Physical Penetration Testing
An attacker does not need to bypass your firewall if they can follow a staff member through the door. We attempt to breach your facilities using the same techniques as real intruders, and show you exactly what they would find inside.
The Physical Security Risk Gap
Most organisations have never independently verified their physical security controls. An untested access control is a liability you own personally, and the only way to quantify that risk is to test it under controlled conditions.
Tailgating Success Rate
Of physical penetration testing attempts via tailgating succeed on first approach. Most organisations have never independently verified this figure.
Server Room Access Achieved
Of Precursor physical assessments result in access to a server room, network cabinet, or domain-connected device within the agreed engagement window.
Single-Site Assessment
Fixed-price physical penetration test including on-site assessment, photo evidence pack, written report, compliance mapping, and debrief call.
Controls
Prove Your Controls Work, Not Just That They Exist
A physical security audit checks your documentation. A physical penetration test checks your doors. Auditors increasingly require evidence of active control testing, not just policy compliance.
Paper-Based Review
Adversarial Simulation
Physical Security Testing Methodology:
From the Perimeter to the Server Room
Delivered by CREST-accredited consultants who also conduct internal network penetration testing. We know what an attacker does after they get through the door, because we test that too.
Access Control Bypass
Testing the effectiveness of your turnstiles, maglocks, and pass-back sensors. We use HID iCLASS-compatible readers and Proxmark-based RFID cloning to duplicate active access badges from up to 30cm, and test REX sensor exploitation to defeat tailgating prevention systems.
Social Engineering & Pretexting
Using convincing cover stories to gain access without proper authorisation. Pretexts are scenario-specific and agreed during scoping: common scenarios include facilities contractor, fire safety inspector, IT support attending a helpdesk ticket, and vendor delivery.
Network Jack Exploitation
Once inside, we identify 802.1X bypass opportunities and assess whether VLAN hopping is possible from guest or meeting room ports, testing the boundary between physical presence and full internal network access.
Lock Picking & Physical Bypass
Non-destructive testing of physical locks, latches, and padlocks. Techniques include single-pin picking, bump keys, shimming, and latch bypass (loiding). Server rack padlocks, fire door crash bars, and restricted access stairwells are all in scope if agreed.
Clean Desk Audits
We photograph and document any unattended credentials, sensitive documents, or unlocked screens, producing an evidence pack suitable for a disciplinary or policy review process, and formatted for auditor submission under ISO 27001 Annex A.11 controls.
Surveillance & Alarm Evasion
Mapping CCTV blind spots, PIR sensor coverage gaps, and alarm response times. We test whether your electronic security systems detect and respond to physical intrusion attempts, documenting the gap between assumed coverage and actual detection capability.
Physical Penetration Testing for Compliance
Physical security controls are required by every major security framework. Our assessment provides documented evidence for auditors, formatted as a compliance mapping table aligned to each standard.
ISO 27001
Physical and Environmental Security: independent verification of physical access controls required for certification
PCI DSS
Restrict Physical Access to Cardholder Data: physical penetration testing validates controls over data environments
DORA
ICT physical resilience for financial entities: operational resilience requires verified physical access controls
Cyber Essentials+
Physical access control verification is assessed as part of the Cyber Essentials Plus on-site audit process
SOC 2 Type II
Service organisations must evidence that physical access is restricted, monitored, and independently tested
Cyber Insurance
Many UK insurers now require evidence of physical security testing as part of their underwriting criteria
Globally Accredited Consultants
All physical penetration tests are delivered by CREST-accredited consultants.
Physical Penetration Testing Process
A structured four-stage operation, from initial reconnaissance to final debrief and remediation guidance.
Reconnaissance
We observe your facility from the outside to identify staff patterns, smoking areas, delivery schedules, and weak points in the perimeter. OSINT and physical site observation are combined to map entry vectors.
On-Site Entry Attempts
Our consultants attempt to gain entry during business hours (blending in with staff) or after hours (testing alarm response), depending on the agreed Rules of Engagement. Every access attempt is documented.
Objective Testing
Once inside, we attempt to achieve the agreed objectives: accessing the server room, planting a rogue device, photographing confidential material, or identifying exposed network ports.
Debrief & Reporting
A complete timeline of how access was gained, which controls failed, and a photo evidence pack with timestamps and annotations. Every finding mapped to compliance controls.
