Tools and Resources for Physical Security Red Teaming

Reconnaishawnce/Red-Team

👿 Physical Security Red Teaming

Disclaimer: This post is for educational purposes only. Don't use this information or these resources for illegal or unethical purposes.

Introduction

Who does Physical Security Red Teaming?

Technology companies, banks, government agencies, energy companies, consultants, and many companies that protect critical assets, work in high-risk environments, or simply want to have industry-leading security all conduct physical security red teaming.

Why conduct Red Teaming?

If you have high-value assets, serious threats to your organization, or have discovered significant vulnerabilities the hard way, red teaming is for you. Red teaming should enable the business to carry out its mission with greater confidence, fewer surprises, and no interruptions. A good red team assessment will provide the business with key information relating to:

  • Tactics: The most likely tactics a threat actor (bad person/group) will use against your organization. This makes it much easier to focus resources and defend against those tactics.
  • Undiscovered Vulnerabilities: Uncover major undiscovered vulnerabilities. Red teams will often say "better us than them" - meaning it's better that an internal team uncover an organization's weaknesses than someone with bad intentions.
  • Address our Hubris: As security and risk management professionals, we think we know how to best protect our business, people, assets, and reputation. With stakes this high, we must be willing to test ourselves against real-world situations to see if our security measures hold up. Professional sports teams never go from practice straight to head-to-head games with their opponents. They have scrimmages, drills, pre-season, and other low-risk tests of their effectiveness. Likewise, a red team is your scrimmage partner.
  • Better Budgeting: Red teams challenge security assumptions and determine whether the money you spend on security, compliance, and risk management is truly keeping your business safer. There are many ways to allocate budget that we assume result in risk reduction. A red team determines whether these measures truly reduce risk, giving you confidence and providing the data to be most efficient with our
  • Protect your Assets: Protect your most important assets. Efficient red teams target your company's most important assets. Outside of being targeted by real-world adversaries, there is no better way to understand how well you are protecting your assets than a red team conducting an assessment on your most important company assets. These assets can be anything from employees, knowledge, intellectual property, servers, crypto assets, passwords, company bank accounts, financial assets, equipment, and much more.
  • Protect your Business: An assumption built on an assumption which is built on another assumption is a house of cards ready to collapse when one foundational assumption turns out to be false. Red teams are assumption assassins. They systematically identify corporate, security, and risk management assumptions and test to see if they are true (therefore, no longer assumptions), or false, in which case leadership then has the clarity and information they need to make more informed decisions. All of this enables the business to operate uninterrupted, minimizing surprises, and strengthening both resilience and confidence.

Physical Security Red Teaming

Companies will often have cybersecurity red teams, occasionally hardware red teams and AI red teams, but only a select few organizations employ internal physical security red teams. These organizations protect some of the world's most valuable assets, and have a very low appetite for loss. Technology companies such as Google and Facebook (Meta) have posted jobs indicating they have full internal red teams, while financial institutions such as UBS, Bank of America, Capital One, and other large banks that hold a significant portion of the world's financial assets have teams of various types to test their security. As adversaries are running into increasing roadblocks in digital security, many are looking to physical attacks to gain information or access to internal networks.

The global Physical Security market in 2022 was estimated to exceed $127 billion, with an expected increase up to $215 billion by 2030. How do we know that these billions are keeping businesses and populations safer? With real-world incidents and red team assessments. Waiting for a real incident to occur can have costly and sometimes catastrophic consequences. On the other hand, a red team assessment comes as close as possible to a real-world incident without introducing the risk to people, assets, and businesses that comes with an adversary's attack. In an environment where adversaries have to be right once to succeed, and businesses have to get it right 100% of the time, physical security red teams work to ensure that your business succeeds and your adversaries fail.

