Styx Security was originally founded to specialise in more technical exploits which were becoming more accessible to criminals, especially on YouTube. The idea was to look for the gaps between systems and help fix these in creative and cost-effective ways. I trained in physical penetration testing, ethical computer hacking, lock picking & bypass, access card cloning and so on.
Then I realised something: the persistent attacker will always get in. Whatever your threat model, the technical resources exist to ensure someone will always be able to penetrate your physical security with enough time and effort. Most larger companies have got the hardware, the systems and a security team already, and it’s all too easy to dismiss covert entry methods as “James Bond stuff” which will “never happen to us”.
I also realised that, in my previous job (working for a very large organisation), I had not worn an ID badge for 9 years and no member of staff had ever stopped me, no matter how secure the area I was in. Some people simply don’t expect threats in plain sight unless they have been trained to deal with them. Others would look me up and down, trying to find the ID badge, but didn’t have the confidence or training to ask “who are you and what are you doing here?” in a polite, helpful but authoritative way. Banks know how to deal with armed robbers, but do they know how to deal with the strange IT person plugging USB sticks into everything they can find? These days, which is the bigger risk to your assets?
With the correct security awareness training, you can recruit your staff to be part of your security infrastructure and therefore your solution. With direct impact testing, we can show people they should be challenging the unusual and empower them with the techniques and confidence to do so. We can show people that they can be helpful and accommodating, but still secure.
Styx Security became about social engineering and physical security awareness training, helping to audit systems as well as deliver experiential learning to your employees.
No ninja skills, no Derren Brown-esque tricks of the mind, no fancy toys.
Just security awareness training designed for humans, by humans.