Physical Red Team Operations
On-site physical security assessments and authorized physical penetration testing for organizations that need to validate real-world protections around people, facilities, and critical assets. Work is performed in San Diego, CA and surrounding areas only.
This service is designed to answer one simple question: “Could an unauthorized person reach what matters—without being detected or stopped?” The focus is on identifying gaps in physical controls and human processes, documenting how they were reached (within agreed scope), and delivering specific, prioritized fixes.
Warehouses / logistics
Clinics / sensitive environments
Multi-tenant buildings
Any org with access badges, reception, secure areas
Identity pretexting (safe, controlled)
Unauthorized area access attempts
Badge/process abuse
After-hours procedure weaknesses
On-site testing (defined window)
Evidence capture (photos/notes)
Findings with severity + impact
Remediation roadmap
Debrief call/meeting
Optional retest add-on
“Safety-first. Minimal disruption. Clear boundary conditions.”
- Damage to property, unless authorized in Rules of Engagement
- Anything outside the Rules of Engagement
- Disruption to operations
Physical Penetration Testing FAQs
Where do you operate?
CM-SEC primarily operates in and around San Diego, California, supporting local and regional organizations with on-site physical security and red team assessments.
What exactly do you test during a physical penetration test?
We test real-world access paths an intruder would use to reach protected spaces: perimeter and entrances, reception controls, badge/door access points, tailgating resistance, internal zoning/boundaries, restricted areas (by scope), and after-hours posture. The focus is verifying whether your controls actually hold up under realistic pressure.
Do you pick locks or bypass doors?
Only if it’s explicitly authorized in the Rules of Engagement and aligned to your goals. Many engagements focus on human/process weaknesses (tailgating, challenge culture, visitor handling) rather than mechanical bypass. If any bypass activity is permitted, it’s controlled, documented, and non-destructive.
Can you test the server room / network closet / MDF / IDF areas?
Yes—if you authorize it. We can test whether those areas are actually protected (door controls, zoning, escort rules, ceiling/floor tile exposure, shared risers, etc.). We do not touch systems or plug into networks unless you specifically add that to scope. If approved, we can include light, controlled “physical-to-network” checks (such as a USB drop test or a brief connection to a designated external/wall port) to validate whether your security team’s monitoring, alerts, and response procedures activate as expected. All activity is non-destructive, time-boxed, and documented under the Rules of Engagement.
Do you break anything?
By default, physical red team engagements are non-destructive. Some risks can only be validated by demonstrating whether physical barriers actually stop an attacker—or merely slow them. Destructive testing is sometimes used to validate worst-case scenarios, justify capital improvements, or demonstrate impact to leadership when non-destructive methods are insufficient. This must be explicitly authorized in the Rules of Engagement.
Some clients require higher realism and choose to authorize destructive testing, such as:
- Forced entry against doors, locks, or gates
- Breaking windows or barriers
- Testing alarms or sensors that may trigger damage or replacement
Yes—if it’s explicitly scoped and authorized. Some clients choose to include small, practical checks that help confirm detection and response readiness without advanced exploitation. Examples can include:
- USB drop tests to evaluate policy enforcement and security team response (no credential harvesting, no persistence)
- Hak5-style assessment tools used in a controlled way to validate monitoring and procedures (e.g., approved USB test devices, small network recon/visibility checks, basic wireless security validation)
- Raspberry Pi “test nodes” (small, labeled devices) to confirm unknown-device detection, asset visibility, and segmentation behavior on approved ports or segments
Are you allowed to enter private offices, HR areas, or employee workspaces?
Only if you explicitly scope it. Many clients exclude HR, legal, medical areas, executive offices, and any spaces with sensitive personal data. We define “no-go” zones up front and treat them as hard boundaries.
Do you test tailgating?
Yes—tailgating is one of the most common real-world entry methods. We can measure how often staff challenge unknown persons, how well badge discipline holds, and whether “polite culture” creates predictable gaps.