Physical Security Red Teaming Resources

To date, there is no extensive, free, or open source information repository to support businesses who want to:

  • Build an internal red team (there are many types - see Types of Red Teams)
  • Hire external consultants to test their security measures
  • Improve their physical red team
  • Expand their red team scope to include physical assessments
  • Enable security teams to test themselves

Over the past two decades, I have built the first internal red team at a FAANG company, consulted with many businesses who are building red teams, conducted red team assessments across the globe, taught (and continue to teach) red teaming to graduate students, helped law enforcement incorporate red teaming ideologies into training, and collaborated with hundreds of red teams from government entities, multinational corporations, and consultancies. There are ample and ever-expanding resources for cybersecurity red teams, but severely limited resources available for physical security red teams. The objective of this page is to provide and share resources, leading practices, strategies, frameworks, and knowledge with the physical security red teaming community.


Red Team Job Descriptions

Over the last several years, several companies have posted dedicated physical security red team positions; these are considered In-House Red Teams. Below are the ones I was able to capture and download.

| Company Name | Title (and link to Job Description) | Date Posted |
| --- | --- | --- |
| UBS | Physical Red Team Tester | 2023 - January |
| UBS | Cyber Security Specialist Physical Testing Team Lead | 2023 - January |
| Milestone Technologies (subcontractor for tech. companies) | Global Security Red Team Specialist | 2022 - January |
| Facebook (Meta) | Global Security Red Team Manager | 2019 - June |
| Amazon | Principal, Red Team, Physical Security Penetration Testing | 2022 - August |
| Google | Global Physical Security Auditing and Assessment Lead | 2021 - October |
| TikTok | Red Team Operator, Offensive Security Operations | 2023 - September |



Red Team Resources

| Resources | Website | Description |
| --- | --- | --- |
| Red Team Tools | https://www.redteamtools.com/ | Best place to buy high-quality red team tools |
| U.S. Army Red Team Handbook | https://drive.google.com/file/d/1cy6wi9s_SuyD9G4Qh8c5gRoBCEX5rDdn/view?usp=sharing | Decision-support focused red teaming PDF put out by the (former) United States Foreign Military and Cultural Studies (UFMCS) Group. No one is better at critical thinking focused red teaming than this group, and this is their latest (and last) publication. |
| Hak5 | https://shop.hak5.org/ | Tech. for red teamers |
| Toool | https://www.toool.us/ | Largest (and best) lock picking group. Join their community! |
| Probinsky's Covert Entry Toolkit | https://github.com/DavidProbinsky/RedTeam-Physical-Tools | Lists and descriptions of covert entry toolkits |
| Sparrows Lock Picks | https://www.sparrowslockpicks.com/ | Lock picks and tools of the trade |
| Red Team Alliance | https://www.redteamalliance.com/ | Red Team & Covert Entry Training |


