Original Research

Locks & Leaks

Risk, resilience, and red teams! Promoting and supporting the Physical Red Teaming profession, along with articles, tutorials, and stories about physical security, red teaming, and security risk management.

The mission of Locks & Leaks is to promote the physical security red teaming profession, elevate the discipline, and develop a practitioner community to advance and mature red teaming tradecraft. Our core is red teaming – but our mission is ultimately to help our organizations (and blue team partners) make better security decisions and systems. To do this, we need effective and mature security risk management – a concept that frequently eludes even the best-staffed security organizations.

Below is an outline of the L&L structure. As new posts are published, the text below will turn into links.

Locks & Leaks Overview

PhySec Red Teaming Introduction

  • PhySec Red Teaming Overview

  • What’s the Point? Why do organizations conduct physical red team assessments, and who should do it?

  • Red Team Resources: Equipment, vendors, job descriptions, and training resources [Github – updated monthly]

  • Types and Approaches

    • Cyber vs. Physical

    • Internal vs. External

  • Ethical Considerations – An Introduction

  • Legal Implications of Red Teaming

PhySec Red Teaming as a Profession

  • Breaking Into the PhySec Red Team Profession

  • Growth as a PhySec Red Teamer

    • You’re through the door and are now a red team professional. Now what?

  • What does maturity look like?

    • Envisioning a robust and mature PhySec red team profession.

  • Red Team Analysts

    • The secret weapon on a team full of secret weapons.

    • Perspectives: Analyst | Manager

  • 12 Tradecraft Talents

    • The areas of expertise that can position you as a sought-after operator for red teams (or broader security teams).

Red Team Types & Targets

A series on how to safely test non-traditional security teams.

  • Breaking into Buildings (BiB)

  • Executive Protection

  • Event Security

  • Mail Screening

  • Security Awareness (tailgating, unescorted visitor, etc.)

  • Crisis Management

  • Data Centers

  • Analytical Red Teaming

  • Countersurveillance Detection Teams

  • TSCM Program Testing

  • Training Staircase (Training, Workshop, Drill, Exercise, Red Team)

Red Team Tradecraft

  • Tradecraft Overview

  • Red Team Tools

  • Surveillance


  • Probing (TED – Try Every Door)

  • Door/Lock Bypass Options

  • Lockpicking

  • The state of RFID Hacking, badge cloning, and access control exploitation

  • Social Engineering

    • Ethics & Social Engineering

    • Cover Stories & Escape Plans

  • Destructive Entry

Building a Red Team

  • Build vs. Buy Decision (Part 1, Part 2)

  • Choose a Red Team Model

  • The Foundation

  • Red Teaming in Industry Standards

  • Key Partners for PhySec Red Teams

    • Internal: Within the PhySec Org

    • Internal: Across your Company

    • Internal: With other company red teams

    • External: Across the Industry (RT vendors, exploit vendors, other RTs)

  • Governance Documents (Red Team handbook, communications plan, etc.)

  • “That’s On Me”: Owning Red Team Mistakes and Misfires

  • Legal Eagles: When and how to work with your legal team

  • CMMI for Red Teaming: Certifying that you have de-risked your red team

    • De-Risking the Red Team: Legal considerations

  • 12 Step Roadmap to Starting a Red Team

How to Prioritize as a Red Team

  • Overview

    • BANPE: Brainstorm, analyze, narrow, prioritize, execute

  • Poison Circles

  • Threat Modeling

  • Tactics

    • Threat Actor Identification, TTP review, and complexity determination

  • Types of Tests

    • Scratching the Surface vs. Deep Dives

    • Threat-Focused Tests

    • Vulnerability Focused Tests

    • Asset & Impact Focused Tests

  • Prioritizing Frameworks and Templates

    • Using Planning to Promote Buy-In

    • Prioritization Factors

    • [Resource] Prioritization Template

  • Monthly Vendor Testing

Covert Chronicles

Sanctioned crime stories and lessons learned while (mostly) safely conducting red team assessments:

  • Long Guns & Lessons Learned

  • All It Takes is a Vest

  • My First Time

  • When the Red Team gets Red Teamed

  • “Please Stop Chasing me, over”

  • Hiding a Secret Safe

  • Low-Speed Chase

  • Scooter Surveillance

Red Team Lifecycle

A step-by-step guide on how to carry out your red team

Phase 1: Proposal

  • Will you Red Team Me?

    • What is a proposal, and why write one? Learn how to proactively address detractors, gather buy-in, ensure safety, and get CYA approvals.

  • Scoping a Red Team Assessment

  • [Resource] Red Team Proposal Template

  • Safety & Security Considerations

    • [Resource] Template and Examples

    • Armed Security & Law Enforcement

Phase 2: Planning

  • Resource Allocation, Timeline, & Budget

  • Communication Plan

    • Stakeholder Engagement planning, and creating the appropriate communication channels (internal within the team, external to various people, law enforcement notification, etc.)

  • Go/No-Go Decision

  • Letters of Authorization (LoA)

    • [Resource] LoA Template

Phase 3: Execution

  • Safety Briefing, Notifications, and Communication

  • STOPOP: Knowing When to Stop

Phase 4: The Aftermath

  • Closeout: Ending the Operation (how to STOPOP)

  • Tagalong Tasks

    • Actions to take 1 minute, 1 hour, 1 day, and 1 week after STOPOP

Phase 5: Reporting

  • Communicating Findings to Leadership

  • Writing a Red Team Report

    • [Resource] Red Team Report Sections (describing vulnerabilities, severity, complexity, and potential mitigation options)

*Phase 6: Vulnerability & Risk Management

  • Who Tracks Red Team Findings?

    • Vulnerability & Risk Management Teams

    • The Red Team

  • Ways of Tracking Red Team Findings

  • Convincing Leadership to Mitigate Risks

*Phase 7: Trend Analysis

  • Identifying and Highlighting Trends in Red Team Findings

Phase 8: Retesting

  • Retesting Overview


*Typically not completed by the red team.

Red Team Lifecycle for Consultants

The lifecycle of conducting a red team assessment should largely follow the above lifecycle. Several additions are essential for third party consultants:

  • When to Red Team: More importantly – recognizing when a client is not ready for a physical penetration test.

  • Proposal: Drafting a business proposal and Statement of Work

    • Identifying which phases the client wants involvement with.

Want to help?

If you have expertise, experience, insight, or interest and you can contribute, please email us. We are always looking for writers, different perspectives, resources, and more.

Physical Red Teaming & Penetration Testing