Will employees know it’s a test?
You choose the approach:
- Covert: only a small group knows; measures true behavior.
- Semi-covert: management knows; staff do not.
- Overt: staff are aware; good for training days and walkthroughs.
We will recommend the model that best matches your goals and risk tolerance.
How do you avoid scaring employees or creating conflict?
We set clear safety rules: no intimidation, no aggressive behavior, no harassment, no unsafe stunts. If anyone is uncomfortable, we disengage immediately. Professional, calm, and controlled—always.
What happens if security or an employee stops you?
That’s a successful control in action. We document it and end the attempt. We also set a verification process in advance so your designated point of contact can confirm authorization quickly without escalating the situation.
How do you coordinate with guards, building management, or reception?
It depends on the test type. For covert tests, we keep knowledge limited. For overt or safety-sensitive sites, we coordinate with building management/guards so life-safety and critical operations are never impacted. Either way, we establish a single “truth line” for verification and stop conditions.
Can you test after-hours or weekends?
Yes, and it’s often revealing. After-hours posture tends to be very different from daytime. We can test locking routines, alarm response expectations, and whether “last-person-out” processes are real.
Can you test multiple sites or floors?
Yes. Multi-site engagements work well when you want to compare maturity across locations. We can normalize reporting so leadership can see patterns and prioritize fixes.
What about cameras—do you test CCTV effectiveness?
We can evaluate whether cameras provide useful coverage (blind spots, identification quality, lighting issues, placements, retention/review process). We don’t “hack cameras”—we assess whether they meaningfully support detection and response.
Do you test alarms?
We can validate alarm coverage and response procedurally (who gets notified, expected response times, escalation), and where allowed, test whether certain actions generate alarms. We do not create unsafe conditions or trigger emergency services.
Do you impersonate employees or use “social engineering”?
Only within agreed boundaries. Social engineering can range from basic “visitor” pretexts to more complex scenarios, and it can be powerful—but it must be ethical, controlled, and approved. We’ll define prohibited themes and behaviors so it stays professional.
Will you wear disguises or uniforms?
We can use simple, non-offensive role-appropriate attire (e.g., “contractor” look) if approved. We do not use law enforcement impersonation, anything that could cause panic, or anything that crosses ethical lines.
Do you take photos or video?
Evidence collection is part of a good test, but it’s controlled. We document findings with minimal exposure of sensitive information. If your organization restricts photography, we can use alternative evidence methods (notes, timestamps, escorted validation, anonymized images).
What evidence do we get in the final report?
You get clear, defensible evidence: what was attempted, what worked, what stopped us, time windows, access points used, and supporting proof (photos where allowed, notes, and references). The report is written so you can act on it without guessing.
How do you rate severity for physical findings?
We prioritize based on realistic impact: what an intruder could access, how quickly, how repeatable it is, and what the consequences are (theft, sabotage, data exposure, safety). Then we tie fixes to practical controls (hardware, process, training).
What’s the biggest value of a physical pentest vs a checklist?
A checklist tells you what should be true. A physical pentest proves what’s actually true under pressure. The gap between those two is where real incidents live.
What do we need to provide before the test?
Typically:
- Site addresses and test windows
- Scope boundaries (areas included/excluded)
- Safety constraints and stop conditions
- POC list + verification method
- Any special site rules (PPE, escort requirements, badging)
- Any “do not disrupt” operations (executive events, customer visits, critical work)
How long does an on-site test take?
Most single-site tests are 1–2 days on site depending on size/complexity, with reporting and debrief following. Larger multi-floor/multi-site scopes take longer, but we keep it fixed-fee and predictable by defining boundaries clearly.
Can you retest after we fix issues?
Yes—retesting is one of the best ways to prove improvement to leadership. We can do a tight, targeted retest focused only on corrected controls.
Have more questions? See the full list of FAQs: https://www.cm-sec.com/faqs/
For further information, please contact info@cm-sec.com