Red Team Companies and Vendors

Company Strengths In Their Own Words
Pine Risk Management By far the best physical red team vendor available. Also - my own business - just to ensure full transparency. Strengths include high-quality work with budget-friendly pricing, along with the ability to bring red team professionals with a wide array of talents to bear depending on your needs. We are also heavily safety-focused, so if you are operating in a risk averse or highly sensitive environment, we will work upfront on multiple levels of safeguards to ensure we safely and effectively test your systems without introducing any undue risk. Pine Risk Management (PRM) conducts physical security assessments ranging from low-level assurance testing (e.g. can you trick our guards into plugging in a USB or letting us inside the building) to full-scale assessments where we emulate complex nation-state adversaries, using the tactics, techniques, and procedures (TTPs) that your most persistent and dangerous adversaries will use. We have experience assessing government and military sites, schools, data centers, education facilities (K-12 and higher education campuses), corporate offices, Fortune 500 companies, aviation sites, oil & gas corporations (offices, infrastructure, and plants), along with many critical infrastructure sectors, and much more. Each assessment is tailored to fit your needs, and our unique risk-based reporting ensures that you can effectively prioritize the most significant risks, while enabling you to easily accept or transfer risks that are within your organization’s risk appetite. Clients receive written reports, a risk register to track findings and fixes over time, along with USBs (or cloud-based sharing) of images, video, audio, and other media that can be used to show the story of how important security is, the consequences of insufficient security and funding, along with providing the details to inform remediation efforts and support security awareness training across the company.
The CORE Group Red Teaming, Access Control Testing, Technical Exploitation, Creative/New/Emerging Exploits. Seeks to understand your business and address the most likely threats, impactful scenarios, and valuable assets to your company. Detailed reports may include photos/video. Often recommends specific products to ameliorate risks. Blended attacks coupling surreptitious penetration with information procurement for a full picture of your security posture.
Rozin Security Red Team Assessments, Deep-Cover Social Engineer, International Red Team Assessments Rozin Security offers next level premium Red Team assessment services. We leverage years of experience our Red Team operators gained in intelligence agencies, military special operations units, and undercover law enforcement operations. That allows us to provide your organization with a quality assessment performed accurately from the adversary’s standpoint, uncovering relevant threat actors’ objectives and operational capability. We simulate relevant threat actors ranging from corporate espionage to low-level criminals, from terrorists and hacktivists to foreign governments. Red Team assessments exploit and identify vulnerabilities in operational, physical, and technological domains within your operations. The Red Team assessment drives proactive change of security operations and creates a partnership between various departments and the Red Team to identify exploitable vulnerabilities to reduce the likelihood of catastrophic security incidents.
CovertAccess Team Cyber-Physical Security Assessments Covert Access Team also specializes in physical penetration testing, an often overlooked, yet critical component of comprehensive security. We evaluate the strength of your physical security measures by simulating attempts to gain unauthorized access to your premises. Our skilled operatives analyze potential weaknesses in perimeter security, access controls, surveillance systems, and more. With a focus on integrating physical security with cyber resilience, we enable your organization to withstand a full spectrum of threats.
RedTeam Security (Now DeepSeas) Cyber-enabled physical and physical-enabled cyber attacks. Great details (example report) provided up front to clients. RedTeam Security's physical pen testing solution uncovers real-world vulnerabilities in the physical barriers and the systems that support them, meant to protect employees, sensitive information, and expensive hardware. Physical pen test specialists create simulated attacks that mimic criminals' actions to gain unauthorized access to sensitive equipment, data centers, or sensitive information. Some tested barriers might include doors and locks, fences, intrusion alarms, or even security guards and other employees. A RedTeam ethical hacker may leverage social engineering techniques to convince well-intentioned employees to provide building access that they should not have. They might even gain access to a meeting room and pick up credentials, access badges, or information left unattended. RedTeam Security teams know precisely how criminals might access computer systems and buildings. A security consultant may rely upon any or all these methods to gain access to the specified locations during a physical penetration test and identify damage that could be done once that access is gained.
Chameleon Associates Though I have not personally worked with Chameleon Associates, I have heard they have a wide network of talent across the US and some of Europe. I have also heard their skillsets are focused on covert entry and social engineering. The Only Way To Measure Return On Investment In Security Is Through Red Teaming! The cost of being unprepared can prove alarmingly high! To insure that your facilities are well-protected and secure, it is essential to test your procedures, personnel and security framework. Chameleon assembles an impartial and objective team to access your vulnerabilities through the eyes of your adversary.
Lares One of the largest and oldest companies doing physical red team assessments. "A real-world test of your facility’s ability to protect will provide a full picture of where defense and detection experience success or failure. As cyber-physical systems converge, the opportunity for attack grows and the number of potential blind spots increase. This interactive style of testing will stress test the capabilities of the most modern system and provide feedback you need to secure your most valuable assets. The process begins with a characterization of the facility including identification of critical assets. Guidance for defining a design basis threat is included, as well as for using the definition of the threat to estimate the likelihood of adversary attack at a specific facility. Once that’s determined, Lares® shows you an attacker’s ability to carry out physical attacks on your facility."
Coalfire (https://coalfire.com/services/security) An OG of the physical red team space that has expanded their business significantly towards cybersecurity and compliance. Generally known in the industry to do physical red team assessments; however, they have limited information available on their site about their current scope of work in this area.

