Original Research

Locks & Leaks

Risk, resilience, and red teams! Promoting and supporting the Physical Red Teaming profession, along with articles, tutorials, and stories about physical security, red teaming, and security risk management.

So you want to become a physical red teamer?

Historically, physical red teaming has been relegated to a sub-role of other professions. It may be one of many day-to-day responsibilities for cybersecurity red teamers and security consultants, and our not-so-secret goal at Locks & Leaks is to pull physical red teaming into the realm of a standalone profession instead. Only a select few security professionals get to say that they run physical red teams full-time, despite the need for this role increasing across the industry. So, what does it entail to break into a profession that breaks into the most secure facilities and systems on the planet? Locks & Leaks is currently the only publication to provide public and detailed information aimed at growing and maturing physical red teaming as a profession and a career path.

Let’s jump in.

State of the State

Who conducts physical red teaming in the United States? If you took a sample of 100 physical assessments occurring in a given month, who are the operators carrying out those assessments and what companies are they working for? Unlike well-established professions, physical red teaming does not have a clear career path. To become a physical red teamer, it is essential to understand how today’s red teamers got into their roles, who they work for, and what skills are needed to join them.

Of those 100 assessments, here are the positions and types of companies that they are working for.

  • Direct Employment: Your mileage may vary internationally; however, specific to the United States, there are an estimated dozen or fewer dedicated in-house organizations with physical red teams, many of them within government. In U.S., this means that you can safely assume there are under 100, and likely under 50, physical red teaming professionals who are hired directly to run tests against security systems for a company or government agency full-time. The market is small, insular, and difficult to break into.

    • Example: If, let’s say, Google hires a full-time Physical Red Team operator to run assessments against Google’s offices and data centers.*

    • Approach: From 2020 onward there were, on average, 2-3 U.S. job postings each year for these types of positions. You can read the descriptions here. If this is a route you want to pursue, I recommend tailoring your resume to the descriptions and gaining the skills and experience to meet the job requirements. That way when these highly sought after jobs open up, you will be ready to pounce as a competitive candidate.

    • Personal: This is how Ana – one of the Locks & Leaks authors – started her red teaming career. She joined Shawn in this role, though Shawn originally started his red teaming career in physical security consulting (see below).

  • Directly Employed (Physical Part Time): Companies, who recognize the need for red teaming but are unable or unwilling to hire a full-time team, may ask security professionals in other roles to dedicate a percent of their time to conducting physical red team assessments. This is more common than direct employment.

    • Example: If an oil company asks two employees on their Executive Protection team to join three employees from the Crisis Management team to conduct one red team assessment each quarter taking up no more than 20% of their total working hours.

    • Approach: These positions are nearly impossible to find externally. It is rare, but not unheard of, for a company to post a physical security position that also has part-time red team responsibilities. This path is likely the hardest option to directly pursue; however, if you can find a company that has this setup, I recommend doing informational interviews with one or two people who work in this hybrid role, gathering information on the best position to pursue and skills you would need to join them, and then applying for roles within physical security organization at this company.

  • Directly Employed Cyber (Physical Within Role): Many in-house cyber red teams will also conduct physical assessments, either as part of a larger cyber assessment or as a stand-alone assessment. This is the most common way that red team tests are conducted in-house; however, I would argue from experience that this also has the worst return-on-investment for security teams.

    • Example: If a large bank’s cybersecurity red team conducts two physical assessments each year, one focused on the offices and the other on data centers and infrastructure. All operators during the assessments are within the cybersecurity red team.

    • Approach: Search for job descriptions for “Red team” or “penetration testing” that also have the word “physical” in them. In 2023, TikTok posted many of these. If you have job alerts for “physical” and “red teaming”, then these are the types of jobs you will see most often. To pursue this route, you must first begin by gaining the requisite skills and experience to join a cybersecurity red team. Try to join a cybersecurity red team that has willingness, interest, or history of conducting blended physical/cyber attacks. Partner with the physical security team and work yourself into being the team’s liaison between the cybersecurity and physical security teams. Understand the needs, strengths, and pain points of the physical security teams, and run tests in partnership with them, or that help support their goals. Remember, you’re not a real adversary, you just play one in a movie. If you want to be the physical security-oriented cyber red teamer, find as many collaborative, joint learning, and other partnership opportunities with your physical security partners as possible.

