A routine physical penetration test conducted by cybersecurity professionals took an unexpected turn when armed police officers arrested two security experts during a simulated breach of a corporate office in Malta.
Physical penetration testing is a critical component of cybersecurity assessments. It evaluates not only technical defenses but also physical access controls and human response mechanisms.
While this test revealed significant vulnerabilities in the client’s security setup, it also underscored the importance of preparing for real-world scenarios where miscommunication can have serious consequences.
Penetration testers Curt Hems and a colleague from Threat Spike Labs, working as part of a “black team” engagement, had been hired to evaluate the physical and operational security of a client’s premises.
Their mission included bypassing security controls, accessing sensitive areas, and identifying vulnerabilities in the organization’s defenses. Over the course of two hours, the team successfully:
“Physical penetration tests don’t always go as planned; sometimes they end with flashing lights and handcuffs,” Curt Hems explained in his LinkedIn post.
Despite their success in exposing critical security gaps, the engagement ended abruptly when 11 armed police officers intervened. The testers were detained despite having authorization documents signed by the client’s general manager.
“The findings were critical: major gaps in physical security, access control, and operational security. Yet, despite our success, we were ultimately apprehended. Not by security. Not by IT. But by 11 armed police officers.”
The situation escalated due to apparent miscommunication between the client’s management and local authorities.
The general manager, who had approved the test, reportedly panicked when informed of the breach.
Law enforcement was called under the assumption that a real attack was underway. The testers repeatedly explained their role and presented their authorization letter, but it took time for the situation to be resolved.
This incident highlights several important lessons for organizations conducting penetration tests:
The testers emphasized that such engagements are designed to simulate real threats and improve organizational resilience. “In a real attack, stakes are much higher,” one of them noted.
The incident serves as a reminder for companies to ensure robust processes are in place to detect intrusions and handle escalations effectively.