Physical Penetration Testing of a Multinational Headquarters
Physical security remains the first line of defence for any organisation. While cybersecurity investment continues to grow, physical access to facilities can render even the most advanced digital defences obsolete. From cloned access cards to visitor badge abuse, adversaries have an expanding toolkit for gaining entry to sensitive spaces.
Our client — a multinational corporation headquartered in Manchester— sought assurance that their physical security measures were effective against real-world adversarial techniques. They engaged us to conduct a controlled physical penetration test of their flagship office building.
Over the course of a carefully scoped engagement, our red-team operators successfully bypassed security staff, cloned an access badge and gained access to two restricted floors. The test revealed procedural weaknesses in visitor management and a reliance on outdated badge configurations.
The outcome was a positive one: no assets were compromised, but the client gained critical insight into vulnerabilities, retrained their staff and restructured visitor badge permissions. This case demonstrates how controlled penetration testing can expose gaps before adversaries exploit them.
Background & Client Need
The client operated a multi-storey corporate headquarters in central Manchester. Hosting sensitive project teams, financial operations and senior executives, the building was a critical hub for both day-to-day activity and high-value negotiations.
The client’s objectives were clear:
Assess resilience of physical access controls, including badge systems and visitor protocols.
Test guard procedures and staff awareness under realistic adversarial pressure.
Demonstrate potential impact of unauthorised access without disrupting operations.
Provide actionable remediation guidance to strengthen overall resilience.
Underlying this was a recognition that competitors, activists or hostile insiders could attempt physical entry as part of wider intelligence-gathering or disruption campaigns.
The Challenge
Physical penetration testing presents several unique challenges:
Blending with the Environment
Operators must realistically simulate adversaries — from corporate visitors to contractors — without arousing undue suspicion.Bypassing Modern Access Controls
Badge systems, visitor kiosks and security turnstiles present technical and procedural hurdles. Weaknesses often arise not in the technology itself, but in how it is implemented.Testing Staff Vigilance
Front-line guards and reception staff are critical. Their willingness to challenge, escalate or permit access defines the effectiveness of security.Managing Risk
Unlike adversaries, penetration testers must ensure zero operational disruption, no harm to staff and no damage to property. Engagements must remain tightly scoped and controlled.
In the client’s case, the building was already perceived as secure, with security staff present 24/7. The challenge was to demonstrate whether that perception matched reality.
Our Approach
We followed a four-phase red-team methodology:
1. Scoping & Planning
Agreed with the client’s security director on objectives, boundaries and success criteria.
Defined rules of engagement: no network intrusion, no data exfiltration and no interference with business operations.
Conducted an external reconnaissance of the building: staff routines, badge protocols, contractor entrances.
2. Pretext & Access Strategy
Developed cover stories (pretexts) aligned to building operations — including a contractor role and a scheduled visitor.
Prepared equipment for badge cloning and covert entry attempts.
Selected entry windows where building traffic was highest (early morning and lunchtime).
3. Execution
Attempted entry through the main reception using visitor badge protocol.
Shadowed legitimate staff through turnstiles (tailgating test).
Conducted badge cloning exercise using a concealed reader near staff in a public setting.
Tested lock bypass on an internal office door.
4. Reporting & Debrief
Provided immediate verbal debrief to the security director.
Produced a detailed written report with screenshots, photos and technical notes.
Recommended remediation measures categorised into policy, training and technology.
Findings
The penetration test yielded several important findings:
Visitor Badge Weakness
A visitor badge obtained during the engagement provided unrestricted lift access to all floors. This was a procedural misconfiguration, as visitor badges should have been limited to a single meeting room floor.
Implication: Any adversary able to obtain a visitor badge could access executive and restricted floors.
Tailgating Vulnerability
During peak morning hours, our operator successfully entered behind a staff member without being challenged by reception or security staff.
Implication: Reliance on turnstiles alone was insufficient when staff awareness was low.
Badge Cloning
Using a concealed RFID reader in a nearby café, we cloned an employee’s access card. The cloned card functioned successfully on building turnstiles.
Implication: Badge encryption was insufficient to prevent cloning with readily available tools.
Lock Bypass
An internal office door secured with a low-grade lock was bypassed non-destructively using standard door bypass techniques.
Implication: Sensitive areas within the building were not adequately protected against basic physical attacks.
Outcomes & Remediation
The client took immediate and longer-term remediation steps:
Visitor Badge Controls
Reconfigured visitor badge templates to restrict lift access.
Implemented escort-only policy for visitors beyond reception floors.
Staff Awareness Training
Conducted refresher training for guards and reception staff on tailgating challenges.
Introduced “challenge-friendly” culture where staff are empowered to question.
Badge Security Upgrade
Initiated migration from legacy RFID badges to modern encrypted smartcards and use of pins.
Introduced randomised access audits.
Internal Lock Upgrades
Replaced vulnerable internal locks with higher-grade cylinders.
Instituted periodic lock audits as part of facilities management.
Value to the Client
The engagement delivered clear and measurable value:
Proof of Concept
The test provided tangible evidence of vulnerabilities, making the risk real to executives and stakeholders.Enhanced Training
Security staff received specific lessons derived from real-world scenarios.Improved Resilience
Technical upgrades to badge systems and locks reduced the likelihood of future exploitation.Governance & Assurance
The findings were logged in the organisation’s risk register, demonstrating compliance and proactive risk management as part of ISO certification.
Why This Matters for Other Organisations
Physical penetration testing is not about embarrassing security teams — it is about uncovering blind spots before adversaries do.
For organisations in finance, law, technology or critical infrastructure, the consequences of unauthorised entry can be severe: stolen data, planted devices, reputational fallout or compromised negotiations.
This case demonstrates that perceived security does not equal real security. Regular testing, particularly by external red teams, provides assurance that controls are effective under real-world pressure.
Closing Note
For this client, the engagement underscored a fundamental truth: physical security must evolve alongside cyber. The vulnerabilities we uncovered were not exotic or theoretical — they were simple, avoidable oversights. By addressing them, the client not only strengthened their physical resilience but also reinforced their overall security posture.
If your organisation requires assurance that its physical security is truly effective, our red-team operators can deliver controlled penetration testing engagements tailored to your environment — with actionable outcomes and zero operational disruption.