  • Consulting (Physical Only): There are a bevy of security consulting companies who conduct physical red team assessments. Most of these firms do general physical security consulting, training, and risk assessment work with some red teaming, as needed. However, there are very few who are primarily or solely focused on physical red teaming (full disclosure, and as you may have been able to guess, the authors of this Substack own one of those few companies).

    • Example: Physical security consulting firms that also do some red teaming: The CORE Group & Rozin Security.

    • Approach: Many security consulting firms hire 1099 (independent contractors) more often than W2 (employees). To pursue this option, find a list of consulting firms that also do red teaming (as an aside, get good at Google Dorking or using Boolean logic searches on Google. This will be essential for any OSINT work you do, and it will help you find security consulting companies). Thus begins your first red team assignment: research who works for those companies and the skills they have, and begin gaining those. Become familiar with various physical security standards. Connect with consultants at the firms you are interested in, apply for jobs, or send your resume in and offer your services on risk assessments, red teams, or other consulting work they have. As always, be careful with signing contractual obligations that may limit your ability to move into roles better suited for your career goals. If you are already consulting and conducting risk assessments for clients, try doing walk-throughs where you actually test whether their duress alarm does what they say it does, or whether a piece of metal or canned air can unlock their perimeter doors from the outside. From there, ask if you can do a small nighttime or social engineering assessment to gather more information for the risk assessment. Slowly begin adding more penetration testing and hands-on work to your risk assessments until you approach a full-scale red team assessment. As always, make sure to get permission, in writing, for everything you do at a client’s site.

    • Personal: This is how I (Shawn), one of the Locks & Leaks authors, started my career, before being hired by Facebook (now Meta) in a “Directly Employed” role to build the company’s first physical security red team.

  • Consulting (Cyber-Physical): In my estimation, if you took the sample of 100 physical red teams that are conducted each month in the U.S., this category would be the most common. Many cybersecurity consulting firms also have physical red teaming capabilities, and companies hire cybersecurity consulting firms far more often than they do physical security consulting firms. Therefore, the group of red team professionals that has the most direct line to sell a client on a physical red teaming engagement is the cybersecurity consulting firm that has already been hired by the client. In other words, a physical red teamer working at a cybersecurity consulting firm is likely to see the greatest number of engagements.

    • Examples: Coalfire and Lares are two cybersecurity consulting firms that also carry out physical red team assessments.

    • Approach: Admittedly, I have the least knowledge in this category, so if you are interested in pursuing this route, I recommend speaking to professionals at these cybersecurity consulting firms to learn more. To pursue this route, simply combine the cybersecurity (in-house) and physical security consulting recommendations above. Look at current professionals in these roles (LinkedIn), gain relevant skills and experience, apply to jobs, reach out and connect with current consultants, and send in your resume. There are several well-known red teamers who have worked at these firms and are prolific speakers and publishers – they are likely easy to find and will offer career advice or connections for burgeoning physical red teamers.

If you want to break into red teaming, find one of the above career entry points and figure out the skills you need or have to get into that position. Find professionals in those positions and interview them or ask for mentorship. Start making the connections, gaining experience, and tailoring your resume early so you are ready when a position gets posted or someone in your network asks for your resume.

Lastly, treat every conversation you have along the way as an interview. Red teaming is a small community, and your reputation matters. Make it easy to meet with you, be professional in your communication and approachable in your demeanor, send a thank you and even send post-meeting notes if you are ambitious. As you come across articles relevant to certain professionals you have spoken to, share them in a message. Keep the lines of communication open, stay relevant, show your interest, and good things will happen.

For those looking for a more tangible, specific, and approachable path to becoming a physical red teamer, look no further. Part 2 of this four-part series will cover the Twelve Steps to Becoming a Physical Red Teamer.

*Note 1: Example above is hypothetical and likely not the real red team setup that those organizations currently have.

Note 2: If you are an industry insider and have different perspectives, more information, or additional advice to the next generation of red teamers, please send it my way. I will append it to the post so aspiring red teamers can learn from different industry perspectives.

Security Assurance & Stress Testing