Introduction: The Physical Attack Surface Is Making a Comeback
As organizations invest heavily in securing digital environments, attackers are increasingly looking for easier paths around those controls. Instead of attempting to bypass sophisticated security technologies, they are exploiting something far simpler: physical access and human trust. Across the red teaming assessments carried out between late 2024 and early 2026, SISA’s team repeatedly gained access to restricted facilities, sensitive systems, and critical operational environments without exploiting a single software vulnerability.
Across every engagement that included a physical scope, SISA's red team successfully breached the physical perimeter using low-tech techniques that ranged from tailgating and forged employee IDs to cloned RFID cards and fabricated audit authorizations. In multiple cases, red team attackers obtained access to server rooms, CCTV monitoring systems, customer file storage, and vault areas.
The findings reinforce an important reality: physical security remains one of the most overlooked attack surfaces in enterprise security programs. This blog dissects the findings to highlight the missing controls and lapses observed, and recommends defensive measures to strengthen on-site physical security.
What SISA’s Red Team Found During Physical Security Assessments
1. Tailgating and Forged IDs Worked at Every Location
One of the most consistent findings across SISA’s red team exercises was how easily red team operators could blend into everyday operational activity. In every physical security assessment, SISA’s team found that forged employee badges and social engineering techniques successfully bypassed reception and access controls. Common techniques included tailgating through service and back entrances, entering during lunch-hour traffic, using delivery personnel movement as cover, and replicating employee badges from photographs taken in common areas. In one assessment, a Raspberry Pi device was carried inside a pocket to bypass bag inspection procedures entirely.
Defensive priorities
- Require individual authentication at entry points
- Implement escort-only policies for visitors
- Train all employees to challenge unfamiliar individuals
- Strengthen visitor management processes
- Monitor secondary entrances as closely as primary access points
2. RFID Card Cloning Remains a High-Impact, Low-Effort Attack
Access cards are often treated as trusted credentials. Across several engagements that SISA’s red team carried out, they became one of the easiest paths to unauthorized access. In one assessment, a low-frequency RFID card was cloned in less than two minutes after being left unattended on a meeting room table. The cloned card provided access across multiple floors and departments without raising suspicion.
The underlying issue was not employee negligence alone. Many organizations continue to rely on legacy RFID technologies that lack cryptographic protections and mutual authentication mechanisms, making them inherently susceptible to cloning.
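The following Python sketch, added here as an illustration and not SISA's or any vendor's code, contrasts the two reader models described above: a legacy reader that trusts whatever static identifier the card transmits, and a reader that issues a fresh random challenge and verifies a keyed response. Card identifiers, keys and class names are constructed for the example; a copy that captured only what was observable (the UID and one past response) passes the first check and fails the second.

```python
import hashlib
import hmac
import secrets

# Constructed values: a static card identifier and a per-card secret shared with
# the access control system at issuance (both hypothetical).
CARD_UID = "0a1b2c3d"
CARD_KEY = bytes.fromhex("5b" * 16)


def legacy_reader_accepts(presented_uid: str, enrolled_uids: set) -> bool:
    """Legacy low-frequency model: access is granted on the identifier alone.
    Anything that emits the same UID is indistinguishable from the original card."""
    return presented_uid in enrolled_uids


class SmartCard:
    """Stand-in for a card holding a secret it never transmits; it only answers challenges."""

    def __init__(self, uid: str, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge + self.uid.encode(), hashlib.sha256).digest()


class CopiedCard:
    """Models a copy made from over-the-air observation only: the UID plus one
    previously seen challenge/response pair. It has no key, so it can only replay."""

    def __init__(self, uid: str, seen_challenge: bytes, seen_response: bytes):
        self.uid = uid
        self._seen_response = seen_response

    def respond(self, challenge: bytes) -> bytes:
        # A fresh challenge gets a stale answer.
        return self._seen_response


def challenge_response_reader_accepts(card, keys_by_uid: dict) -> bool:
    """Cryptographic model: the reader picks a random challenge per presentation
    and checks the keyed response in constant time."""
    key = keys_by_uid.get(card.uid)
    if key is None:
        return False
    challenge = secrets.token_bytes(16)
    expected = hmac.new(key, challenge + card.uid.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))


if __name__ == "__main__":
    genuine = SmartCard(CARD_UID, CARD_KEY)
    old_challenge = secrets.token_bytes(16)
    copy = CopiedCard(CARD_UID, old_challenge, genuine.respond(old_challenge))
    print("legacy reader, copied UID:", legacy_reader_accepts(CARD_UID, {CARD_UID}))
    print("challenge-response, genuine:", challenge_response_reader_accepts(genuine, {CARD_UID: CARD_KEY}))
    print("challenge-response, copy:", challenge_response_reader_accepts(copy, {CARD_UID: CARD_KEY}))
```

The design point is that the secret never leaves the card and every presentation uses a new challenge, so observing past transactions yields nothing reusable; this is the property legacy low-frequency cards lack.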
Defensive priorities
- Upgrade to encrypted smart-card technology
- Require additional authentication for sensitive areas
- Monitor for duplicate card usage patterns
- Educate employees on access card handling
3. Fake Audits Opened Doors to High-Security Areas
Perhaps the most revealing finding across engagements was the effectiveness of authority-based social engineering or pretexting. Using fabricated authorization letters styled as PCI DSS Requirement 9 audit documentation, red teamers persuaded branch personnel to grant access to CCTV monitoring rooms, vault areas, server rooms and customer file storage locations. No independent verification was performed before access was granted. In some cases, credentials used to access CCTV systems were observed and recorded during the visit itself.
Defensive priorities
- Maintain centralized auditor authorization records
- Require independent verification for all audit requests
- Implement real-time validation mechanisms
- Conduct social engineering simulations and tabletop exercises
4. Brief Physical Access Was Enough to Establish Persistence
Physical access does not need to last long to create significant risk. During one engagement, a KeyCroc hardware keylogger was connected to an unattended workstation during a low-occupancy period. The device remained undetected and captured credentials throughout the day. In a separate scenario, a USB Rubber Ducky executed commands within seconds because endpoint controls focused on storage devices rather than human interface devices (HID). Both attacks required only moments of unsupervised access.
Defensive priorities
- Enforce aggressive workstation lock policies
- Restrict unauthorized HID devices
- Monitor unusual USB device activity
- Alert on suspicious scripted keyboard behavior
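The last defensive priority above, alerting on scripted keyboard behaviour, can be reduced to a timing check: injected keystrokes arrive at intervals no human typist produces. The detector below is an added example (not SISA's tooling and not any EDR product's logic) that runs over constructed keystroke telemetry; the event fields and device names are assumptions about what an endpoint agent would export.

```python
from dataclasses import dataclass
from itertools import groupby
from statistics import median


@dataclass(frozen=True)
class KeyEvent:
    ts_ms: int      # event timestamp in milliseconds (assumed telemetry field)
    device: str     # HID device identifier as reported by the endpoint (assumed)
    key: str


def _burst_alert(device, run, min_keys, max_median_gap_ms):
    """Return an alert dict if this run of consecutive keystrokes looks scripted."""
    if len(run) < min_keys:
        return None
    gaps = [b.ts_ms - a.ts_ms for a, b in zip(run, run[1:])]
    if median(gaps) > max_median_gap_ms:
        return None
    return {
        "device": device,
        "start_ms": run[0].ts_ms,
        "end_ms": run[-1].ts_ms,
        "keys": len(run),
        "median_gap_ms": median(gaps),
    }


def find_scripted_bursts(events, min_keys=20, max_median_gap_ms=20, split_gap_ms=200):
    """Group keystrokes per device, split them into runs whenever the pause between
    two keys exceeds split_gap_ms, and flag runs that are long and inhumanly fast.
    Human typing sits well above 100 ms per key; injected input is single-digit ms."""
    alerts = []
    ordered = sorted(events, key=lambda e: (e.device, e.ts_ms))
    for device, group in groupby(ordered, key=lambda e: e.device):
        run = []
        for ev in group:
            if run and ev.ts_ms - run[-1].ts_ms > split_gap_ms:
                alert = _burst_alert(device, run, min_keys, max_median_gap_ms)
                if alert:
                    alerts.append(alert)
                run = []
            run.append(ev)
        alert = _burst_alert(device, run, min_keys, max_median_gap_ms)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed telemetry: a person typing 11 keys at 180 ms spacing on one
    keyboard, then a 40-key burst at 5 ms spacing from a second HID device."""
    human = [KeyEvent(1_000 + i * 180, "hid-keyboard-A", k) for i, k in enumerate("hello world")]
    scripted = [KeyEvent(60_000 + i * 5, "hid-keyboard-B", k) for i, k in enumerate("abcdefghij" * 4)]
    return human + scripted


if __name__ == "__main__":
    for alert in find_scripted_bursts(sample_events()):
        print("scripted keyboard burst:", alert)
```

In practice the thresholds would be tuned against a baseline of the organisation's own typing telemetry, and an alert from a device that registered only seconds earlier deserves the highest priority.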
SOC Playbook: Physical Breach Detection & Response
Physical attacks rarely remain physical for long. Once attackers gain access to facilities, the objective typically shifts to credential theft, unauthorized system access, device implantation, or lateral movement. This makes early detection and rapid response critical.
Based on patterns observed during SISA’s red team engagements, SOC teams should prioritize detection and response actions around device registrations, physical access management, and RFID card and credential use.
Detection Priorities
Security teams should monitor for:
- New USB HID device registrations on endpoints
- RFID cards appearing at multiple locations within impossible timeframes
- Activity on secondary entrances outside normal operating hours
- Authentication activity from dormant accounts
- Unusual workstation activity following physical access events
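Two of the detection priorities above, RFID cards appearing at multiple locations within impossible timeframes and activity on secondary entrances outside normal hours, can be checked directly against badge-reader exports; the same logic also covers the "duplicate card usage patterns" priority from the RFID section. The script below is an added example, not SISA's playbook code, and runs over a constructed CSV export; the column names, site names, door names, business hours and minimum travel times are all assumptions for the illustration.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed badge-reader export. The field layout is assumed, not a vendor format.
SAMPLE_LOG = """timestamp,card_id,site,door,result
2025-03-04T08:02:11,C1001,HQ,main-lobby,granted
2025-03-04T08:05:40,C1001,HQ,server-room,granted
2025-03-04T08:09:03,C1001,BRANCH-12,rear-service,granted
2025-03-04T12:31:55,C2002,HQ,main-lobby,granted
2025-03-04T22:47:18,C3003,BRANCH-12,rear-service,granted
2025-03-04T23:10:02,C2002,HQ,loading-dock,denied
"""

# Minimum plausible travel time between sites (assumed values); pairs not listed are skipped.
MIN_TRAVEL = {frozenset({"HQ", "BRANCH-12"}): timedelta(minutes=45)}
SECONDARY_DOORS = {"rear-service", "loading-dock"}   # assumed door naming
BUSINESS_HOURS = (7, 20)                              # 07:00 to 20:00, assumed


def parse_log(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def impossible_travel(records):
    """Flag a card used at two different sites closer together in time than the
    minimum travel time between those sites. One card cannot be in two places;
    two cards carrying the same identifier can."""
    alerts = []
    by_card = {}
    for r in sorted(records, key=lambda r: r["timestamp"]):
        by_card.setdefault(r["card_id"], []).append(r)
    for card, events in by_card.items():
        for prev, cur in zip(events, events[1:]):
            if prev["site"] == cur["site"]:
                continue
            limit = MIN_TRAVEL.get(frozenset({prev["site"], cur["site"]}))
            if limit is None:
                continue
            gap = cur["timestamp"] - prev["timestamp"]
            if gap < limit:
                alerts.append({"card_id": card, "from": prev["site"], "to": cur["site"],
                               "gap_minutes": round(gap.total_seconds() / 60, 1)})
    return alerts


def after_hours_secondary(records):
    """Flag any swipe (granted or denied) at a secondary entrance outside business hours."""
    start, end = BUSINESS_HOURS
    return [r for r in records
            if r["door"] in SECONDARY_DOORS and not start <= r["timestamp"].hour < end]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for a in impossible_travel(records):
        print("impossible travel:", a)
    for r in after_hours_secondary(records):
        print("after-hours secondary entrance:", r["timestamp"], r["card_id"], r["door"], r["result"])
```

Denied swipes are deliberately kept in the after-hours check: a card refused at a loading dock late at night is exactly the kind of event that precedes a tailgating attempt, and it should be correlated with CCTV for that door rather than discarded.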
Response Priorities
When a physical security incident is suspected:
- Isolate affected endpoints immediately
- Review EDR telemetry and recent user activity
- Invalidate potentially compromised RFID cards
- Review CCTV footage and access logs
- Conduct sweeps for unauthorized devices
- Rotate credentials associated with exposed workstations
- Preserve evidence before remediation actions begin
Final Perspective
The findings from SISA's red team engagements reveal a reality that many organizations are only beginning to recognize: physical security weaknesses are increasingly being used to bypass mature cybersecurity controls.
What makes these findings particularly significant is that they reflect a broader shift in attacker behavior. As organizations strengthen identity security, endpoint protection, and network defenses, adversaries are increasingly looking for alternative routes that offer lower resistance and higher chances of success. Physical security and social engineering have become attractive options because they target trust, process, and human behavior rather than technology alone.
For security leaders, this means physical security can no longer be viewed as a separate operational function. It must be integrated into the organization's overall cybersecurity strategy, risk management framework, and security testing program. Access control systems, visitor management processes, employee awareness, physical monitoring, and incident response procedures should be evaluated with the same rigor applied to networks, applications, and cloud environments.
