Original Research

Locks & Leaks

Risk, resilience, and red teams! Promoting and supporting the Physical Red Teaming profession, along with articles, tutorials, and stories about physical security, red teaming, and security risk management.

Physical Security Red Teaming

Internal physical security red teams are deemed pioneering in the public sector, and only a select few organizations employ them. These organizations protect some of the world’s most valuable assets and would face irreparable damage if they encountered a major breach. Technology companies such as Google, Meta (Facebook), and TikTok have posted jobs indicating they have full internal red teams, while financial institutions including UBS, Bank of America, Capital One, and other large banks that hold a significant portion of the world’s financial assets have red teams to test their security systems. As adversaries run into more pervasive digital security measures, they are looking to physical attacks to gain information or access to internal networks. These are often called physical-enabled cyber attacks.

The global Physical Security market exceeded $127 billion in 2022, with an expected increase up to $215 billion by 2030. How do we know that these billions are keeping businesses and populations safer? Only two things give you real data about whether these security measures work: a test by a red team or a test by a real-world adversary. Waiting for a real incident to occur can have costly and sometimes catastrophic consequences. A red team assessment, on the other hand, simulates real-world incidents without introducing the same risk to people, assets, and businesses that a true adversary’s attack would. In an environment where adversaries only have to be right once, and businesses need to successfully defend themselves 100% of the time, physical security red teams identify the cracks in the defenses and proactively help fix them before an adversary tries the same approach.

Physical Security Red Teaming Resources

To date, there is no extensive, free, or open-source information repository to support businesses that want to:

  • Build an internal red team (there are many kinds – see Types of Red Teams)

  • Hire external consultants to test their security measures

  • Improve their physical red team

  • Expand their red team scope to include physical assessments

  • Enable security teams to test themselves

Over the past two decades, we have built the first internal physical security red team at a FAANG company, consulted with many businesses who are building red teams, conducted red team assessments across the globe, taught (and continue to teach) red teaming to graduate students, presided on boards to advance the science of red teaming, helped law enforcement incorporate red teaming ideologies into training, and collaborated with hundreds of red teams from government entities, multinational corporations, and consultancies. There are ample and ever-expanding resources for cybersecurity red teams, but severely limited resources available for physical security red teams. The objective of this Substack is to provide and share resources, leading practices, strategies, frameworks, and knowledge with the physical security red teaming community.

Security Assurance & Stress Testing