I decided to write this article for those who want to get into physical pentesting but are having trouble selling the concept, either to their boss if they work internally or to a client if they are something like a consultant.
I have played both roles over the years and learned how to sell physical pentests to both in dozens of industries and situations. This blog will hopefully teach you a simple method I have used, to help you actually get a physical pentest sold and do the engagements you want to do.
I have previously written about how to sell physical pentests for those in sales, which you can read here.
I Have Used This Approach For Years & the TLDR
One of the biggest hurdles physical pentesters have is that many companies and organizations literally do not know that such a service exists and, further, have no idea what the value of such a thing would be. As a result, it is your job both to educate the client on the topic and to get them to pony up a lot of money for the test.
In my experience, attempting to do all of this, especially with a client you don’t have an excellent relationship with already, is going to fail in most cases.
Instead of trying to make the sale all at once, use an existing agreement, like a cyber pentest, as leverage for a physical pentest. The high-level summary of this post is effectively this:
Perform a security service (like a cyber pentest) for a customer
Ensure that you act professionally and build rapport with the client throughout the engagement you are performing
Now that the client sees you as an expert in security, as a professional person and hopefully someone who has rapport with them, you can sell your new service (the physical pentest)
Towards the end of the engagement, explain to the customer the need for a physical pentest and that, while their cyber defenses are good, a physical attack would render all such cyber protocols useless
Often doing a quick demo onsite is an excellent selling point; perhaps showing how their ID badge could be cloned, or how they leave a back door open during lunch hours, etc.
Let's get into a bit more detail.
Leveraging Cyber Pentests to Propel Physical Ones
The journey from cyber to physical starts with trust. If you've already conducted a cyber pentest, you've established:
Expertise in Offensive Security: Your client has seen you work your magic, identifying vulnerabilities and revealing how they could be exploited.
Rapport with the Client: The cyber pentest journey, which involves periodic updates, insights, and final reporting, fosters a bond with the client. They've trusted you with their most sensitive digital assets.
With this foundation, you can easily transition the conversation to physical security. Here’s how:
1. Draw Real World Comparisons
If you have personally performed physical pentests, or know of someone who has, use examples that are comparable to your current client. Having pictures or short videos on hand that can demonstrate your point is an excellent addition. Be prepared for a quick 2-5 minute pitch that demonstrates a similar situation to their organization, how you were able to get inside, and what you did (again, pictures are a huge plus here).
2. Present a Holistic Security Model
Emphasize that a truly resilient company safeguards against both digital and physical threats. Mention high-profile cases where physical breaches led to digital disasters.
3. Showcase the Bypass Potential
Highlight how someone with physical access could plug in malicious USB devices or compromise network hardware. Even if they have top-tier digital defenses, these can be rendered useless with physical access.
If you are onsite, check for doors where latch slipping is possible, check whether their ID badges are clonable, or look for other ways an intruder may simply gain entry into the building. If you already have a few pictures or evidence you can innocently show the client, all the better.
4. Offer Bundled Services
Give them an irresistible deal. Offer discounts or bundled services for clients willing to go the extra mile for security. For example, a comprehensive package that reviews both cyber and physical defenses could be both financially appealing and strategically wise for the client.
Many clients won't have the budget for a group of pentesters full time for weeks to perform a physical pentest; consider a range of such services you could offer at varying pay scales for different budgets.
5. Offer a Mini Physical Pentest
Nothing sells like a live demonstration. If feasible, offer a mini physical pentest – perhaps testing the security of one small area or attempting a simple entry. A successful mini-test can be an eye-opener, urging the client to consider a full-scale physical pentest.
Often something as simple as cloning an ID badge, tailgating into the office, etc. may be all that is required to convince the client of the need for a full test.
The Power of Rapport: Making Physical Pentests an Easier Sell
Shifting to rapport building for a moment: realize that the more rapport you have with a client, the more likely you are to get that test you want. Therefore, building rapport should be a cornerstone of every professional interaction you have.
This isn't just about showcasing expertise; it’s about forging a relationship grounded in trust, mutual respect, and understanding. Rapport is your secret weapon in extending your services to physical pentesting.
1. Moving Beyond the Transactional
Clients are inundated with transactional relationships daily. From the vendors they deal with to the many service providers they engage, most interactions are strictly professional and limited in scope. When you invest in rapport building, you move beyond being just another vendor. Instead, you position yourself as a trusted security advisor. This trust is pivotal when suggesting additional services like physical pentesting.
2. Open Lines of Communication
Good rapport ensures open communication. If a client feels they can discuss their cyber vulnerabilities without judgment, they’re more likely to heed your advice regarding physical vulnerabilities. An open dialogue means the client is also more likely to share concerns, objections, or questions about physical pentests upfront, giving you a chance to address them immediately.
3. Tailored Recommendations
A strong relationship allows you to gain deeper insights into a client's business, its culture, and its unique set of challenges. This insider knowledge empowers you to tailor your physical pentest proposal to match their specific needs, making it more relevant and appealing.
4. Humanizing the Process
At its core, security is about protecting people, assets, and interests. Building rapport humanizes an otherwise technical process. When clients see you as a person genuinely interested in their security and not just a technician doing a job, they're more inclined to consider your holistic suggestions.
5. Facilitating Referrals
Clients who have a good relationship with you are not only more likely to invest in additional services but are also more likely to refer you to others. As they vouch for both your skills and your professionalism, this can open doors to other businesses considering physical pentests.
6. Easing Concerns
Physical pentests can be a bit more intrusive and intimidating to some clients. They might have concerns about disruptions, potential damages, or even corporate espionage. With an established rapport, these concerns are easier to address. A client who trusts you will believe that you have their best interests at heart and that you’ll conduct the pentest with utmost professionalism.
7. Little Favors
Throughout your other engagements or interactions with the client, offer little favors such as: getting them coffee, asking them how they are, being willing to stay a few minutes late or arrive a few minutes early if requested.
These little favors will help to build a solid relationship with your client, and as such will improve your odds of getting that new contract.
Put a different way, if showing up 10 minutes early each day and getting them a coffee from the dining hall gets you a huge physical pentest contract, it's honestly a small price to pay.
In Conclusion
Physical pentests are often expensive and a completely new concept to many clients (even large companies). Instead of attempting to simultaneously educate on the need for and sell the physical pentest, leverage an already existing service you have contracted with them, like a cyber pentest, to help you sell another service.
And of course never underestimate the power of rapport building. Good luck and have a good pentest.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.