Operator Capabilities
Tradecraft.
The skill sets behind every tier. Each capability is a tool our operators bring to the engagement. Partners select a service tier. These are the methods we use to execute it.
Domain 1
Reconnaissance and Targeting
Building the operational picture before anyone moves. Every engagement starts with understanding the target, its patterns, its systems, and its blind spots.
OSINT Collection
Open source intelligence gathering on facilities, personnel, vendors, and technology using publicly available data.
Surveillance and Pattern-of-Life Analysis
Observing facility operations and security response patterns to identify windows of opportunity.
Drone Operations
Aerial reconnaissance, perimeter mapping, entry point identification, visual intelligence collection, and counter-drone response testing.
RF Environment Survey
Mapping the radio frequency environment within and around the target facility to identify wireless attack surface.
Domain 2
Access and Entry
Getting through the perimeter. Physical controls are the first line of defense, and the first thing we test.
Access Control Exploitation
Full-spectrum testing of physical access control systems — from unencrypted credential cloning to encrypted credential analysis, reader bypass, and head-end exploitation.
Lock and Barrier Bypass
Nondestructive defeat of mechanical locks and physical barriers using covert entry techniques.
Concealed Methods of Entry
Gaining access through methods designed to leave no visible evidence of intrusion. The target does not know we were there unless we tell them.
Social Engineering
Exploiting human trust to gain physical access — pretext development, impersonation, and in-person manipulation techniques.
Domain 3
Close Access Cyber Operations
Cyber effects delivered from physical proximity. These techniques operate from inside the facility, adjacent spaces, parking lots, and lobbies to exploit what remote assessments cannot reach.
Close Access Reconnaissance
Attack surface mapping from inside the environment once physical access is established.
Close Access Exploitation
Active exploitation of opportunities identified during reconnaissance — credential harvesting, wireless attacks, and payload deployment from within or adjacent to the target.
Persistence and Lateral Movement
Expanding from an initial foothold to demonstrate domain-level impact. Validates whether detection and response controls catch an active compromise.
Implant Deployment
Placement of network implants with remote access validation and handoff to the partner cyber team. Simulated placement available where live deployment is outside the rules of engagement.
Network Tap Deployment
Passive traffic collection from internal network segments with remote access handoff to the partner cyber team.
Domain 4
Impact Demonstration
Proving the consequences of access. These techniques document the real-world impact of a physical compromise and provide the evidence that drives remediation.
Physical Exfiltration
Removal of target assets from the facility as proof-of-concept — documents, credentials, prototypes, devices, or other high-value items. Demonstrates the tangible consequences of a physical security failure.
Covert Observation Placement
Concealed sensor placement to document security control effectiveness over time. Provides objective evidence of security posture during unmonitored periods.
Data Collection and Evidence
Documenting the real-world impact of access achieved. Every finding is evidence-backed and tied to a compliance control.
Domain 5
OT/ICS Operations
Operational technology sits at the intersection of physical access and cyber impact. These capabilities target the control systems, building automation, and industrial infrastructure that traditional IT assessments never reach.
OT/ICS Reconnaissance
Passive asset discovery, protocol identification, IT/OT segmentation assessment, and attack vector analysis across converged environments.
OT/ICS Exploitation
Identifying real-world attack paths that exist once an operator reaches the OT network.
OT/ICS Impact Demonstration
Controlled proof-of-impact on isolated or non-production systems. Demonstrates consequence without operational risk.
Building Automation and Physical Security
Assessment of building management systems, video surveillance infrastructure, alarm systems, and integrated physical security platforms.
Industrial Control Systems
Assessment of industrial control systems across manufacturing, energy, and critical infrastructure environments.
Capability meets compliance.
Every skill on this page maps to a finding in your client's compliance report. Talk to us about which capabilities match your next engagement.