This is not a marketing document.

It’s a text-heavy guide to compliance for those looking to:
1) Sell physical testing as part of a cyber penetration testing service.
2) Sub-contract out physical penetration testing elements.
3) Re-sell Styx Security’s services.
4) Get into physical penetration testing – this is the part YouTube doesn’t show you.


Authority, Risk and Execution

This document sets out the key steps to obtaining lawful authority, the stakeholders who need to be involved, and what sub-contractors expect before they show up for an operational day.

If you’re a cyber company that has been asked to perform a physical penetration test as an add-on and wants to sub-contract the operational day, you need to read this before even booking the scoping call. It’s essentially a nicely presented version of many of our internal processes, from enquiry to exfiltration.

Audience

We’re aiming this mostly at the security industry, but we’re sure it will be useful for potential customers doing their due diligence. You’ll notice a lot of joviality in our work when you see things like the Miscreant Creche. This document is an insight into how seriously we take it underneath, and how our attention to detail keeps us and our stakeholders safe – and on the right side of the law.

This isn’t a training manual.

If you’re planning on running a physical penetration test as an add-on service, and you’ve not been on a training course to learn the basics, you are diving head-first into trouble. This document will give you some familiarity with the compliance obligations, but it’s not going to show you how to perform a risk assessment for a team of people who are removed from the protections a building normally provides (fire evacuation protocols, breaching physical safety protections, entering locked service floors, etc.).

Where the Joking Stops

These are the standards that Styx Security Ltd adheres to, whether we are running a physical test or being sub-contracted. We, alongside any other reputable contractor, will not execute a physical test without being entirely satisfied as to the lawfulness of the intended plan. You’ll find Styx Security to be exceptionally serious on this point, as it protects our customers, the industry’s reputation and us from taste-testing prison food.

Compliance is where the joviality stops.

If the types of trespass, directed vs. intrusive surveillance, collateral intrusion, OPORD and Operational Plan aren’t familiar to you, we want you to stop thinking about running a physical penetration test. That does not mean you can’t offer it as a service, but you will need to sub-contract someone to lead it and accept the cost that comes with it.

Put Off?

The compliance-heavy nature of physical penetration tests is why we often try to move companies towards adversarial testing and/or security awareness engagements. Unless there is a contractual, legal or other compliance-driven need for pen testing, there’s usually far more value to be found in our other services.

Billable hours are much better spent examining your controls than chasing signatures and versioning risk assessments. Consider our other services unless you absolutely must have a penetration test. The financial cost can be halved, the organisational burden is probably a tenth, and the findings are usually far more numerous and more actionable.
