What red-team engagements reveal about physical security layering.
Across forty engagements, perimeter rarely fails first. Tailgating, social engineering, and organisational drift defeat defences more often than any clever attack.
Over five years of physical penetration engagements across European enterprise sites — data centres, corporate HQs, research facilities, one discrete pharmaceutical site — we've built up a catalogue of what actually fails on the day versus what was bought to prevent it. Some patterns are surprising. Most are not.
This note is about the patterns.
Every engagement described here was conducted under written authorisation from the client. No details are specific enough to identify any client or site. If you're considering an engagement, the rules of engagement document is more important than anything on this page.
The first pattern: perimeter is almost never the weakest link
Clients often focus their physical security budget on the perimeter — fencing, gatehouses, card readers at the main entrance, visitor management at reception. Fair instinct. The perimeter is the obvious boundary.
In practice, of the ~40 engagements we've completed, fewer than 10% of sites were defeated by bypassing the primary perimeter; the remaining 90% fell elsewhere. The full breakdown by entry method, perimeter bypass included:
- Tailgating (36%) — following an authorised person through a door they hold open
- Secondary entrances (24%) — loading docks, smoking areas, contractor entrances with weaker controls
- Social engineering at reception (17%) — forged letterhead, invented meeting, reception staff under pressure to be helpful
- Badge cloning (8%) — against sites using weak proximity card systems (125 kHz, no cryptography)
- Cleaning/maintenance impersonation (6%) — after-hours entry with high-visibility clothing
- Genuinely clever perimeter bypass (9%) — the one we all tell stories about
The second pattern: defence in depth works, but only if each layer is real
A site with three security layers — perimeter, building access, sensitive area access — defends significantly better than a site with one layer. But "defence in depth" fails if any layer is performative. Common cases where inner layers fail:
- The "always propped open" door. An access-controlled door that is propped open during working hours for convenience. The control exists on paper only.
- The unmonitored alarm. An intrusion sensor that fires, is silenced by staff without investigation (because it fires too often), and no longer triggers any response.
- The shared credential. A sensitive room with card access where the card is physically left in the reader because rotating staff need it.
We've defeated more inner layers through this kind of organisational erosion than through any technical attack.
The third pattern: cameras don't do what clients think they do
Clients frequently assume cameras are a deterrent. In practice, cameras are almost exclusively a forensic tool — they answer the question "what happened?" after the fact. They do not answer "is something happening now?" unless someone is watching them actively, which, in our experience, almost no one is.
This isn't a criticism of cameras. They're cheap, they're compliant, they help investigations. But "we have cameras" is not a control. "We have cameras monitored in real-time by a 24/7 SOC with documented escalation procedures" is a control. Most sites have the former.
What actually defends well
Sites that have given us the hardest time share features:
- A human gatekeeper with good judgement. A trained reception staff member who calls to verify an unexpected visitor, ignores pressure to be helpful, and escalates unusual patterns. One person doing this well defeats more attacks than any technology we've seen.
- Strong access control with cryptographic cards. HID iCLASS SE, MIFARE DESFire EV2, or similar. Not 125 kHz proximity (trivial to clone with equipment that costs €30).
- Mantraps at sensitive transitions. Two doors, interlocked, one open at a time, with anti-tailgating sensors. Boring to walk through every day; genuinely hard to defeat.
- Mandatory escort policies that are actually enforced. Visitors escorted at all times, contractor access scoped by time and location, random audit of adherence.
- Adversarial testing on a schedule. The clients who hire us annually find and close gaps that clients who hire us once never discover.
What to do with all this
If you own the physical security posture of a site, three questions to ask before spending more on systems:
- If someone tailgated through the main entrance right now, how far could they get before anyone noticed?
- How many of your access-controlled doors are currently propped open?
- When did someone last audit your contractor badge population for staff who no longer work for the contractor?
If those questions don't have quick confident answers, additional cameras will not fix the problem. People, procedures, and periodic adversarial testing will.
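Two of those three questions can be answered from the access-control system's own event export rather than by guessing. The audit script below is an added example, not tooling from the authors or any client: it assumes a constructed CSV export (timestamp, door, event, badge) and a constructed contractor roster, flags doors held open beyond a threshold (including doors still open at the audit time) and contractor badges that are used after the contract ended, idle, or never used.

```python
from datetime import date, datetime, timedelta

# Constructed access-control export (not from any real site): "timestamp,door,event,badge"
EVENTS_CSV = """\
2024-03-04T07:58:20,LOADING-DOCK,DOOR_OPEN,-
2024-03-04T08:05:02,MAIN-LOBBY,BADGE_OK,C-1042
2024-03-04T08:05:03,MAIN-LOBBY,DOOR_OPEN,-
2024-03-04T08:05:09,MAIN-LOBBY,DOOR_CLOSE,-
2024-03-04T08:47:55,LOADING-DOCK,DOOR_CLOSE,-
2024-03-04T09:12:40,SERVER-ROOM,BADGE_OK,C-2210
2024-03-04T17:30:00,SMOKING-AREA,DOOR_OPEN,-
"""

# Constructed contractor badge roster: badge -> contract end date (None = open-ended)
ROSTER = {"C-1042": None, "C-2210": date(2024, 1, 31), "C-3305": None}

def parse_events(text):  # -> [(timestamp, door, event, badge)], oldest first
    rows = []
    for line in text.splitlines():
        ts, door, event, badge = line.split(",")
        rows.append((datetime.fromisoformat(ts), door, event, badge))
    return sorted(rows)

def propped_doors(events, as_of, max_open=timedelta(minutes=2)):
    """Doors held open longer than max_open, as {door: seconds}; still-open doors count up to as_of."""
    opened, longest = {}, {}
    for ts, door, event, _ in events:
        if event == "DOOR_OPEN":
            opened.setdefault(door, ts)  # keep the earliest open if no close was logged
        elif event == "DOOR_CLOSE" and door in opened:
            longest[door] = max(longest.get(door, timedelta()), ts - opened.pop(door))
    for door, since in opened.items():  # never closed: still propped at as_of
        longest[door] = max(longest.get(door, timedelta()), as_of - since)
    return {d: int(h.total_seconds()) for d, h in longest.items() if h > max_open}

def stale_badges(events, roster, as_of, max_idle=timedelta(days=30)):
    """Contractor badges that should not be live: used after contract end, idle, or never used."""
    last_use = {b: ts for ts, _, e, b in events if e == "BADGE_OK"}  # sorted input: last wins
    findings = {}
    for badge, ended in roster.items():
        seen = last_use.get(badge)
        if ended and seen and seen.date() > ended:
            findings[badge] = f"used {seen.date()} after contract ended {ended}"
        elif seen is None:
            findings[badge] = "never used in the supplied log"
        elif as_of - seen > max_idle:
            findings[badge] = f"idle since {seen.date()}"
    return findings
```

Run against a real export, the two dictionaries give a same-day answer to "how many doors are propped open" and "which contractor badges should already have been revoked".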
One note on engaging with us
If you're considering a red-team engagement and this note is your first exposure to the concept: start with a scoped physical penetration test before considering broader engagements. Six hours on site, a defined set of objectives, a detailed report. It's the cheapest way to find out whether your security posture is where you think it is.
Scoping discussions via info@oxenex.eu. Be prepared to provide written authorisation from the asset owner before any work begins.