info. You can now walk up to anyone and chat, and most of the time you can get those conversations to last a few minutes at a time, so now actually have a few small goals in mind you want to learn. Nothing big yet, just simple things like “where are you from”, “How old are you”, etc
Try eliciting key information. You are now ready to attempt to get some good and useful info. The next time you talk to a stranger, pick a piece of more difficult info to learn from them. Instead of asking “where are you from”, try “what is your exact house number?” Instead of “how old are you”, try “How old were you when you first met your wife?”
When practicing these things, remember that they take time. Each step may take months of practice before you feel comfortable moving on to the next one, but once you have, you will have gained a lot of skill.
One thing you can also work in here is a cover story. There is no reason you have to be you when practicing elicitation and social engineering; you can practice being anyone you want to be.
HOWEVER, remember that any time you deal with other people you need to have, and be ready to use, your escape clauses!
4. Practice Planning Missions
When people first step into black teaming, they tend to get really excited about the fun aspects of it: rappelling down a building, bypassing alarms in the middle of the night, eliciting employees and gaining trust, etc. But they also tend to overlook the planning aspect, which is a huge part of the job.
Choose familiar locations like your home, workplace or someplace you frequent. Define a clear objective, such as reaching a server room or bypassing a specific door. Start by mapping out the phases of your plan:
Reconnaissance: What intel can you gather remotely or through observation? What types of recon are useful to you? For example, you likely won’t be doing short range recon at a power plant in the middle of nowhere. What types of recon do you have the equipment for, and which are you good at? If you are terrible at OSINT, then it will likely be of little use to you; similarly, if you are amazing at long range recon but lack a camera or telescope, that is likely not an option either.
Entry Points: Identify how you might access the target. Are there locks to bypass, badge systems to exploit, or alternative routes like rooftops or side entrances?
Route Planning: Chart the path from entry to objective, noting obstacles and chokepoints. Plan alternate routes in case your first choice is compromised. Look at the list of vulnerabilities you have discovered: which of these can you chain together to form a route from the outside of the building to wherever you have set your goal?
Gear & Equipment: What equipment does your team actually have for this engagement, and what are you proficient with?
Movement & Staging Points: How are you getting to and away from the target building: by car, on foot, etc.? Where is all your gear being stored while you are inside or doing recon?
Anticipate Challenges
Think through worst-case scenarios. What would you do if confronted by staff, or if a key system doesn’t work as expected? Build contingency plans for every step. Having escape clauses is a MUST for any engagement, and remember your escape clause needs to be mutable. On a real engagement that also means carrying your written authorization and the client contact who can vouch for you, so that a confrontation that goes past your escape clause can be ended cleanly.
If you are stopped by a guard while walking outside the building on a public street, saying something like “I am just out for a walk, why are you stopping me?” may be enough. But this excuse likely won’t be useful if the same guard stopped you inside the building.
Refine the Details
Team Composition: What skills are required? If working with others, assign roles (e.g., lockpicker, recon specialist). If you are breaching a mainframe, well ensure you have someone who knows how to do that.
Timing: How much time would each phase of the mission require? Is a daytime or nighttime approach better suited to your plan?
Practicing mission planning sharpens your strategic thinking and prepares you for real-world engagements. The more you plan, the more adaptable and effective you’ll become.
In the real world you will often find that you fall back on plans and strategies you have used previously, so having already walked through many scenarios, even if only in your head, will speed up the process, and hopefully you will already have polished some great ideas.
Conclusion
2025 is a great year to start your journey into physical penetration testing. The list I provided above is something that everyone can start practicing and working on today. You don’t need any budget or extra gear to start working on your skill sets and all of these things will help you on real world engagements.
Remember, penetration testing isn’t just about breaking into buildings—it’s about identifying weaknesses to help organizations become more secure. Approach every training session, recon mission, and conversation with that goal in mind, and you’ll be well on your way to a rewarding career in physical penetration testing.
So, where will you start today? Will you practice lockpicking, plan a hypothetical mission, or chat with a stranger? I hope that you all have some fun engagements in 2025.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Strategic Operations for Lone Operators - Advanced course for those who are interested in learning how to become a one man infiltration team.
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.