Physical Access to Domain Compromise
A physical penetration test does not end at the door. We test the full escalation path: from building entry through network access to digital compromise. Domain administrator access is regularly achieved within four hours of building entry.
Building Entry
Tailgating through a staffed entrance, badge cloning via Proxmark RFID reader, or social engineering pretext gains physical access to the facility.
Network Access
An exposed network port in a meeting room gives an intruder full internal network access. 802.1X bypass or a rogue device planted on the network.
Digital Compromise
From internal network access to Domain Admin within hours. Every firewall and endpoint control is bypassed entirely by physical presence on the LAN.
What You Receive
Every physical penetration test includes the following deliverables, formatted for both technical teams and non-technical board-level stakeholders.
Reports delivered within five working days via encrypted portal. Available in PDF format, suitable for direct submission to ISO 27001 auditors, PCI QSAs, and board stakeholders.
Close the Loop.
Physical to Digital.
Physical penetration testing proves the entry point. Pair it with internal network testing, red team operations, and 24/7 MDR monitoring to test and defend the full attack chain from perimeter to domain admin.
Social Engineering ServicesInternal Network Testing
What happens when an attacker already has internal network access.
Managed Detection & Response
Detecting rogue devices and insider threat behaviour in real time.
Red Team Operations
Full-scope adversarial simulation combining physical, digital, and social attack chains.
Phishing Simulation
Test the human layer remotely with managed phishing simulation campaigns.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Physical penetration testing is the active assessment of physical security controls. Instead of hacking a firewall, our consultants physically attempt to bypass doors, guards, and locks to enter your building and access sensitive areas such as server rooms or executive offices. Unlike a physical security audit, which reviews documentation, a physical penetration test actively proves whether your controls work in practice.
Safety is our priority. We use non-destructive entry methods throughout. We do not break windows or force doors. We operate under strict Rules of Engagement and consultants carry authorisation letters signed by your leadership throughout the engagement.
Getting caught is a successful test result. It means your staff or security team are vigilant. If challenged, our consultants present their authorisation letter and contact your designated point of contact to verify the exercise. All incidents are logged and included in the final report.
Yes. We can simulate after-hours intrusion to test intruder alarms, response times, and overnight physical controls, or conduct daytime assessments to test staff vigilance against tailgaters and social engineering pretexts. Scope is agreed during the scoping call.
Digital security controls are bypassed entirely once an attacker gains physical access to your building. An exposed network port in a meeting room gives an intruder full internal network access within minutes, regardless of your firewall or endpoint security spend. Physical penetration testing in the UK is increasingly required for ISO 27001 certification and PCI DSS compliance.
Yes. We conduct multi-site physical penetration testing programmes for retail chains, banks, and logistics companies to benchmark physical security across branches and regional offices. Multi-site engagements are scoped individually with fixed pricing per site.
Physical penetration testing starts from £5,000 for a single-site assessment. The fixed price includes on-site assessment time, a written findings report with photo evidence pack, compliance mapping, and a debrief call. Multi-site programmes and engagements with extended out-of-hours testing are scoped individually. Contact us for a fixed-price quote scoped to your specific sites and objectives.
Yes. ISO 27001 Annex A.11 (Physical and Environmental Security) requires that physical security controls are implemented and independently verified. Our physical penetration testing provides documented evidence of control testing suitable for ISO 27001 auditors, including findings mapped to specific Annex A.11 controls, severity ratings, and remediation recommendations. We also provide compliance mapping for PCI DSS Requirement 9 (physical access to cardholder data environments).
A physical security audit reviews your policies, procedures, and controls documentation against a standard: it is a paper-based review. A physical penetration test actively attempts to bypass those controls in practice: it is an adversarial simulation. Audits tell you what controls you have written down; penetration testing tells you whether those controls actually work. For ISO 27001 certification, auditors increasingly require evidence of active control testing, not just policy documentation.
Our physical penetration testing methodology follows a structured four-stage approach: reconnaissance (OSINT and physical observation of the site), entry attempts (tailgating, badge cloning via Proxmark-based RFID readers, social engineering pretexts, lock bypass including single-pin picking, bump keys, and latch bypass), objective testing (server room access, rogue device placement, clean desk audit, network jack identification and 802.1X bypass assessment), and debrief (full timeline report with photo evidence and remediation guidance). All engagements operate under agreed Rules of Engagement and consultants carry authorisation letters throughout.