The Red Team Vector That Has Not Stopped Working Since 1995
- Lindsay Timcke
Most physical penetration tests succeed on the first attempt, and the tooling fits in a tailored suit. No zero-day. No pretext more elaborate than confidence. No badge cloner. I put on a suit, walk toward reception at the same pace as the people in front of me, smile at the receptionist already overwhelmed by the morning rush, say “I’m here for the nine o’clock with [name pulled off the company website],” and wait to be told where to sit. Inside in under sixty seconds. If someone challenges me, I usually say I am here representing your auditor, who has an interest in this meeting. I have never been challenged on that one.
Once past reception I have the run of the floor. Open laptops in hot-desk rows. Conference rooms with whiteboards that photograph themselves. A network jack under every desk. A copier with a default admin password and a hard drive that has been spooling scanned documents for three years. A printer queue full of pending payroll runs. A Post-It under a keyboard. An empty office propped open by an ergonomic chair. A server room whose door closes on a one-second delay. Forty minutes is enough to plant a Raspberry Pi behind a credenza (or the CEO’s desk - my favorite), photograph every executive’s desk on the floor, walk out with a stack of printed quarterly reports, and leave a USB stick in the kitchen that the helpful employee will return to lost-and-found by way of their workstation.
This is not novel. It has not been novel since Kevin Mitnick wore a hard hat, and he was just the first of us to publish about it. What has changed is the proportion of security spend devoted to defending against it. Roughly zero.
Boards approve seven-figure EDR refreshes and AI red team programs (usually more if you put AI on the request) while the lobby is staffed by an outsourced receptionist on a ninety-day contract whose onboarding video told her to be welcoming. Compliance manuals reference 201 CMR 17 and Reg S-P. Most of those manuals are sitting on a printer tray right now.
The financial services version is worse. Trading floors are open by design. Compliance offices have unlocked file cabinets. Server rooms in regional offices are repurposed coat closets with a card reader you walk around by way of the kitchen. The CISO has not tested any of this because the CISO has been told the perimeter is digital. The perimeter is glass and a smile.
If your last red team was scoped as phishing-only, you do not have a red team program. You have a phishing simulation vendor. The cheapest, oldest, highest-yield vector is still a stranger in a suit who looks like he belongs. He does not even need to look like much.
