Lessons in Sunburn, Surveillance, and Security Gaps
- Keith Pachulski
- Jun 19
- 20 min read

Over the last few weeks, we’ve been off the radar—but for good reason. Our team was deep in Latin America conducting forced entry prevention training and executing site assessments across three countries. It was a high-tempo, high-stakes stretch of work that spanned military installations, critical infrastructure, and some long days in the sun with very little time in the rack.
The kind of work we do in the field doesn’t just test our endurance—it constantly reinforces how layered and flawed real-world security implementation can be. Across this most recent deployment, we observed repeat issues that cut across sectors and geographies: poor system integration, outdated access control, RF vulnerabilities, and misalignments between cybersecurity and physical security. Just as importantly, we picked up lessons and patterns that consultants, security managers, and facilities teams can immediately apply.
This post is a tactical download—real talk from real engagements. We’re diving into what’s not working, what still surprises us, and what you can do to make your environment more secure, whether you're guarding a data center or a forward operating base.
Things They Don’t Teach You as a New Consultant
Travel and Sleep Management
Operational success starts with personal sustainability. One of the most underrated threats to effectiveness is exhaustion—especially on OCONUS assignments. Your travel schedule will often be dictated by the client or logistical limitations, not your ideal rest cycle. You need to build resilience into your personal operating model.
What to do:
Plan rest cycles: Use segmented sleep planning. Aim for two 90-minute sleep cycles over a 24-hour window when full rest isn’t possible. Bring a travel blackout mask and earplugs—both reduce cognitive fatigue when you’re trying to catch sleep between missions or flights.
Time zone transitions: Manage your circadian rhythm with red-light exposure at night and blue-light exposure in the morning. Consider melatonin (0.5 to 3 mg) to shift your body clock, but use only when adjusting to a new time zone.
Micro-rest periods: Schedule non-negotiable 15-minute wind-down periods every 6–8 hours in high-stress rotations. Use these to hydrate, stretch, and reset mentally—even if you're in the back of a car or a secure hallway.
Nutrition and Hydration
Lack of access to clean, reliable food and hydration can degrade your performance faster than almost anything else. This is even more critical in hot, humid, or high-altitude environments.
Water strategy: Calculate hydration targets (half your body weight in ounces daily) and exceed this in tropical or arid environments. Carry a personal filtration system like a Grayl bottle or iodine tablets for emergencies.
Meal logistics: Bring compact calorie-dense food (protein bars, nut packets, freeze-dried meals) for long days. If doing surveillance or forced-entry testing, pack food that doesn’t create strong odors or trash bulk.
Avoid dietary risk: Use sealed meals or stick to vetted local sources. Diarrhea and dehydration can end an engagement quicker than a denied badge.
Time Management During Execution
Assessments and red team ops often suffer from poor time allocation. Either you're rushing the technical work or burning team energy in down cycles.
Create a battle rhythm: Designate execution windows, review windows, and rest/recovery periods. Assign one team member per shift to serve as the timekeeper and progress coordinator.
Build in assessment slack: Plan for 25–30% of your schedule to account for unexpected delays—local interference, bad weather, equipment failure.
Daily operational review: Even a 10-minute evening sync (even if it’s over Signal) will help surface issues and reallocate efforts before they compound.
Language and Cultural Barriers
Communicating in a foreign country is more than translation—it’s about building quick trust and interpreting context when things go sideways.
Pre-deploy with phrases: Build a one-page cheat sheet of mission-critical phrases in the local language (e.g., “I need access to this room,” “Call this number,” “I’m with the team doing an inspection.”).
Equip for offline comms: Use offline translation apps with camera-based text capture. Many signs or facility instructions will not be in English—this is critical for access control labels, fire suppression systems, and panel instructions.
Cultural navigation: Consult with someone who has worked with that country’s law enforcement or security industry. Learn what’s considered polite, authoritative, or disrespectful in those contexts. Knowing how to properly approach a guard, supervisor, or building manager can be the difference between access and escalation.
Integrator-Driven Designs: The Hidden Risk
Most physical security implementations rely heavily on third-party integrators—vendors who sell and install security technologies such as cameras, access control systems, and alarm sensors. But here’s the catch: most integrators aren’t designing systems based on risk, operational need, or threat models. They’re building to maximize the sale or to fit what’s easy to install—not what actually works in the real world.
When a client hands over the full design responsibility to an integrator without oversight, what they get is often fragmented. Maybe they get great door hardware, but cameras that fail in low light. Or they get a good VMS, but badge systems that are still using 20-year-old protocols.
Even worse, you’ll see multi-vendor environments where each component was installed in isolation. One team installs card readers, another does cameras, and nobody takes ownership of how the systems interact—or whether they cover the full threat surface.
Start with a Threat-Based Design (TBD)
Before a single camera or badge reader is spec’d, perform a threat modeling session with the client. Identify key risk drivers:
What assets need protecting (people, IP, tech, sensitive areas)?
What types of threats are most likely (forced entry, insider threat, tailgating, surveillance evasion)?
What is the client’s risk tolerance?
Use this to build a layered defense approach, then hand requirements to integrators—not the other way around.
Create a Master System Integration Plan (MSIP)
Treat physical security like an IT architecture. Lay out how the components should interact:
Alarm inputs trigger camera pre-roll recording.
Access control events sync with logging and video overlays.
Intrusion sensors trigger lockdown modes or alert specific operators.
You need to be the one defining these relationships—not just hoping the integrator “makes it all work.”
Write Clear Acceptance Criteria
Don’t allow vague language in contracts like “system shall provide adequate coverage.” Define exactly what acceptable looks like:
“All perimeter cameras must provide IR-supported footage at a minimum of 720p with subject facial visibility at 20 feet under 0.1 lux lighting.”
“All access control doors must log events within 2 seconds of card presentation and push those events to the centralized dashboard.”
Perform an Integration Audit Post-Install
After install, don’t assume it’s been done correctly. Validate it yourself:
Walk-test camera coverage at different times of day and lighting conditions.
Swipe test badges at controlled entries and look for logging gaps or delays.
Tamper with motion sensors or magnetic contacts to test response time.
Check cable routing, EMI shielding, grounding, and weatherproofing in field-installed enclosures.
Challenge the Sales-First Mentality
When a vendor proposes a “turnkey” package, ask these questions:
How is this system hardened against replay, jamming, or signal injection?
How does it operate in degraded modes (e.g., power failure, network down)?
Has it been evaluated against any formal threat models or compliance frameworks?
The answers you get will tell you if the integrator actually understands security—or just how to sell boxes.
Facilities Teams Aren’t Security Experts—and That’s Okay
In many organizations, the responsibility for physical security falls to the facilities team. These teams are typically composed of skilled engineers and project managers focused on keeping buildings functional, compliant, and cost-efficient. They’re great at ensuring HVAC works, lights come on, and utilities stay online—but physical security is a fundamentally different discipline.
The challenge is that these teams are often asked to manage security vendors, approve system designs, and validate installations without any training in adversarial threat modeling, vulnerability detection, or operational defense planning.
What this looks like in the field:
Access control panels installed in unsecured MDF closets.
Surveillance systems with no blind spot analysis, poor retention settings, or default passwords still active.
Tamper switches disabled “because they kept tripping,” with no investigation into why.
None of this comes from negligence—it’s simply a lack of context and guidance. And that's a gap consultants need to fill.
Educate without condescension
Approach the facilities team as partners, not liabilities. Provide them with clear, practical guides for verifying work. Teach them what a secure installation should look like using checklists, photos, and hands-on sessions.
For example:
“A door controller in an unsecured room is like leaving your server rack in the hallway—anyone can bypass it.”
“Every camera angle should have a purpose: face capture, license plate read, motion corridor, etc.”
Deliver Tactical Training for Facilities Personnel
Offer a 1–2 hour “Physical Security 101” session during or after the assessment. Key topics should include:
The difference between safety and security (and where they overlap).
What makes a camera position effective.
What ‘tamper evident’ really means—and how to test it.
How to spot common installer shortcuts (e.g., unsealed conduits, accessible terminations, disabled alerts).
Make this training visual, interactive, and immediately relevant to their environment.
Provide Acceptance Testing Protocols
Most facilities teams will trust that an integrator did things right. Give them scripts to prove it.
Example acceptance tasks:
Swipe test every access-controlled door and ensure logs show up on the admin console within 5 seconds.
Power-cycle a random camera to confirm it comes back online and resumes recording.
Remove and reattach a sensor to validate the tamper alarm is working.
Use a handheld IR emitter to simulate intrusion and validate camera response.
These are simple, repeatable checks that even a non-security engineer can perform—and they build long-term confidence in the system.
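The acceptance criterion in the integration section (“log events within 2 seconds”) and the swipe test above (“logs show up on the admin console within 5 seconds”) are only useful if someone actually compares the walk-test against the console export. The following script is an added example, not code from the original post: it takes the tester’s list of badge presentations and the console’s log export (both constructed here, with made-up door names and badge IDs), matches each swipe to its log record, and reports doors that logged late or not at all. The latency limit is a parameter so the same check serves either contract wording.

```python
"""Acceptance check: did every badge presentation appear in the admin
console log within the agreed time?  Added example, not from the
original post; the event formats, door names and badge IDs are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Swipe:
    door: str
    badge: str
    presented: datetime        # time the tester presented the card at the reader


@dataclass
class LogEntry:
    door: str
    badge: str
    logged: datetime           # timestamp shown on the admin console


# Constructed walk-test record: four swipes with the same test badge.
SWIPES = [
    Swipe("LOBBY-EAST", "0451", datetime(2025, 6, 1, 9, 0, 0)),
    Swipe("MDF-01",     "0451", datetime(2025, 6, 1, 9, 2, 0)),
    Swipe("DOCK-B",     "0451", datetime(2025, 6, 1, 9, 4, 0)),
    Swipe("ROOF-HATCH", "0451", datetime(2025, 6, 1, 9, 6, 0)),
]

# Constructed console export: one fast, one slow, one missing, one at the limit.
CONSOLE_LOG = [
    LogEntry("LOBBY-EAST", "0451", datetime(2025, 6, 1, 9, 0, 1)),
    LogEntry("MDF-01",     "0451", datetime(2025, 6, 1, 9, 2, 9)),   # 9 s: too slow
    # DOCK-B never logged: reader offline, panel misconfigured, or event dropped
    LogEntry("ROOF-HATCH", "0451", datetime(2025, 6, 1, 9, 6, 5)),   # exactly 5 s
]


def match_log(swipe: Swipe, log, window: timedelta = timedelta(minutes=1)) -> Optional[LogEntry]:
    """Return the earliest console record for the same door and badge that
    was written after the presentation and within `window`, or None."""
    candidates = [e for e in log
                  if e.door == swipe.door and e.badge == swipe.badge
                  and swipe.presented <= e.logged <= swipe.presented + window]
    return min(candidates, key=lambda e: e.logged) if candidates else None


def check_logging(swipes, log, max_latency_s: float = 5.0) -> dict:
    """Return {door: status}; status is 'ok', 'slow (N s)' or 'missing'."""
    results = {}
    for s in swipes:
        entry = match_log(s, log)
        if entry is None:
            results[s.door] = "missing"
            continue
        latency = (entry.logged - s.presented).total_seconds()
        results[s.door] = "ok" if latency <= max_latency_s else f"slow ({latency:.0f} s)"
    return results


def failures(results: dict) -> list:
    """Doors that did not meet the acceptance criterion, for the punch list."""
    return sorted(door for door, status in results.items() if status != "ok")


if __name__ == "__main__":
    report = check_logging(SWIPES, CONSOLE_LOG)
    for door, status in report.items():
        print(f"{door:12s} {status}")
    print("Punch list:", failures(report))
```

The one-minute matching window is deliberately generous so that a badly delayed event is reported as “slow” with its real latency rather than as “missing”; a door that is missing from the export is a different finding (the event never reached the console) and gets its own line on the punch list.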
Embed Security Ownership
Where possible, encourage clients to designate a facility security liaison—someone within the facilities team who becomes the go-to for physical security concerns. This person doesn’t need to be a full-time security pro, but they should be trained to spot red flags, ask the right questions, and coordinate with external experts when needed.
Document the Gaps and Fill Them Together
During assessments, don’t just document failures. Categorize them:
Lack of visibility (they didn’t know)
Process breakdown (they assumed someone else was checking it)
Skill mismatch (they didn’t have the background to interpret it)
Then offer a path forward that empowers, rather than blames.
RF-Based Remote Access: The Invisible Backdoor
One of the most overlooked vulnerabilities in perimeter security is the widespread use of consumer-grade RF-based remote controls. These are often used to open vehicle gates, pedestrian access doors, or even disable alarm zones. They’re cheap, easy to install, and seemingly convenient—but they also create massive security gaps that can be exploited with $100 worth of gear.
We’ve seen these systems controlling perimeter gates at critical infrastructure sites, corporate HQs, and even military logistics hubs. And most of them are using fixed-code RF protocols—meaning they transmit the same command signal every time a button is pressed.
Why this is a problem
With tools like a HackRF, Flipper Zero, or other SDR (software-defined radio) devices, an attacker can sit outside the perimeter, record a valid RF signal, and replay it later to trigger the exact same action—usually without ever being seen.
Start with reconnaissance and testing
During assessments, sweep for active RF control signals in the 260–433 MHz bands. Use spectrum analysis tools like GQRX or SDR# to visualize signal traffic near vehicle gates or remote-controlled areas. Then:
Use RF replay tools to attempt capture and re-use of codes.
Document repeatability and any delay/timing dependencies.
Identify whether the system uses rolling codes (dynamic) or fixed codes (static)—you can usually tell by replay success or signal fingerprinting.
Raise awareness with demonstrations
A powerful way to shift client mindset is to show them how easy it is to exploit. Capture a gate open signal from 50–100 feet away, wait 10 minutes, then replay the signal and drive in. That kind of visual demonstration cuts through abstract warnings and gets immediate buy-in.
Recommend secure RF alternatives
If RF control is necessary, insist on systems that use:
Rolling code protocols (e.g., KeeLoq or proprietary equivalents)
Encrypted challenge-response systems
Bluetooth Low Energy (BLE) or UWB with secure pairing and mutual authentication
Or ideally—no RF at all, and instead a hardwired or network-based access method with proper authentication and logging
Make sure these systems include:
Tamper detection
Replay protection
Unique user credentials (rather than shared remotes)
Implement RF monitoring
Encourage clients to monitor their RF spectrum periodically—especially around access points. Install dedicated SDR-based monitoring tools with automated anomaly detection (e.g., sudden bursts of repeated traffic, signal duplication). Even just quarterly sweeps can help detect cloning attempts or rogue devices.
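To make the “automated anomaly detection” above concrete, here is an added example (not code from the original post) of the review step that runs over a sweep log after the SDR has captured and fingerprinted bursts on the gate frequencies. The log format, the site profile (which frequency serves which gate, fixed versus rolling scheme, and the codes actually issued) and the burst fingerprints are all constructed. It applies the three checks the paragraph names: a rolling code seen twice (a replay), a fixed code that was never issued (a rogue or cloned remote), and a flood of bursts in a short window (repeated traffic). The same logic applies to the passive monitoring described later in the COMSEC section.

```python
"""Periodic RF sweep review: flag replayed rolling codes, unissued fixed
codes, and bursts of repeated traffic on gate control frequencies.
Added example, not from the original post; the log format, the site
profile and the burst fingerprints are constructed."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed site profile: frequency -> gate it controls, code scheme, and
# (for fixed-code remotes) the fingerprints of the remotes actually issued.
SITE_PROFILE = {
    433.92: {"gate": "VEHICLE-GATE-1", "scheme": "fixed",
             "issued": {"7f3a0c", "7f3a0d"}},
    315.00: {"gate": "PED-DOOR-2", "scheme": "rolling", "issued": set()},
}

# Constructed capture log, one burst per line: "<ISO time> <MHz> <fingerprint>".
SWEEP_LOG = """\
2025-06-01T22:14:03 433.92 7f3a0c
2025-06-01T22:20:41 433.92 7f3a0d
2025-06-01T22:31:10 433.92 9e11b2
2025-06-01T23:02:00 315.00 5d6e7f
2025-06-01T23:02:06 315.00 5d6e7f
2025-06-01T23:40:00 433.92 7f3a0c
2025-06-01T23:40:01 433.92 7f3a0c
2025-06-01T23:40:02 433.92 7f3a0c
2025-06-01T23:40:03 433.92 7f3a0c
2025-06-01T23:40:04 433.92 7f3a0c
2025-06-01T23:40:05 433.92 7f3a0c
"""


def parse_sweep(text):
    """Parse the sweep log into (timestamp, frequency_mhz, fingerprint) tuples."""
    bursts = []
    for line in text.splitlines():
        ts, mhz, payload = line.split()
        bursts.append((datetime.fromisoformat(ts), float(mhz), payload))
    return bursts


def analyse(bursts, profile, flood_count=5, flood_window_s=10):
    """Return a list of (time, gate, reason) findings in log order."""
    findings = []
    seen_rolling = defaultdict(set)   # freq -> rolling-code payloads already observed
    recent = defaultdict(deque)       # freq -> timestamps inside the sliding window
    for ts, mhz, payload in bursts:
        site = profile.get(mhz)
        if site is None:
            continue                  # not a monitored control frequency
        gate = site["gate"]
        if site["scheme"] == "rolling":
            # A rolling-code remote never re-sends the same code: a repeat is a replay.
            if payload in seen_rolling[mhz]:
                findings.append((ts, gate, f"replayed rolling code {payload}"))
            seen_rolling[mhz].add(payload)
        elif payload not in site["issued"]:
            findings.append((ts, gate, f"unissued fixed code {payload}"))
        # Flood rule: fires once when the window first fills (stuck, cloned or
        # brute-forcing remote, or a captured code being hammered).
        window = recent[mhz]
        window.append(ts)
        while (ts - window[0]).total_seconds() > flood_window_s:
            window.popleft()
        if len(window) == flood_count:
            findings.append((ts, gate, f"{flood_count} bursts within {flood_window_s} s"))
    return findings


if __name__ == "__main__":
    for ts, gate, reason in analyse(parse_sweep(SWEEP_LOG), SITE_PROFILE):
        print(f"{ts.isoformat()}  {gate:15s} {reason}")
```

Note the limit for fixed-code gates: a replay of an issued code is indistinguishable from a legitimate press at the RF layer, so on those systems the sweep can only catch unknown codes and floods. That gap is the reason the next recommendation is to move to rolling-code or challenge-response hardware, where a repeated code is itself the alarm.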
Set policy boundaries
Organizations should clearly define:
Where RF is allowed
Who is allowed to use it
What frequency and control tech is authorized
How remotes are issued, revoked, and rotated
A lot of the risk comes from shadow IT—someone buys a cheap remote system for convenience, and suddenly the main warehouse is exposed to RF replay attacks. Control this through formal procurement and usage policies.
COMSEC: It’s Still Being Ignored (and How to Handle It on a Budget)
In high-risk or sensitive operational environments, secure communications should be a baseline control. Yet, we routinely find teams—ranging from tactical military units to private sector security operations—relying on off-the-shelf, civilian-grade radios with no encryption, fixed frequencies, and no user authentication or access control.
Ideally, every team would have access to mission-appropriate communications gear—AES-encrypted radios, frequency-hopping capabilities, and a trained COMSEC custodian overseeing proper key management. But we also know that reality doesn’t always line up with ideal conditions. Budget constraints, procurement bottlenecks, and lack of policy clarity often mean the only tools available are basic push-to-talk radios.
The question becomes: how do you secure communications when you're stuck with insecure equipment?
If you can upgrade to encrypted, government-grade systems—do it. But if you can’t, there are still several risk-reduction steps you can take.
Start by implementing channel discipline. Assign channels based on shift schedules and change them regularly using a pre-established rotation scheme. Don’t use the same channels day in and day out—that creates predictability. Instead, introduce a simple randomized selection process that can be briefed at the start of each operation.
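One way to make the “pre-established rotation scheme” both unpredictable to an observer and reproducible by everyone who was briefed is to derive each shift’s channel from a shared secret. The following is an added example, not code from the original post: the key, the 16-channel radio and the shift labels are constructed. Every team member who has the key and the date can compute the same primary and backup channel for each shift, nothing about the plan is ever transmitted, and an outsider who learns today’s channel gains nothing about tomorrow’s. Consecutive shifts are also prevented from reusing the previous primary.

```python
"""Deterministic channel rotation for unencrypted PTT radios: each shift's
primary and backup channel is derived from a pre-shared key, the date and
the shift label, so everyone briefed with the key computes the same plan
and an observer cannot predict the next channel from the last one.
Added example, not from the original post; the key, the channel list and
the shift labels are constructed."""
import hashlib
import hmac
from datetime import date, timedelta

SHARED_KEY = b"constructed-demo-key-change-me"   # briefed in person, never sent over the air
CHANNELS = list(range(1, 17))                      # assumed 16-channel radios
SHIFTS = ("day", "swing", "night")


def _prf(key: bytes, label: str, counter: int) -> int:
    """Keyed pseudo-random integer for a (label, counter) pair via HMAC-SHA256."""
    msg = f"{label}|{counter}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def channel_plan(key: bytes, day_iso: str, shift: str, channels=CHANNELS, previous=None):
    """Return (primary, backup) for one shift.  `previous` is the prior shift's
    primary channel; it is excluded so consecutive shifts never share one."""
    label = f"{day_iso}|{shift}"
    pool = [c for c in channels if c != previous]
    primary = pool[_prf(key, label, 0) % len(pool)]
    backup_pool = [c for c in pool if c != primary]
    backup = backup_pool[_prf(key, label, 1) % len(backup_pool)]
    return primary, backup


def weekly_schedule(key: bytes, start_iso: str, days: int = 7, channels=CHANNELS):
    """Return [(date_iso, shift, primary, backup), ...] for `days` days,
    chained so that each shift avoids the previous shift's primary."""
    start = date.fromisoformat(start_iso)
    plan, prev = [], None
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        for shift in SHIFTS:
            primary, backup = channel_plan(key, day_iso, shift, channels, prev)
            plan.append((day_iso, shift, primary, backup))
            prev = primary
    return plan


if __name__ == "__main__":
    # Print the briefing card for the coming week.
    for day_iso, shift, primary, backup in weekly_schedule(SHARED_KEY, "2025-06-01"):
        print(f"{day_iso} {shift:6s} primary CH{primary:02d}  backup CH{backup:02d}")
```

The backup channel is the one the team moves to on a “Switch Red” style fallback call, so it is worth printing on the same card. Because the schedule is a pure function of the key and the date, a lost or stolen card only exposes the printed week; rotating the key at the next in-person briefing invalidates everything derived from it.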
Communication obfuscation is your next layer of defense. Use codewords and operational brevity codes that obscure the meaning of your transmissions. Avoid saying anything over the air that could give away key locations, team identities, or the nature of the task. This doesn’t require complex cryptography—just shared discipline and consistency. If “Zone Echo” always means the north perimeter and “Objective Tango” is the security vault, your team stays coordinated while eavesdroppers remain confused.
To further compartmentalize exposure, use split communications paths. Assign different radios or channels for command versus tactical team comms. This means that even if someone is listening to your traffic, they’ll only get half the picture unless they’re monitoring both paths.
Train your team not to transmit sensitive information over radio at all. Door codes, personal names, shift schedules, and decision-making conversations should never be shared over open channels. Instead, switch to secure messaging apps when more control is needed—tools like Signal or Threema can provide temporary, encrypted communication lines that are far more difficult to intercept.
Don’t just talk—listen. Set up SDR-based passive monitoring tools to keep an eye on your operational RF environment. Tools like HackRF, RTL-SDR, or BladeRF let you scan for anomalies like duplicate transmissions, signal interference, or unauthorized transmissions near your perimeter. You’re not just watching for eavesdropping—you’re preparing to detect jamming or spoofing before it becomes a crisis.
Even if encryption isn’t available, you can still build a COMSEC policy. Track which radios are issued to whom, inspect them regularly for tampering, ensure batteries are charged, and rotate devices periodically. Decommission any lost or stolen units immediately and remove their associated channels from use.
Just as important is training your people to recognize suspicious signal behavior. If someone hears echo, distortion, or delays on a known-clear channel, it could indicate interference or signal spoofing. Give the team a defined set of procedures for shifting to backup channels or secure messaging options—using code phrases like “Switch Red” to initiate fallback communication plans.
Civilian radios aren’t secure—but they can still be managed securely. That requires discipline, documentation, and a clear plan for every phase of use, from pre-mission checks to post-mission sanitization. You’re not just preventing compromise—you’re building resilience.
Cybersecurity ≠ Physical Security
There’s a growing trend—especially in red teaming and security consulting—where cybersecurity professionals start offering physical security advice. And while crossover between domains can be valuable, there’s a big difference between dabbling in physical security and actually understanding how to secure facilities against real-world threats.
The most common example? A cybersecurity consultant buys a Flipper Zero or Proxmark, learns how to clone badges, and suddenly markets themselves as a “physical security expert.” But cloning a 125 kHz badge doesn’t make someone an expert in perimeter design, layered defense, camera placement, or forced entry resistance.
Physical security is a dedicated field with its own doctrines, standards, and operational practices. Understanding electromagnetic lock wiring, selecting tamper-proof fasteners, or designing interlock vestibules isn’t something you pick up in a weekend. It requires field time, testing experience, and the ability to navigate complex operational and compliance environments.
So what do you do when you’re a client, or even a consultant, trying to separate the real experts from the hype?
Start by asking for depth, not just tools. Real physical security professionals understand the “why” behind design choices. They can explain how lighting conditions impact camera performance at different focal lengths, why sensor bypass timing matters, or how environmental factors like humidity and dust affect contact reliability.
Ask about specific experience. Have they ever assessed a facility under active threat conditions? Have they designed a security zone from scratch—not just exploited it? Can they explain how a surveillance system integrates with access control to trigger alerts, or how to audit power redundancy for intrusion alarms?
For consultants, the challenge is to stay in your lane—or expand it with intention. If you come from a cyber background and want to grow into physical security, that’s great—but that growth needs to be grounded in training and practical exposure. Learn from those who’ve done it at scale. Get hands-on with doors, sensors, gates, enclosures, and panel wiring. Go beyond exploit tools and study physical defense-in-depth principles.
As a client, be cautious of anyone who presents a physical vulnerability without also discussing how to assess it systemically or fix it holistically. For example, if someone clones a badge, the conversation shouldn’t stop at “the badge is insecure.” It should expand into:
How the badge technology fits into a broader authentication scheme
What compensating controls exist (e.g., mantraps, CCTV, alerting)
How the access logs correlate with the cloned entry attempt
Whether layered systems like biometric dual-auth are viable
One of the most dangerous myths in security today is the idea that physical and cyber threats can be solved with the same mindset. They can’t. The adversaries may overlap, but the defenses are very different—and often more complex in physical spaces, where human behavior, terrain, lighting, and hardware inconsistencies all factor in.
Security leaders should build teams that reflect both worlds. Cyber pros who can audit firmware and network topology. Physical experts who understand attack timelines and barrier layers. And if you’re lucky, find those rare few who have done both, and done them well.
Flawed Access Control Systems Still Being Installed
Despite decades of evidence, many facilities are still deploying outdated and insecure access control technologies—especially those based on legacy RFID systems. This includes the ubiquitous 125 kHz proximity cards that have been widely exploited for years.
The problem isn’t just the technology—it’s the buying process. Most clients don’t know what they’re actually purchasing. They trust the integrator’s recommendation, assume it’s modern and secure, and move on. The reality? Integrators often choose what’s easy to source, fast to install, or cheapest to maintain—not what’s actually resistant to modern threats.
Why does this matter?
Because most of these legacy cards can be cloned in under 60 seconds using devices like a Flipper Zero or Proxmark. No encryption, no mutual authentication, no logging that differentiates between a real user and a spoofed credential.
When these systems are deployed in office parks or storage facilities, it’s bad. But when they’re installed at critical infrastructure sites, healthcare facilities, or data centers—it’s negligent.
So what can you do as a consultant or facility manager?
Start with technology identification. During an assessment, ask for badge samples and run them through an RFID analysis tool. Determine the frequency, protocol, and whether the badge uses secure encryption. If you detect 125 kHz or early-generation 13.56 MHz (like legacy iCLASS), you’ve likely got a problem.
Then move to field testing. Conduct a controlled badge cloning test—if appropriate under the engagement scope. Demonstrate how easily a badge can be read and replayed from someone’s pocket or desk using gear that fits in your palm. Nothing shifts a client’s mindset faster than watching their “secure” badge open a door they didn’t authorize.
But don’t stop at exposure. Offer a migration plan. If budget allows, recommend moving to secure credential systems like HID iCLASS SE, Seos, or DESFire EV3. These support AES encryption, mutual authentication, and diversified keys—huge upgrades in security posture.
If immediate upgrades aren’t feasible, look at compensating controls:
Pair the badge reader with a keypad (two-factor entry) or, better yet, a biometric.
Implement tighter access logging and anomaly detection
Use tailgate detection systems to monitor for unauthorized entry behind valid badge users
Limit badge permissions by zone and time of day, minimizing damage from a cloned credential
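Two of the compensating controls above, anomaly detection on the access logs and limiting badge permissions by zone and time of day, can be checked with the same review. The following is an added example, not code from the original post: it runs over a constructed access log with a constructed per-badge policy (permitted zones and hours) and a constructed table of minimum walking times between readers, and flags the patterns a cloned credential produces: the same badge presented at two readers too close together to have walked between them, and use outside its permitted zones or hours.

```python
"""Access-log review aimed at cloned credentials: impossible travel between
readers, and use outside a badge's permitted zones or hours.  Added example,
not from the original post; reader names, walk times, badge policy and log
lines are constructed."""
from datetime import datetime, time

# Constructed policy per badge: zones it may open and its permitted clock window.
BADGE_POLICY = {
    "0451": {"zones": {"LOBBY", "OFFICE"}, "hours": (time(7, 0), time(19, 0))},
    "0932": {"zones": {"LOBBY", "OFFICE", "DATACENTER"},
             "hours": (time(0, 0), time(23, 59, 59))},
}

# Constructed reader-to-zone map and minimum walking time in seconds between readers.
READER_ZONE = {"LOBBY-E": "LOBBY", "OFFICE-3F": "OFFICE",
               "DC-MANTRAP": "DATACENTER", "DOCK-B": "LOBBY"}
MIN_WALK_S = {
    frozenset({"LOBBY-E", "DOCK-B"}): 180,
    frozenset({"LOBBY-E", "OFFICE-3F"}): 120,
    frozenset({"OFFICE-3F", "DC-MANTRAP"}): 240,
    frozenset({"LOBBY-E", "DC-MANTRAP"}): 300,
    frozenset({"DOCK-B", "OFFICE-3F"}): 300,
    frozenset({"DOCK-B", "DC-MANTRAP"}): 400,
}

# Constructed panel export: "<ISO time> <badge> <reader> <result>" per line.
ACCESS_LOG = """\
2025-06-02T08:01:10 0451 LOBBY-E GRANTED
2025-06-02T08:04:30 0451 OFFICE-3F GRANTED
2025-06-02T08:05:02 0451 DOCK-B GRANTED
2025-06-02T21:30:00 0451 OFFICE-3F GRANTED
2025-06-02T09:15:00 0932 LOBBY-E GRANTED
2025-06-02T09:20:00 0932 DC-MANTRAP GRANTED
2025-06-02T10:00:00 0451 DC-MANTRAP DENIED
"""


def parse_log(text):
    """Parse the export into (timestamp, badge, reader, result), oldest first."""
    events = []
    for line in text.splitlines():
        ts, badge, reader, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, reader, result))
    return sorted(events)


def check_access_log(events, policy, reader_zone, min_walk):
    """Return sorted (time, badge, reason) findings."""
    findings = []
    # Policy checks: zone and hours, applied to granted and denied events alike,
    # because a denied attempt at a zone the badge never had is itself a signal.
    for ts, badge, reader, result in events:
        pol = policy.get(badge)
        if pol is None:
            findings.append((ts, badge, f"unknown badge at {reader}"))
            continue
        zone = reader_zone[reader]
        if zone not in pol["zones"]:
            findings.append((ts, badge, f"{zone} not permitted ({result} at {reader})"))
        start, end = pol["hours"]
        if not (start <= ts.time() <= end):
            findings.append((ts, badge, f"outside permitted hours at {reader}"))
    # Impossible travel: consecutive uses of one badge at two readers faster
    # than a person could walk between them suggests a second copy of the badge.
    last_seen = {}
    for ts, badge, reader, result in events:
        prev = last_seen.get(badge)
        if prev and prev[1] != reader:
            need = min_walk.get(frozenset({prev[1], reader}), 0)
            gap = (ts - prev[0]).total_seconds()
            if gap < need:
                findings.append((ts, badge,
                                 f"{prev[1]} -> {reader} in {gap:.0f} s "
                                 f"(min {need} s): possible cloned credential"))
        last_seen[badge] = (ts, reader)
    return sorted(findings)


if __name__ == "__main__":
    for ts, badge, reason in check_access_log(parse_log(ACCESS_LOG), BADGE_POLICY,
                                              READER_ZONE, MIN_WALK_S):
        print(f"{ts.isoformat()}  badge {badge}: {reason}")
```

The impossible-travel rule is only as good as the walking-time table, so measure those times on site rather than estimating them; a too-low minimum hides clones, a too-high one floods the review with false positives from people who simply jog. Zone-and-hours findings on a badge that the system granted anyway point at provisioning errors, which is exactly the “limit permissions by zone and time of day” control not being enforced.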
Also, advise clients to establish stricter provisioning policies. Enforce badge expiration. Disable unused credentials promptly. Avoid shared access cards at all costs.
Finally, educate procurement teams. Create internal checklists or minimum technical requirements for access systems. This can prevent future installations of flawed tech by ensuring integrators are held to a security standard—not just a delivery deadline.
Access control is a critical first layer of facility defense. Treating it like a convenience feature instead of a security function leads to long-term risk and short-term exposure. Know what you're installing. Test what you already have. And don't be afraid to challenge the status quo when the status quo is insecure.
Surveillance: When IR Fails in Practice
A surprising number of facilities spend thousands—sometimes hundreds of thousands—on surveillance systems that don’t actually work when they’re needed most: in the dark, in bad weather, or during a critical incident.
Infrared (IR) cameras are often pitched as the solution to 24/7 coverage. In theory, IR gives you visibility in complete darkness. But in practice, we see installations all the time where IR fails because of bad placement, environmental interference, or a simple lack of post-installation validation.
Here’s what goes wrong
A camera might look great during the day but become a blurry mess at night. Reflective surfaces like wet pavement, windows, or metal siding bounce IR light directly into the lens, washing out the image. Sometimes the IR illuminator isn’t powerful enough to reach across the space it’s supposed to monitor—or it creates a hotspot that causes auto-exposure to dial down everything else in frame.
In other cases, the cameras aren’t installed with true zero-light conditions in mind. Integrators test them during dusk, not full dark. Or they rely on facility lighting that’s motion-triggered, meaning the system is blind until someone’s already there.
What should be done differently?
Start by conducting a nighttime validation walkthrough. Don’t take the vendor’s demo footage or daytime performance as proof of function. Physically walk the site at night. Trigger motion paths, walk across critical zones, and review recorded footage for clarity, subject identification, and exposure balance.
Pay attention to environmental elements. Are street lights bleeding into the IR field? Are tree branches causing motion false positives? Is the IR LED reflecting off nearby signage or vehicle glass? These are subtle but critical issues that don’t show up on spec sheets.
Also check camera positioning. IR-supported cameras should be placed at an angle that avoids direct line-of-sight to reflective surfaces. Use downward-facing angles where possible, and avoid placing IR units behind glass—especially tinted or double-pane.
You should also check whether the system uses hardware-based or software-assisted image enhancement. Hardware solutions (e.g., low-light CMOS sensors with wide dynamic range) tend to produce more consistent results, while software solutions can falter under variable lighting conditions or degrade quickly in post-processing.
Another common issue is lighting conflict. For example, when IR cameras are installed near poorly timed floodlights or motion-sensor lighting, the sudden shift between lighting modes can cause the camera to re-calibrate and miss several seconds of video. During a breach, that’s enough time to lose a face, a license plate, or an action that explains intent.
Finally, test your video management system (VMS). Can you search for IR-triggered footage without spending 30 minutes scrubbing manually? Does it log illumination shifts or scene changes? Can it alert you when a camera loses its IR range or stops recording due to IR failure?
If you’re advising a client, explain that IR performance isn’t “set and forget.” It needs to be validated under operational conditions—and periodically revalidated as seasons change, foliage shifts, and lighting sources evolve.
Surveillance is supposed to help you see. Don’t let your cameras go blind the moment it matters most.
Security Near Water Is a Different Game
Deploying physical security controls near or on water—marinas, coastal facilities, ports, waterfront warehouses—is an entirely different challenge than securing land-based environments. Yet time and again, we see standard security equipment installed as if it’s being used in a parking lot in Phoenix rather than 20 feet from a saltwater inlet.
The result? Corroded cameras, water-damaged sensors, shorted-out wiring, and critical systems that degrade or fail completely—often without anyone noticing until it's too late.
Many integrators and facility managers underestimate just how aggressive water-based environments are. Even if the hardware is technically “weather-resistant,” that doesn’t mean it’s suited for prolonged exposure to humidity, salt air, constant mist, or marine-grade UV. And even less so if it’s near brackish water or areas prone to storm surge.
Standard aluminum camera housings, unsealed conduit runs, or rust-prone mounting brackets will all start to fail within months of installation. Once corrosion sets in, connectors become unreliable, voltage drops increase, and the system becomes a liability rather than a line of defense.
What to do differently
If you’re working in or advising on a marine environment, start with marine-rated components. Look for IP68 or NEMA 6-rated housings, which are fully submersible and dust-tight. Use stainless steel hardware (grade 316 or higher) for all mounts, brackets, and fasteners. Anything galvanized or powder-coated is a temporary fix at best.
Next, seal your terminations. All cable junctions, especially Ethernet or power terminations, should be sealed with dielectric gel, rubberized boots, or marine-grade heat shrink tubing. Never leave cable runs exposed to condensation paths—especially under docks, walkways, or in metal enclosures that experience temperature swings.
Dehumidify your enclosures. Every control box near water should include a moisture absorber or silica pack, and you should consider active dehumidification for sensitive equipment bays. Use vents or fans that support breathable but moisture-resistant air exchange.
Rethink your lighting. Light fixtures exposed to saltwater fog or sea spray need special coatings and sealed optics. Choose warm-spectrum, low-glare options that reduce reflective haze on wet surfaces—especially near docks or bulkheads where visibility can be critical.
You’ll also want to test environmental survivability. Simulate conditions: spray enclosures with water, measure voltage drop during high humidity, and inspect exposed metal for signs of premature wear. Review footage for fog interference, water beading, or condensation on lenses.
And don’t forget power protection. Install surge protection rated for marine applications, and physically isolate critical power runs from bulkhead mounts where water or splash exposure could occur.
Finally, monitor your systems proactively. Environmental monitoring sensors should be included inside enclosures to detect high humidity or temperature shifts. Cameras should be reviewed monthly for clarity loss due to lens degradation or corrosion.
Water eats hardware. The only way to maintain operational security near water is to respect the environment and engineer for it from the start.
Testing and Validation: Everyone’s Scared, and That’s a Problem
Ask most organizations about their physical security testing program, and you’ll get some variation of the same response: “We did a test a few years ago, but we haven’t done much since.” Ask why, and the reasons come quickly—concern about operational disruption, bad experiences with overzealous testers, fear of media leaks, or just plain uncertainty about how to do it right.
Security testing—whether red team, blue team, or physical penetration—is supposed to build confidence, expose blind spots, and improve response. But instead, it’s often treated like a legal risk or PR hazard. That mindset is costing organizations more than they realize.
The real issue isn’t that testing is too dangerous. It’s that it’s often done without clear boundaries or purpose.
We’ve seen engagements where testers were given verbal permission to “do what you need to do,” only to have the client panic when someone bypassed a main entrance or tripped an alarm. We’ve also seen the opposite—engagements so tightly constrained that the only thing tested was whether someone could walk in with a clipboard.
So how do you fix this? Start by writing real rules of engagement.
A solid ROE document is specific, unambiguous, and agreed upon by stakeholders before anything begins. It defines:
What’s in scope and out of scope (e.g., which buildings, times of day, equipment)
What is considered “fair play” (e.g., lockpicking, badge cloning, pretexting)
What constitutes an unacceptable impact (e.g., disabling life safety systems, disrupting operations)
How escalation will be handled if something goes sideways
It also defines how success is measured. Are you testing detection, response time, technical control bypasses, or the clarity of access logs? Be honest about what you're trying to learn—and don’t treat testing as a contest.
Communicate. Constantly.
Testing should never be a surprise to your operational team. Yes, surprise is part of simulation, but someone—usually a senior leader or facilities owner—must be looped in and ready to intervene if needed. Everyone must understand what’s being tested, what to expect if it goes wrong, and what support looks like if it does.
Don’t just test for headlines
We've seen some teams so focused on “capturing the flag” that they fail to collect valuable data. A good test logs timestamps, sensor performance, response actions, access logs, and narrative details. It's not just about getting in—it's about what that tells you about detection and resilience.
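The ROE elements listed above (scope, fair play, unacceptable impact, escalation) and the data a good test should log are both easier to enforce when they are written down in a form that can be checked. As an added example (not the author's document or the firm's own tooling), the following turns an ROE into a structure each planned action is screened against, and turns an engagement log into detection and response timings. Site names, the testing window, the technique lists, the escalation contact and the log events are all constructed placeholders.

```python
"""Machine-checkable rules of engagement and engagement-log timing metrics.

Added example, not from the original post or the author's practice. The site
names, time window, technique lists and log events are constructed
placeholders; a real ROE is agreed with stakeholders before any test begins.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope_sites: frozenset[str]
    window_start: time                  # local clock window in which testing may occur
    window_end: time                    # may be earlier than window_start (wraps midnight)
    allowed_techniques: frozenset[str]  # what counts as fair play
    prohibited_impacts: frozenset[str]  # impacts that are never acceptable
    escalation_contact: str             # who gets the call if something goes sideways


@dataclass(frozen=True)
class PlannedAction:
    site: str
    when: datetime
    technique: str
    impacts: frozenset[str] = frozenset()  # systems the action could affect


def in_window(t: time, start: time, end: time) -> bool:
    """True if t falls in [start, end], handling windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def check_action(roe: RulesOfEngagement, action: PlannedAction) -> list[str]:
    """Return every ROE violation a planned action would cause; empty means permitted."""
    problems: list[str] = []
    if action.site not in roe.in_scope_sites:
        problems.append(f"site out of scope: {action.site}")
    if not in_window(action.when.time(), roe.window_start, roe.window_end):
        problems.append(f"outside testing window: {action.when:%H:%M}")
    if action.technique not in roe.allowed_techniques:
        problems.append(f"technique not agreed as fair play: {action.technique}")
    for impact in sorted(action.impacts & roe.prohibited_impacts):
        problems.append(f"prohibited impact: {impact} (escalate to {roe.escalation_contact})")
    return problems


@dataclass(frozen=True)
class LogEvent:
    ts: datetime
    kind: str    # "entry", "alarm", "detected", "responded" or "note"
    detail: str


def response_metrics(events: list[LogEvent]) -> dict[str, float | None]:
    """Minutes from first entry to first alarm, first human detection and first response.

    None means that stage never happened, which is itself a finding worth reporting.
    """
    firsts: dict[str, datetime] = {}
    for e in sorted(events, key=lambda e: e.ts):
        firsts.setdefault(e.kind, e.ts)
    entry = firsts.get("entry")
    if entry is None:
        return {"alarm": None, "detected": None, "responded": None}
    return {k: ((firsts[k] - entry).total_seconds() / 60 if k in firsts else None)
            for k in ("alarm", "detected", "responded")}


# Constructed ROE and plan for a night-time test of two sites.
ROE = RulesOfEngagement(
    in_scope_sites=frozenset({"Building A", "Pier 2"}),
    window_start=time(22, 0),
    window_end=time(4, 0),
    allowed_techniques=frozenset({"lockpicking", "badge cloning", "pretexting"}),
    prohibited_impacts=frozenset({"life safety systems", "operations"}),
    escalation_contact="facilities owner (placeholder)",
)

PLAN = [
    PlannedAction("Pier 2", datetime(2025, 6, 1, 23, 15), "lockpicking"),
    PlannedAction("Building C", datetime(2025, 6, 1, 23, 30), "badge cloning"),
    PlannedAction("Building A", datetime(2025, 6, 1, 14, 0), "pretexting"),
    PlannedAction("Building A", datetime(2025, 6, 2, 1, 0), "lockpicking",
                  impacts=frozenset({"life safety systems"})),
]

# Constructed engagement log for the first planned action.
LOG = [
    LogEvent(datetime(2025, 6, 1, 23, 15), "entry", "tester through pier gate"),
    LogEvent(datetime(2025, 6, 1, 23, 17), "alarm", "gate door contact tripped"),
    LogEvent(datetime(2025, 6, 1, 23, 24), "detected", "guard flags tester on camera"),
    LogEvent(datetime(2025, 6, 1, 23, 31), "responded", "guard arrives at pier gate"),
]

if __name__ == "__main__":
    for action in PLAN:
        print(action.site, action.technique, check_action(ROE, action) or "permitted")
    print(response_metrics(LOG))
```

Only the first planned action passes; the other three each fail on exactly one of the ROE elements, which is the point: a tester and a client reading the same output cannot disagree about whether an action was inside the rules. The timing metrics (alarm at two minutes, detection at nine, response at sixteen in the constructed log) are what a report should map to specific controls, rather than the bare fact that the gate was opened.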
Build reporting that supports action
At the end of an engagement, your report should do more than say “we got in.” It should map findings to specific controls or failures, outline a fix roadmap, and offer training or design recommendations. Bonus points if the testers stick around to help implement changes.
If you’re a security leader hesitant to allow testing, start small. Scope a limited engagement. Test one perimeter access point or one layer of surveillance. Build confidence with targeted, low-impact evaluations and scale from there.
If you’re a tester, remember that every engagement is an audition for the next one. Go too far, cause an outage, or operate without discipline—and the client won’t just pull the plug. They’ll stop testing altogether, and that makes everyone less secure.
Testing isn’t a liability. Done right, it’s your best tool for building trust in your controls. Just give it the structure it needs to succeed.
From Sunburn to Signal Loss: What Stuck With Us
The field teaches in a way books never can. Every engagement reinforces the need for realistic threat modeling, system validation, and team readiness—because the adversary doesn’t care about your budget, your procurement delays, or your assumptions.
Whether you’re dealing with integrator-driven designs, questionable access controls, or the uncomfortable realization that your radios can be intercepted by a teenager with an SDR, the fundamentals remain the same: test your assumptions, verify your installations, and prepare your people.
Physical security isn’t just about hardening doors and buying better cameras. It’s about building an operational posture that can absorb shocks, adapt under stress, and expose weaknesses before someone else does.
If your team needs help building that posture—through assessments, testing, or training—we’re ready. And if you're already in the field, keep pushing. The work is tough, but the mission matters.
Ready to get serious about testing your facility or training your team? Let’s talk. We’ll help you find the gaps before someone else does.
📅 Book time with us or reach out directly at keith@redcellsecurity.org
-Keith Pachulski
Red Cell Security, LLC