PenEx

A Penetration Exercise (PenEx) is a safety and security exercise for testing risk and vulnerabilities to property, employees, guests, and/or assets. There are typically three levels: low, medium, and high. Penetration Exercises offer a comprehensive method to evaluate and validate your current safety and security protocols. These exercises also answer the question of how effective your systems and employee training are in a live scenario against a trained professional. Simply having policies or procedures does not mean they will work as designed. Additionally, the security training provided for your staff needs to be tested to ensure all employees act in accordance with the procedures they’ve learned.
A PenEx does not have to be a high-level scenario such as an "active aggressor" event; it can effectively test safety and security protocols during regular activities, such as preventing an outsider from “piggybacking” into the building. These exercises are controlled and extremely useful for identifying risks and vulnerabilities that may have been missed.

 

  • Identify potential entry points for attackers to exploit.
  • Fix vulnerabilities before they can be used in an attack.
  • Find ways to keep sensitive data secure and private.

Low:

The organization is informed of the date(s) and location(s) where the exercise will be conducted. Once staff identify a tactic as suspicious and initiate proper security protocols, that portion of the exercise stops. This level may also include participation by an organizational representative to accomplish the goals and objectives of the PenEx. The primary goals for a low level include:

  • PenEx duration is no more than two days.
  • *OSINT techniques for identifying organizational risk and vulnerabilities.
  • Access into restricted areas using social engineering.
  • Access to sensitive information using social engineering.
  • No tactics or techniques will be utilized that instill fear or panic, suggesting a law enforcement response.

*Open-Source Intelligence (OSINT) is the practice of gathering and analyzing publicly available information from sources such as websites, social media, and public records to gain actionable insights. It is often used in cybersecurity, law enforcement, and competitive intelligence to assess threats and make informed decisions without needing intrusive methods.

Medium:

The dates of the exercise are revealed; however, the location(s) are not. There is no participation in the PenEx by an organizational representative. Once staff identify a tactic as suspicious and initiate proper security protocols, that portion of the exercise stops. The primary goals for a medium level include:

  • PenEx duration is one to two weeks long.
  • OSINT+ for specific employees.
  • OSINT techniques for identifying organizational risk and vulnerabilities.
  • Access into restricted areas using social engineering.
  • Access to sensitive information using social engineering.
  • Manipulating doors to enter restricted areas.

 

High:

The exercises last more than two weeks and up to one month. Dates and times for the exercises are not disclosed. Repeated attempts to gain access to buildings and obtain information are made over the time allocated for the PenEx. The primary goals include:

  • PenEx duration is two weeks and up to one month long.
  • OSINT+ for specific employees.
  • OSINT techniques for identifying organizational risk and vulnerabilities.
  • Access into restricted areas using social engineering.
  • Access to sensitive information using social engineering.
  • Manipulating doors to enter restricted areas.
  • Preparation calls and emails for the scenarios.
  • Light and brief interruption of daily operations until the problem is resolved.

 


Contact us today to sign up for PenEx 

Don't forget to ask us about our other offers and services like Facility Threat Assessments, Responding to an Active Aggressor, Safety Team Certifications, and more.