Don't see your company on this list? Send me your name, website, and a description of your physical security red teaming work in your own words. Shawn[at]PineRisk.com

Red Team Articles

A selection of the best articles (and select quotes) on the wide array and significant impact of red teaming across industries:

  • Bloomberg Government: How Red Teaming helps government contractors win major contracts

    • "By harnessing the full potential of those guides—the red team—contractors can increase their chances of winning bids, fortify their projects against potential threats, and gauge their competitors’ strengths."
    • "A red team is a coordinated group of experts assembled from outside the proposal team, or even outside the affected business unit. Its task is to critically evaluate, provide a fresh perspective on, and reveal hidden vulnerabilities in a proposal. A red team offers an independent and impartial scrutiny of the proposal from multiple angles."
    • "Commit to a building a red team composed of diverse experts from various disciplines."
    • "It is easy to fall into the trap of seeking validation rather than criticism. However, a red team’s value lies in its ability to pinpoint weaknesses that internal stakeholders might overlook due to their familiarity with the project."
    • "Integrating the red team’s insights into a comprehensive risk management plan fosters a culture of continuous improvement"
  • Twitter's Use of Red Teams for New Products

    • "Researchers conducted a “red team” exercise, bringing together employees across the company to explore how the tool could be misused."
    • "The team assigned to the project [Spaces] worked overtime trying to get the feature out the door and didn’t schedule a red team exercise until August 10th — three months after launch."
    • "Spaces went live without a comprehensive assessment of the key risks, and white nationalists and terrorists flooded the platform"
    • "Earlier this year, Twitter walked back plans to monetize adult content after a red team found that the platform had failed to adequately address child sexual exploitation material."
  • How Twitter's Childporn problem ruined its OnlyFans competition plans

    • "Before the final go-ahead to launch, though, Twitter convened 84 employees to form what it called a “Red Team.” The goal was “to pressure-test the decision to allow adult creators to monetize on the platform"
    • "What the Red Team discovered derailed the project: Twitter could not safely allow adult creators to sell subscriptions because the company was not — and still is not — effectively policing harmful sexual content on the platform."
    • "Taking the Red Team report seriously, leadership decided it would not launch Adult Content Monetization until Twitter put more health and safety measures in place."
    • "The Red Team report “was part of a discussion, which ultimately led us to pause the workstream for the right reasons,” said Twitter spokeswoman Katie Rosborough."
    • "Given the size of the opportunity, the Red Team wrote, “ACM can help fund infrastructure engineering improvements to the rest of the platform.” "
  • ISACA: Physical Penetration Testing: The Most Overlooked Aspect of Security

    • Pro-Vigil’s annual research survey reveals that 28 percent of respondents saw an increase in physical security incidents in both 2021 and 2022
    • By understanding the methods that adversaries might employ to gain unauthorized access, organizations can take proactive steps to mitigate such risk.
    • It helps identify vulnerabilities in physical security measures, assesses the effectiveness of security protocols and enhances the safety of personnel. Moreover, it plays a crucial role in safeguarding sensitive data and valuable assets, ensuring compliance with industry regulations and mitigating risk associated with physical security breaches.

Red Team Media

| Talk Name | Delivered To | Media Medium | Speaker | Link |
| --- | --- | --- | --- | --- |
| You’re Probably Not Red Teaming... And Usually I’m Not, Either | SANS ICS 2018 | Video | Deviant Ollam | YouTube |
| An Introduction to Physical Red Teaming | The Security Student Podcast | Podcast | Shawn | Spotify, Show Notes |
| Challenging Assumptions at the Intersection of Cyber and Physical Security | Unspoken Security Podcast | Video & Podcast | Ana & Shawn | YouTube Part 1, YouTube Part 2, Spotify Part 1, Spotify Part 2 |
| Blending Awareness, Social Engineering, and Physical Penetration Testing | 8th Layer Insights | Podcast | Jayson E. Street | Spotify |
