Security Testing

Physical Intrusion

Consultants with convincing pretexts and written authorisation test whether your premises, procedures and people would stop a real intruder.

Badge readers, visitor books and CCTV all look reassuring — until someone in a hi-vis vest carrying a ladder walks straight past them. A physical security assessment tests whether your access controls, visitor procedures and staff behaviours would actually stop an unauthorised person reaching your premises, restricted areas and assets.

Our consultants attempt entry using realistic pretexts: contractors, delivery drivers, IT engineers, visitors with a plausible story. Each attempt tests specific controls — reception and visitor management, access cards and door security, tailgating opportunities, and whether staff challenge an unfamiliar face. Optional extensions assess clean desk compliance, secure disposal, screen visibility and unattended workstations once inside.

What a physical security assessment tells you

The report shows the outcome of every scenario: which control held, which failed, and precisely where the intrusion path ran — supported by photography where safe and agreed. That per-scenario clarity is what makes the findings actionable: you learn not just that someone got in, but which specific door, procedure or behaviour let them, with practical recommendations for each.

Every engagement is strictly controlled. Scenarios, boundaries and rules of engagement are agreed and the Statement of Work signed before any attempt is made; consultants carry authorisation letters at all times; and there is never damage, force or distress — if a control genuinely holds, that is a finding worth celebrating, not something we bypass destructively. Scheduling is flexible too, covering office hours, shift changes or out-of-hours windows depending on what you want tested.

Results are documented in real time and delivered through Sentry with a full report, executive summary and debrief. The evidence supports the physical security requirements of ISO 27001 and PCI DSS, pairs naturally with phishing, smishing and vishing assessments for a complete picture of your human attack surface, and can feed objectives-based red team exercises for organisations that want to go further.

What you get

Realistic intrusion scenarios

Contractor, delivery, IT engineer and visitor pretexts test the controls a real intruder would face.

Per-scenario findings

Know exactly which control held, which failed and where the intrusion path ran — with photographic evidence where agreed.

Staff behaviour measured

Challenge rates and escalation behaviour show whether your security culture works at the front door.

Strictly safe and authorised

Written authorisation, consultants carrying letters, and never any damage, force or distress.

Compliance evidence

Findings support the physical security controls in ISO 27001 and PCI DSS.

How it works

  1. 01

    Scoping and design

    A questionnaire and scoping call establish your objectives, then we design realistic scenarios tailored to your sector, brand and threat landscape. Rules of engagement are agreed and the Statement of Work is signed before any activity begins. Typically one to two weeks.

  2. 02

    Assessment execution

    Campaigns, calls or on-site attempts run within the agreed window, with every interaction documented in real time so nothing rests on anecdote.

  3. 03

    Reporting and debrief

    We analyse the results and deliver a report and executive summary through Sentry, followed by a debrief session. For recurring programmes, each round is benchmarked against your baseline so you can evidence improvement.

Frequently asked questions

Straight answers to what prospective clients ask us most.

Is physical intrusion testing legal?

Yes — with your written authorisation, which we require before any activity. Scenarios and boundaries are agreed in the signed Statement of Work, and consultants carry authorisation letters throughout so any attempt can be verified on the spot.

What happens if a consultant is challenged?

That is a success, and it is recorded as one. The consultant can maintain the pretext within agreed limits or present their authorisation letter — either way, the challenge, and how it was handled, becomes evidence of a control that works.

Will you force locks or damage anything?

Never. Assessments rely on pretexts, tailgating and procedural gaps — the techniques real intruders prefer — and cause no damage, force or distress. If a physical control holds, the report says so.

What does the report include?

Every scenario attempted, its outcome, which controls held or failed, supporting photography where safe and agreed, and practical recommendations. It is delivered through Sentry with an executive summary and a debrief session.

Ready to talk about physical intrusion?

Get a fixed-scope quote, usually the same working day.