Physical penetration testing is a core service at Valkyrie, and we conduct these assessments regularly. Depending on the client’s request, some are undertaken opportunistically, while others involve meticulous planning, including online and real-world reconnaissance. Last month, we carried out a test at a central London office—not to cause disruption, but to identify vulnerabilities and help mitigate them before someone with real intent could exploit them.
The outcome? Predictable, but concerning. Access control existed. Reception was manned. Policies and procedures were in place—but were they up to date? Were they adhered to? Or were they just a box-ticking exercise?
Despite visible security measures, a confident approach and a plausible story were all it took to walk through the door. No ID checks. No verification calls. No second-guessing. Once inside, we had unrestricted access to the office. We could have:
- Stolen sensitive documents, access cards, or company devices.
- Planted malicious software via an unattended workstation.
- Deployed eavesdropping devices to monitor activity and intercept sensitive conversations.
- Mapped security blind spots for a larger, more damaging breach.
This wasn’t a sophisticated cyber-attack. It wasn’t high-tech. It required minimal planning, no advanced reconnaissance, and no specialist tools—just what the client requested: a real-world test of everyday vulnerabilities. It was social engineering at its simplest—and it worked.
Security isn’t just about firewalls, cameras, and locked doors. The real weakness is often human nature—assumptions, misplaced trust, and a reluctance to challenge. Defending against both physical and digital threats requires more than technology. It demands robust policies, regular training, and a security-conscious culture where questioning the unexpected isn’t seen as impolite—it’s seen as essential.
When was the last time you tested yours?