Physical Penetration Testing: What Testers Actually Find Inside Your Building
Physical penetration testing tests whether the physical controls protecting your systems, data, and people actually work. Locked doors and access card systems fail more often than organisations expect. This guide explains what physical penetration testing covers and what assessors consistently find.
Locked doors, access cards and visitor policies all look fine on paper. A physical pentest is the only way to find out whether they actually work.
Physical penetration testing is the only way to find out whether the physical controls protecting your systems, data and people actually work as intended. Locked doors, access card systems, visitor policies and security cameras are all designed to stop unauthorised access. A physical pentest determines whether they actually do, under realistic conditions, against a motivated tester using the same techniques a real attacker would use.
This article explains what physical penetration testing covers, what testers consistently find, how it relates to NIS2 obligations and why physical security belongs in any complete security programme alongside technical testing.
TL;DR
Physical penetration testing simulates real-world attacks against buildings, access card systems and staff to verify whether physical controls actually stop unauthorised access. Testers use tailgating, badge cloning, pretexting and mystery guest techniques. Results almost always reveal tailgating gaps, unlocked server rooms, cloneable RFID badges and reception staff accepting implausible pretexts. Physical testing pairs well with a social engineering assessment to cover both human and physical attack surfaces.
Why physical security is often the weakest link
Technical security controls have improved significantly over the past decade. Organisations invest heavily in firewalls, endpoint protection, MFA and penetration testing of their digital infrastructure. Physical security has often not received the same scrutiny.
A motivated attacker who gains physical access to a facility can bypass many technical controls entirely. Plugging a device into an internal network port behind a reception desk bypasses perimeter firewalls. Accessing an unlocked workstation bypasses authentication. Copying files from an unattended, unlocked laptop sidesteps full-disk encryption, because the decryption keys are already loaded in memory while the machine is running. Stealing a printed document bypasses digital access controls entirely. This is why physical testing is often combined with internal network pentesting.
What physical penetration testing covers
Perimeter access controls
Testing covers how access to the facility is controlled at the perimeter: entrance doors, car park barriers, delivery areas, fire exits and any other physical entry points. Testers attempt to enter through both the designed access routes and alternative entry points that may have weaker controls. Common findings include tailgating opportunities at card-controlled doors, unmonitored secondary entrances and delivery areas that provide access to server rooms or wiring closets.
Access card and badge systems
Physical access card systems are assessed for whether cards can be cloned, whether proximity cards can be read at a distance without the holder noticing, and whether revoked credentials are correctly invalidated. Many legacy RFID badge systems can be cloned with widely available equipment, often from a distance of several centimetres. The assessment also covers whether badge readers log access attempts, whether anomalous access patterns generate alerts and whether lost or stolen badges are promptly deactivated.
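Two of the checks above (revoked badges still being accepted, and anomalous access patterns such as one badge opening two distant doors faster than anyone could walk between them) can be verified from the reader logs themselves. The following is an added example, not Sectricity's own tooling; the log format, the revocation list and the walking-time thresholds are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of badge-reader events (not from any real system):
# timestamp, badge_id, door, result
EVENTS = """\
2024-03-04T08:01:10 1042 main-entrance granted
2024-03-04T08:01:40 2210 main-entrance granted
2024-03-04T08:02:05 2210 loading-bay granted
2024-03-04T08:06:10 1042 server-room granted
2024-03-04T09:15:00 3377 main-entrance granted
2024-03-04T09:15:30 3377 main-entrance denied
"""

# Constructed revocation list: badge_id -> time the badge was reported lost/stolen.
REVOKED = {"3377": datetime(2024, 3, 4, 8, 30)}

# Hypothetical minimum walking time in seconds between two doors; a badge
# presented at both faster than this is consistent with a clone or a pass-back.
MIN_TRAVEL = {
    frozenset({"main-entrance", "loading-bay"}): 120,
    frozenset({"main-entrance", "server-room"}): 60,
}

def parse(log):
    """Yield (timestamp, badge_id, door, result) tuples from the log text."""
    for line in log.splitlines():
        ts, badge, door, result = line.split()
        yield datetime.fromisoformat(ts), badge, door, result

def find_anomalies(log, revoked, min_travel):
    """Return a list of (badge_id, description) findings, in log order."""
    findings = []
    last_seen = {}  # badge_id -> (timestamp, door) of its last granted access
    for ts, badge, door, result in parse(log):
        if result != "granted":
            continue
        # Check 1: a badge on the revocation list still opens doors, so
        # deactivation is not actually taking effect at the readers.
        if badge in revoked and ts >= revoked[badge]:
            findings.append((badge, f"revoked badge granted at {door}"))
        # Check 2: the same badge at two doors in less than the walking time.
        if badge in last_seen:
            prev_ts, prev_door = last_seen[badge]
            limit = min_travel.get(frozenset({prev_door, door}))
            if limit is not None and ts - prev_ts < timedelta(seconds=limit):
                gap = int((ts - prev_ts).total_seconds())
                findings.append((badge, f"{prev_door} -> {door} in {gap}s"))
        last_seen[badge] = (ts, door)
    return findings

if __name__ == "__main__":
    for badge, detail in find_anomalies(EVENTS, REVOKED, MIN_TRAVEL):
        print(badge, detail)
```

Badge 1042 reaches the server room five minutes after the entrance and is not flagged; badge 2210 covers entrance to loading bay in 25 seconds and badge 3377 is accepted 45 minutes after revocation, so both are reported.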
Social engineering and pretexting
Physical penetration testers use social engineering to gain access: impersonating contractors, delivery personnel, IT support staff or other plausible roles that would normally be allowed access. This tests whether employees follow visitor verification procedures, whether unescorted visitors are challenged and whether staff are willing to hold doors open for people who appear to belong.
Internal access controls
Once inside the building, testers assess internal access controls: server rooms, communications rooms, equipment racks, wiring closets and executive areas. Many organisations have good perimeter controls but inadequate internal controls. A tester who enters the building successfully may have unrestricted access to network infrastructure, unattended workstations and sensitive printed materials.
Clean desk and information handling
The assessment covers whether sensitive information is left accessible on desks, whether unlocked workstations are common, whether printed documents containing sensitive information are left unattended and whether screen lock policies are consistently enforced. These findings reflect both policy and culture, and they are often the fastest path to data exfiltration for an attacker already inside.
What physical pentests consistently find
Across physical penetration tests, Sectricity testers consistently find a small set of recurring weaknesses: tailgating at card-controlled doors, where employees hold the door for anyone who approaches with apparent confidence; server rooms and communications rooms left unlocked or protected only by the single barrier that was already bypassed at the building entrance; legacy RFID systems that can be cloned with off-the-shelf hardware; reception staff who accept implausible pretexts without verification; and live network ports in meeting rooms and public areas that connect directly to internal infrastructure.
Physical security is often treated as a facilities management issue rather than a security issue. When security and facilities teams are not aligned, gaps appear between the physical and digital security programmes. That gap is where an intruder operates.
Physical security and NIS2
Under NIS2 Article 21, essential and important entities must implement appropriate technical, operational and organisational measures to manage cybersecurity risks. Physical security is part of that scope. An attacker who gains physical access to a server room, a workstation or an unattended laptop can cause the same impact as a successful network intrusion. Organisations under NIS2 must be able to demonstrate that their physical controls have been tested, not just that they exist on paper.
Frequently asked questions about physical penetration testing
What is physical penetration testing?
Physical penetration testing is a structured security assessment of an organisation's physical security controls. Testers attempt to gain unauthorised access to a facility, restricted areas or sensitive systems using the same techniques real attackers use: social engineering, tailgating, badge cloning, lock bypass and pretext access. The goal is to identify gaps in physical security controls before a real attacker does.
What is tailgating in physical security?
Tailgating, also called piggybacking, is the practice of following an authorised person through a controlled entrance without independently authenticating. An attacker who waits near a card-controlled door and walks through behind an employee who holds the door open is tailgating. It is one of the most common physical access vectors because it exploits social norms: employees are reluctant to challenge people who appear to belong.
What is badge cloning?
Badge cloning exploits weaknesses in the proximity card systems used for physical access control. Many organisations still use legacy RFID cards that answer any reader with a static, unencrypted identifier, which can be read and copied with widely available hardware, often from a distance of several centimetres. An attacker who clones a badge can use it to access any area the original badge was authorised for. Modern encrypted card systems are resistant to cloning, but many organisations have not upgraded their badge infrastructure.
How does physical security relate to cybersecurity?
Physical access enables many cyberattacks that would be prevented by network controls. A device plugged into an internal network port bypasses perimeter firewalls. An unlocked workstation bypasses authentication requirements. Access to a server room provides opportunities for hardware attacks, firmware implants or direct data extraction that remote attacks cannot achieve. Physical security and cybersecurity are not separate domains: physical access is often the most direct path to compromising digital assets.
What happens during a physical penetration test?
A physical penetration test is conducted under a formal agreement with the organisation, with a defined scope and clear emergency contact procedures. Testers attempt to access the facility and any defined in-scope areas using realistic attack techniques. The test is documented with evidence of successful and unsuccessful access attempts. A report is produced that describes what was accessed, how it was accessed, and which improvements would close the identified gaps. Testers do not damage property or harm people.
Does NIS2 require physical penetration testing?
NIS2 does not mandate physical penetration testing as a specific requirement, but Article 21 requires essential and important entities to implement appropriate risk management measures, including physical security. To demonstrate that physical controls actually work, testing is the most defensible form of evidence. Organisations under NIS2 that host sensitive infrastructure or data in their buildings should include physical security in their risk management programme and test it regularly.
Related services and resources
Sectricity delivers physical penetration testing covering facility access controls, badge systems, mystery guest scenarios and internal physical controls. Physical tests are often combined with social engineering assessments, mystery guest testing and red team exercises for a complete human, physical and technical review. For related reading, see our guides on red teaming and what is social engineering. Start with a free security scan to map your exposure.