Operator path
2. Badge cloner · side door: 125kHz clonable badge · T1556-phys
3. Loading dock: unmonitored · no CCTV
4. Server-room door propped: unsecured MDF
Objective: reach server room - ACHIEVED in 11 min (sample)
Severity legend: Critical · High · Medium · Low
What is Physical Pentest?
Physical penetration testing is an authorized, real-world assessment in which testers attempt to bypass your physical security controls - tailgating through doors, cloning RFID badges, picking or bypassing locks, and using pretext to talk their way past reception - to reach sensitive areas such as server rooms, wiring closets, and workstations. CyberXplore runs senior-led, fully manual physical engagements that combine on-site covert entry with social engineering and post-access network footholds, then deliver evidence-backed findings and pragmatic remediation. Our testers hold OSCP, CRTP, and CREST credentials, and every engagement runs under strict, written rules of engagement.
PTES · OSSTMM · NIST · ISO 27001 · MITRE ATT&CK
Why CyberXplore
Senior-only testers (OSCP, CRTP, CREST)
ISO 27001 & ISO 9001 certified
Free retest + attestation letter
Tailored scope and quote in 24 hours
Why it matters
Your firewalls and EDR are irrelevant if an attacker can walk in, plug into a network port, or carry a server out the door - physical access often defeats every digital control at once.
Tailgating, propped doors, unmonitored loading bays, and helpful staff are exploited daily; most organizations have never tested whether their badges, locks, and reception process actually stop an intruder.
Cloned or default RFID badges and weak mechanical locks give attackers persistent, low-noise access to floors and server rooms that no SIEM will ever flag.
Frameworks like ISO 27001, SOC 2, and PCI DSS require effective physical and environmental controls - independent physical testing provides the evidence and assurance that they work.
Aligned with industry standards: PTES · OSSTMM · NIST · ISO 27001 · MITRE ATT&CK
Our methodology
01
Scoping & Rules of Engagement
We agree target sites, in-scope buildings and floors, permitted techniques, safe words, emergency contacts, and a signed authorization (get-out-of-jail) letter so testing is safe, legal, and deniable to general staff.
02
Reconnaissance & OSINT
We profile the facility remotely and on foot - entry points, guard rotations, badge readers, loading docks, smoking areas, supplier uniforms, and staff details - to plan credible pretexts and entry routes.
03
Covert Entry & Badge Attacks
We attempt tailgating and piggybacking, clone or replay RFID/NFC badges with long-range readers, bypass or pick locks, defeat door sensors and request-to-exit gadgets, and test mantraps, turnstiles, and after-hours access.
04
Pretext & Social Engineering
Using reception, delivery, contractor, and IT-support pretexts, we test whether staff challenge visitors, enforce sign-in and escorts, and resist requests that grant access to restricted areas.
05
Objective Execution & Network Foothold
Once inside, we pursue agreed objectives - reaching the server room, photographing sensitive documents, accessing unlocked workstations, or dropping a rogue device on the internal network to demonstrate true business impact.
06
Reporting, Debrief & Retest
We deliver a narrative attack walkthrough with photographic evidence, severity-rated findings, and prioritized remediation, walk your team through it, and re-test fixed controls - included free.
Tailgating, piggybacking, and unescorted-visitor access
RFID/NFC badge cloning, replay, and default/duplicate card attacks
Mechanical lock picking, bumping, and bypass (latches, padlocks, deadbolts)
Door hardware bypass - request-to-exit sensors, magnetic locks, door gaps
Reception, visitor sign-in, and escort policy testing
Pretexting as delivery, contractor, IT support, or new employee
Server room, wiring closet, and data-center access
Unattended workstation, clean-desk, and sensitive-document exposure
Rogue device / network drop and physical-to-network pivoting
What you get
Executive summary translating physical risk into business impact for leadership
Narrative attack walkthrough documenting each entry and objective achieved
Detailed findings with severity ratings, photographic evidence, and locations
Prioritized, practical remediation guidance for controls, hardware, and staff awareness
Free retest of remediated controls with a verification letter
Attestation letter for auditors, customers, and compliance (ISO 27001, SOC 2, PCI DSS)
Sample deliverable
What you'll see in your report
Every engagement ends with a clear, prioritized report: severity-rated findings with CVSS scores, affected assets, and remediation status - plus a free retest. The figures below are illustrative.
Findings by severity (12 total): Critical 2 · High 6 · Medium 3 · Low 1
Critical · CVSS 9.6 · CX-1220
Full domain compromise (Domain Admin obtained)
MITRE T1003 · CORP domain · Open
Critical · CVSS 9.0 · CX-1214
EDR bypass - payload executed, no alert raised
MITRE T1562 · ws-022.corp.local · Open
Illustrative red team assessment sample - anonymized to example.com.
High · CVSS 8.0 · CX-1202
Spear-phishing → initial access (38% click rate)
MITRE T1566 · 24 of 63 employees · Open
Want the full anonymized sample report? We'll include it with your quote.
“As an early-stage team we needed real depth, not a checkbox scan. They hardened our LLM product and walked us through every fix.”
Hardened in 30 days
Founder & CTO
Early-stage AI startup · Seed · LLM product
AI / ML
Certifications held by our testers
OSCP
CRTP
CREST
CEH
eWPTX
ISO 27001
ISO 9001
Frequently asked questions
Yes. Every engagement runs under a signed authorization and rules of engagement that define in-scope sites, permitted techniques, working hours, and emergency contacts. Testers carry a get-out-of-jail authorization letter and never force entry, cause damage, or put people at risk.