
Physical Penetration Test Engagement Styles


Of all the types of penetration testing we perform at Schellman, physical security is frequently overlooked because many compliance frameworks simply don’t mandate this type of testing.

Of course, protecting your physical infrastructure can be challenging. Many organizations struggle to identify and address vulnerabilities, leaving them exposed to theft, vandalism, and other threats.

The good news is, you're already taking the right steps! By reading this, you're demonstrating a commitment to physical security.

Let us help you turn that commitment into concrete results. We'll uncover weaknesses and provide actionable recommendations to enhance your overall security posture.

Before beginning any assessment, we work closely with you to select the most appropriate engagement style - a decision that fundamentally shapes the scope, methodology, and outcomes of the testing process. 

 

Understanding Engagement Styles 

When it comes to a physical penetration test, we find that there are typically three basic engagement styles, each offering unique benefits and considerations that you should be aware of. Of course, they can (and should) be customized to fit your needs and even blended together with other penetration testing services such as an internal network penetration test. All of these engagement styles have the same thing in common: we are trying to accomplish whatever goal(s) you’ve set for this engagement. 

 

1. Covert Entry

Typical time requirement: 4-5 Days -- Price: starting at $32,000 including travel

A covert entry assessment provides the most realistic simulation of actual security threats. Our testing team would only be provided the address of the location(s) in scope. No prior background knowledge would be provided.  

This style typically has a longer reconnaissance phase, as all information needs to be gathered manually. Entry into the building is carried out in a way that avoids detection while reaching the agreed-upon goal.

It is common for this to occur off-hours or late in the evening. Social engineering can be performed, but typically it is avoided until other options are exhausted later in the engagement timeline. You can gain invaluable insights into your security awareness and emergency response procedures through this approach. You should also be prepared for additional legal documentation and carefully consider the potential for security response escalation.

Covert Entry: real-world example 

During a covert entry assessment, our team discovered and exploited a critical vulnerability in the access control system configuration when attempting to enter the building after hours. A door on a fenced-in patio had been scheduled to remain open, even when the building was unoccupied at night. We discovered this after jumping a fence and using the door to gain access to the facility. Had this been a walkthrough engagement, this finding could have easily been missed, as the door would have only been examined during normal business hours.

 

2. Informed Entry

Typical time requirement: 3-4 Days -- Price: starting at $26,000 including travel

This style of engagement involves strategic information sharing between our team and you, the client. When choosing this style of assessment, you will provide background knowledge about the testing locations, with the scope of shared information determined by your specific testing objectives. This approach allows for focused testing while maintaining elements of uncertainty that mirror real-world scenarios.

The informed entry approach offers an optimal balance between testing realism and operational efficiency.  

For example, you can strategically guide the assessment toward specific security concerns by sharing relevant information such as building layouts or access control systems, while withholding details about security procedures or patrol schedules.

This targeted approach reduces unnecessary reconnaissance time while ensuring that we can thoroughly evaluate the most important security elements. Success depends largely on the strategic selection of shared information to maintain test validity while meeting specific security evaluation needs.

Informed Entry: real-world example 

During an Informed Entry style of engagement, a client had an office location within a large office building shared with other tenants. Information about the building, such as what floor the client was on, what time staff began arriving and leaving, and basic security controllers, was shared with our testing team. This allowed the team to skip all testing of the main building and focus on the client directly. Armed with the provided information, our testing team was able to slip into the client’s office after hours by asking the cleaning crew to let them in.

 

3. Walkthrough

Typical time requirement: 1-2 Days -- Price: starting at $19,500 including travel

A walkthrough represents the most collaborative approach to physical security testing. During this style of engagement, a member of our team works directly with your security or facilities personnel to examine controls and gather information in a structured manner. This hands-on evaluation allows for immediate feedback and detailed examination of security measures.

This approach proves particularly valuable for organizations seeking a thorough examination of their security controls or those wanting to educate their security team through direct interaction with security professionals.  

We will execute various attack techniques and highlight control weaknesses, allowing you to understand what vulnerabilities exist, why they pose risks, and how they can be exploited. 

While walkthroughs don't simulate real-world attacks, they offer unique benefits through their educational and collaborative nature. This approach also proves highly efficient for examining specific security concerns or testing particular control mechanisms, as we can move directly to areas of interest without spending time on reconnaissance or bypass attempts. 

Walkthrough: real-world example

During a walkthrough, the client had concerns about how a breach of the local data center could occur. A member of the customer’s security team escorted the testing team on-site, shared background knowledge, and asked questions. When tools were deployed to bypass the doors in the data center, the security team was shown firsthand how the tools worked and the perspective from both sides of the door. This allowed the security team to apply the knowledge learned to other doors in their facilities.

 

Which Style is Best for You?

When choosing between Covert Entry, Informed Entry, and Walkthrough assessments, several factors should guide your decision. There is no one-size-fits-all or wrong engagement type; it depends on what your goals for the physical penetration test are. For example:

  • Covert Entry represents the most comprehensive and realistic evaluation of your security posture. By simulating real-world threat actors, this style provides unparalleled insights into how your security controls perform against actual adversaries.  
    • Covert Entry tests your people and procedures. Would your employees challenge a stranger in the office? 
  • Informed Entry proves valuable when specific security concerns need focused attention, such as testing new access controls or investigating particular areas of your facility.  
    • Informed Entry can help reduce engagement costs, as less time needs to be spent by our team gathering information 
    • Serious thought should go into the information to be shared 
  • Walkthroughs can provide initial insights and educational opportunities; they should primarily serve as a stepping stone toward more comprehensive testing styles.
    • This is a great way to show your employees how and why vulnerabilities exist 
    • Walkthroughs do not simulate real-world attacks 

Before beginning any engagement, ensure you have established: 

  1. Clear authorization and scope documentation 
  2. Emergency contact procedures and escalation protocols 
  3. Defined communication channels and stakeholder notifications 

Remember that truly understanding your security posture (be it physical, application, or network) requires testing under realistic conditions. While Informed Entry and Walkthroughs serve specific purposes, the traditional Covert Entry assessment provides the clearest picture of your organization's resilience against real-world threats. The insights gained from physical penetration tests can be a pathway toward enhancing your physical security measures and better protecting your business. 

Ready to speak with us about your physical penetration testing goals? Visit our short scoping questionnaire and we’ll be in touch within 24 hours.   

Or maybe you still want to learn more before having a call. We have you covered: read over our physical pen testing overview blog post, which touches on 90% of the common questions we receive.

About Tyler Petersen

Tyler Petersen is a Penetration Tester with Schellman Compliance, LLC based in Madison, Wisconsin. Prior to joining Schellman in 2022, Tyler worked as a Penetration Tester for a financial institution, specializing in external and internal network penetration testing. Tyler also supported various other areas of information security, including vulnerability scanning, incident response, and security operations. Tyler has a wide variety of certifications and currently holds his Certified Ethical Hacker (CEH), Offensive Security Certified Professional (OSCP), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), the Certified Red Team Operator (CRTO) and the Certified Information Systems Security Professional (CISSP). In his free time, Tyler is always learning more by doing CTFs and other events.