Operator Capabilities
Tradecraft.
The skill sets behind every tier. Each capability is a tool our operators bring to the engagement. Partners select a service tier. These are the methods we use to execute it.
Domain 1
Reconnaissance and Targeting
Building the operational picture before anyone moves. Every engagement starts with understanding the target, its patterns, its systems, and its blind spots.
OSINT Collection
Open source intelligence gathering on facilities, personnel, organizational structure, vendors, and technology stacks using publicly available data.
Surveillance and Pattern-of-Life Analysis
Observing facility operations, shift changes, delivery schedules, employee behaviors, and security response patterns to identify windows of opportunity.
Drone Operations
Aerial reconnaissance for facility mapping, perimeter assessment, roof access evaluation, and identification of physical security gaps not visible from ground level. All operations conducted within FAA regulations and client authorization.
RF Environment Survey
Mapping wireless access points, RFID system types, Bluetooth devices, IoT deployments, and other radio frequency emissions within and around the target facility.
Domain 2
Access and Entry
Getting through the perimeter. Physical controls are the first line of defense, and the first thing we test.
Access Control Bypass
Exploiting electronic access control systems including RFID badge cloning, Bluetooth relay attacks, credential replay, and system-level vulnerabilities in card readers and controllers.
Lock and Barrier Bypass
Nondestructive defeat of mechanical locks, padlocks, deadbolts, crash bars, and other physical barriers using picking, impressioning, bypass tools, and other covert entry techniques.
Concealed Methods of Entry
Gaining access through methods designed to leave no visible evidence of intrusion. The target does not know we were there unless we tell them.
Social Engineering
Pretext development, impersonation, pretexting phone calls, tailgating, piggybacking, and other techniques that exploit human trust rather than technical controls.
Domain 3
Proximity Exploitation
Cyber effects from physical proximity. These techniques operate from parking lots, lobbies, adjacent offices, and other locations near the target, often without entering the building.
Close-Proximity Wireless Attacks
Exploiting Wi-Fi networks accessible from outside the client's controlled perimeter. Includes rogue AP deployment, evil twin attacks, wireless credential harvesting, and WPA handshake capture from adjacent spaces.
Bluetooth and RF Interception
Targeting Bluetooth-enabled devices, Zigbee networks, IoT sensors, and other RF communications within range of publicly accessible areas. Includes relay attacks against Bluetooth access control systems.
Exploitation Implant Placement
Deploying passive network taps, rogue wireless access points, USB implants, keystroke loggers, and other exploitation hardware at designated targets for the partner's cyber team to activate remotely. Where live implantation is outside the ROE, we conduct simulated placement with documented proof-of-access.
Network Tap Deployment
Installing covert network taps on wired infrastructure to provide the partner's cyber team with persistent, remote access to internal network segments.
Domain 4
Persistence and Collection
Maintaining access and gathering evidence. Once we are in position, these techniques validate the real-world impact of the access we achieved.
Cyber Hygiene Inspection
Documenting unlocked workstations, exposed credentials, unsecured removable media, visible passwords, unattended authentication tokens, and other operational security failures that amplify the impact of physical access.
Covert Observation Placement
Positioning cameras or recording devices to document security control effectiveness, guard response times, and facility operations during off-hours and unmonitored periods. All placements conducted within applicable laws and client authorization.
Data Collection and Exfiltration POC
Proof-of-concept demonstration that sensitive data (documents, credentials, removable media, screen captures) can be collected and removed from the facility. Validates the real-world consequence of physical access.
Persistence Validation
Testing whether access, once established, can be maintained across shifts, guard rotations, and security protocol changes. Validates whether detection and response controls catch an ongoing physical compromise.
Capability meets compliance.
Every skill on this page maps to a finding in your client's compliance report. Talk to us about which capabilities match your next engagement.