Penetration Test

Situation

We were asked to conduct a physical penetration test of a large stately home which had recently spent a significant amount of money on additional security infrastructure.

The director of the estate, which houses high-value assets and is open to the public, wanted to know whether the security measures that had been recently implemented were fit for purpose.

Solution

We deployed our penetration testing team to the estate for four days. The first phase comprised two days of reconnaissance, during which the team:

  • Exploited public access routes and footpaths to identify potential avenues of approach;
  • Used UAVs to confirm / deny publicly inaccessible security infrastructure across the estate and at the house;
  • Conducted open-source research to find legacy floorplans on the internet, identify lock types, and recognise employees and family members;
  • Booked onto a house tour under a pseudonym to conduct covert hostile reconnaissance;
  • Geolocated the target room and examined the house for potential climbing routes using Google Street View;
  • Designed replica estate high-vis jackets to look familiar to employees; and
  • Initiated false security incidents on the estate to test response times.

The team then conducted a planning phase to evaluate the three best courses of action which would allow a covert raid on the house, considering both day and night options.

On the fourth day, two members of the team successfully conducted the raid on the house.

Following the penetration, we provided the client with a written report detailing our findings, including identified vulnerabilities, planned courses of action and reasoning, and recommendations for proportionate, cost-effective, and fit-for-purpose additional physical, technical, and procedural security measures.