Physical-Led Adversary Simulation

We get in.
So others can't.

BlackTrace Operations tests physical security the way real adversaries operate—researching, observing, and gaining access. We show what your controls actually stop, not just what they’re designed to.

Discuss an engagement Our services
Approach
Physical-first
We start where attackers start—outside your perimeter, using realistic access paths
Reporting
Evidence-led
Every finding is documented, evidence-backed, and prioritised by real-world impact.
Output
Actionable
Clear fixes, clear owners: what to change, why it matters, and how it reduces risk.
Delivery
10 Business Days
Report delivered within 10 business days of onsite completion.

Services

Three ways we test your exposure

Intelligence-led, discreet, and tailored to each organisation's environment and objectives.

01

Physical Intrusion Testing

We identify realistic access paths into facilities and restricted areas—and show what that access enables.

View service
02

Social Engineering & Human Access

We test how trust, routine, and social pressure can bypass controls, ethically and without singling out individuals.

View service
03

Adversary Simulation

End-to-end exercise: from physical foothold to objective validation, showing how weaknesses chain into material impact.

View service
2-3 wks
Typical engagement duration
5 days
Typical onsite window
10 days
Report delivery after onsite
Clear ROE
Agreed before testing begins

The difference

Most organisations test
whether controls exist.
BlackTrace tests whether
they prevent impact.

Documented controls and real-world behaviour are often very different. We operate like a determined adversary—finding gaps between policy and practice, then translating them into prioritised actions that reduce real risk.

How we work Talk to us

How we work

A structured method, not a checkbox exercise

Every engagement is designed around how a determined adversary operates—run with clear governance, proportionate methods, and tight control.

Full approach
01

Scoping & Rules of Engagement

Objectives, constraints, stop conditions, escalation routes, and named contacts — agreed before anything else.

02

OSINT & Planning

We assess what an attacker can learn from public sources before arriving on site.

03

Reconnaissance

We observe routines, access patterns, and the gap between documented process and real behaviour.

04

Controlled Access Attempts

Objective-driven testing under the agreed RoE. We validate what access enables—not just that access is possible.

05

Evidence, Reporting & Debrief

Attack path narrative, prioritised remediation, executive summary, and leadership debrief.

Who we work with

Where this works best

Most effective where physical presence and human access create genuine, material risk.

FS

Financial Services

Banks, insurers, and asset managers with branches, data centres, and trading floors where physical controls need real-world validation.

CNI

Critical National Infrastructure

Energy, utilities, and operational technology environments where physical access has direct operational consequences.

LS

Life Sciences & Pharma

Research facilities, manufacturing sites, and supply chains where intellectual property and compliance are high stakes.

CS

Corporate & Professional Services

Organisations with multiple offices, sensitive information, or where insider-like access is a credible threat.

HS

High-Security Facilities

Secure storage, data centres, colocation facilities, and sites requiring robust physical security validation.

GOV

Government & Public Sector

Public bodies and agencies where physical security controls need to be validated against realistic threat scenarios.

Ready to start

Understand your real-world exposure.

Before someone else does.

Contact us Common questions