20 minutes. One drone. No alarm.
It was a Tuesday morning when the head of site security at a mid-sized pharmaceutical company in Bavaria first heard about the incident. Not through an internal report – through a phone call from a neighbour who had been eating breakfast on his terrace and noticed something odd.
06:47. A DJI Mavic 3 – retail price €1,700 – launches from a car park 400 metres away. The pilot is sitting in an unremarkable van. For twenty minutes, the drone maps the entire site. Thermal camera on board: it shows in real time which parts of the building are heated – and where things are suspiciously cold despite the early shift being under way.
The server room glows as a bright patch. The rooftop ventilation shafts are logged with GPS coordinates. The camera team at the main gate is analysed for angles and blind spots. The delivery area at the back left: no camera coverage, no visible motion detectors, fence in poor condition.
07:09. The drone lands. The van leaves the car park. No alarm has triggered. No employee has noticed anything. The company does not even know the flyover happened.
Three weeks later, the company reports a break-in. No forced entry. No damage to doors or windows. The intrusion path leads through exactly the delivery zone that the drone footage had shown as a camera blind spot that Tuesday morning.
This incident is not an isolated case. It is a pattern – and it describes precisely what well-organised attackers use today as standard recon preparation before taking any physical step. Drones are not a future scenario. They are the tool of the present.
Anyone who believes drones are only a problem for airports and high-security facilities has not yet internalised the current threat reality. A consumer UAV for under €2,000 delivers information today that a human recon team would previously have needed days to gather – in twenty minutes, from a safe distance, without crossing a single threshold.
What an attacker sees from 80 metres up – and what is not on your site plan
Classic reconnaissance – whether digital via OSINT or physical on the ground – has one decisive blind spot: it delivers a ground-level perspective. Satellite data is outdated and too coarse for operational planning. Google Street View shows facades, but not rooftop infrastructure, camera angles or ventilation architecture.
A drone closes exactly that gap. It delivers a perspective found in no planning permit, no site plan and no security documentation: the tactical bird's-eye view in real time.
What an attacker sees from up there:
- Camera coverage and dead zones – Where are cameras positioned, which direction do they face, and where do geometrically unavoidable gaps open up between two camera sectors?
- Rooftop infrastructure – Ventilation shafts, skylights, maintenance hatches, roof hatches, air conditioning units as indicators of heat-generating systems below.
- Delivery zones and secondary entrances – Areas that employees barely notice in day-to-day operations but are ideal for a controlled approach.
- Condition of perimeter elements – Fence gaps, damaged sections, trees as climbing aids, scaffolding as temporary access routes.
- Personnel movements and routines – When do delivery vehicles arrive? When is the delivery area unmanned? Where do employees smoke on their break?
- Thermal signatures – With a thermal camera, heated areas, server rooms, network nodes and even personnel movement behind windows become visible.
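The "geometrically unavoidable gaps between two camera sectors" from the list above can be checked on paper once the aerial image has been annotated with camera positions, headings and fields of view. The following Python is an added example, not code from the original post or its authors: it models each camera as a horizontal sector (position, compass heading, horizontal field of view, useful range) and reports which sample points around the perimeter no camera sees, plus the points that depend on a single camera. All coordinates, camera parameters and point names are constructed for illustration and would be replaced with values measured from the annotated aerial image.

```python
"""Camera sector coverage check for an annotated aerial image.

Added example, not part of the original post. Every camera, coordinate and
sample point below is constructed for illustration.
Coordinates are site-local metres: x grows to the east, y grows to the north.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Camera:
    name: str
    x: float            # camera position, metres east of the site origin
    y: float            # camera position, metres north of the site origin
    heading_deg: float  # compass bearing the lens points at (0 = north, 90 = east)
    hfov_deg: float     # horizontal field of view in degrees
    range_m: float      # beyond this distance the picture is no longer useful


def bearing_deg(from_x, from_y, to_x, to_y):
    """Compass bearing from one point to another, normalised to 0..360."""
    return math.degrees(math.atan2(to_x - from_x, to_y - from_y)) % 360


def angle_diff_deg(a, b):
    """Smallest absolute difference between two compass bearings (handles the 360/0 wrap)."""
    return abs((a - b + 180) % 360 - 180)


def covers(cam, px, py):
    """True if the point lies inside the camera's horizontal sector and within range."""
    dist = math.hypot(px - cam.x, py - cam.y)
    if dist > cam.range_m:
        return False
    if dist == 0:
        return True  # a point on the camera mount itself
    off_axis = angle_diff_deg(bearing_deg(cam.x, cam.y, px, py), cam.heading_deg)
    return off_axis <= cam.hfov_deg / 2


def coverage_report(cameras, points):
    """Map each named point to the names of the cameras that see it."""
    return {
        name: [cam.name for cam in cameras if covers(cam, px, py)]
        for name, (px, py) in points.items()
    }


def dead_zones(cameras, points):
    """Names of the points that no camera sees, sorted for stable output."""
    report = coverage_report(cameras, points)
    return sorted(name for name, seen_by in report.items() if not seen_by)


def single_camera_points(cameras, points):
    """Points covered by exactly one camera: a dead zone as soon as that camera is blocked."""
    report = coverage_report(cameras, points)
    return sorted(name for name, seen_by in report.items() if len(seen_by) == 1)


# Constructed site: a 100 m x 60 m fenced rectangle centred on the origin, with
# three cameras transcribed from a hypothetical annotated aerial image.
CAMERAS = [
    Camera("gate", 0.0, -30.0, heading_deg=0.0, hfov_deg=90.0, range_m=50.0),
    Camera("ne_corner", 50.0, 30.0, heading_deg=225.0, hfov_deg=90.0, range_m=70.0),
    Camera("sw_corner", -50.0, -30.0, heading_deg=45.0, hfov_deg=60.0, range_m=60.0),
]

# Constructed sample points: places an attacker would test first.
SAMPLE_POINTS = {
    "main_gate": (0.0, -25.0),
    "ne_fence": (40.0, 20.0),
    "east_fence_mid": (48.0, 0.0),
    "sw_fence": (-45.0, -25.0),
    "delivery_rear_left": (-45.0, 25.0),  # within sw_corner's range but outside its sector
}

if __name__ == "__main__":
    for name, seen_by in coverage_report(CAMERAS, SAMPLE_POINTS).items():
        status = "covered by " + ", ".join(seen_by) if seen_by else "DEAD ZONE"
        print(f"{name:20s} {status}")
    print("dead zones:", dead_zones(CAMERAS, SAMPLE_POINTS))
    print("single-camera points:", single_camera_points(CAMERAS, SAMPLE_POINTS))
```

The model deliberately ignores vertical tilt and occlusion by buildings, vehicles or vegetation, so a point it reports as covered can still be invisible in practice; the reverse does not happen, which makes the uncovered list a conservative starting point for the walk-through. The single-camera list is the second thing to look at: a point seen by exactly one camera becomes a dead zone the moment that camera is blocked, misaligned or tampered with.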
Passive, active, combined – the four phases of drone recon
A well-prepared attacker does not use drones as the first step – but the third. Before that comes digital remote reconnaissance via OSINT – LinkedIn for organisational structures, Shodan for exposed systems, Google Earth for layout orientation. The drone then fills the gaps no satellite can close.
What becomes possible with this information
The collected drone data alone is not an attack. It is the preparation that makes an attack precise, and therefore successful. Combined with other vectors such as social engineering, badge cloning or manipulation of REX (request-to-exit) sensors, it forms a complete attack chain.
What is permitted – and what makes a drone flyover a criminal offence?
Drone flights over corporate sites in Germany operate within a complex framework of aviation law, data protection law and criminal law. The key question for affected organisations: what can they actually hold an attacker legally accountable for – and what is not even illegal?
| Situation | Legal assessment | Status |
|---|---|---|
| Flyover at up to 120 m above ground without camera | Open category under EU 2019/947 (maximum 120 m above ground); generally permissible in uncontrolled airspace (SERA.6001) provided no operating authorisation is required; above 120 m the specific category applies and an authorisation is needed | Legal |
| Flyover with camera over private property | Possible violation of property rights; image recordings fall under § 201a StGB (violation of the most personal sphere) if individuals are captured; GDPR-relevant upon storage | Grey area |
| Flyover with thermal camera over buildings | Technically no different category from optical, but thermal imagery of interiors may be classified as unlawful surveillance; no explicit Federal Court of Justice ruling | Unclear |
| Flyover over Critical Infrastructure (KRITIS) | § 15 LuftSiG: overflight ban over certain KRITIS objects; violation is a regulatory offence or criminal offence depending on classification | Prohibited |
| Drone flight as part of a break-in | Preparatory act for burglary (§ 123, § 243 StGB); in practice difficult to prove as long as no access has occurred | Evidentiary problem |
| Authorised physical pentest with drone | Fully legal with written engagement agreement and defined Rules of Engagement; aviation law authorisation may additionally be required | Legal with engagement |
The uncomfortable truth: an attacker who has flown over your site at 100 metres with an optical camera has in most cases not committed a directly punishable act, provided no individuals were filmed and the site is not explicitly designated as a restricted area. Before relying on that assessment, check whether your site lies in a geographic zone under § 21h LuftVO, which restricts drone operation over industrial facilities without the operator's consent; even where it does, a violation that nobody detects is never prosecuted. The consequence is clear: technical prevention must work, because criminal law alone does not provide adequate protection.
What applies during an authorised physical pentest?
Within the scope of a physical pentest with a written engagement agreement and defined Rules of Engagement, drone flyovers are a legitimate and valuable tool. However, the aviation law provisions of EU Drone Regulation (EU 2019/947) additionally apply: depending on weight class and operating area, a special operating authorisation from the aviation authority may be required. This overhead is manageable in practice – but must be explicitly addressed in the scoping conversation.
What you can do – and what does not work
Drone countermeasures are one of the most widely misunderstood topics in physical security. Many measures that seem intuitively sensible are in Germany either illegal, ineffective or both. An honest assessment follows.
What does not work or is not permitted
Shooting down drones, bringing them down via frequency jammers, or taking control of them via hacking – all of these are illegal in Germany in a private context. Nets or lasers for active interception are also legally problematic outside of authorised operations. These measures are reserved for state authorities and certain security agencies.
The goal of drone countermeasures for an organisation is not to bring drones out of the sky. The goal is to minimise the tactical information gain of an overflying attacker – through architecture, through shielding and through processes that render a drone recon flyover effectively useless.
What actually helps
How we integrate drone recon into our physical assessments
A physical pentest that does not account for drones is not complete in 2026. We use UAV-based reconnaissance as a standard component of our physical assessments – when the client requests it and when the legal and aviation law framework permits it.
What emerges is not a hobbyist video. It is a tactical site report:
- Annotated aerial image with mapped camera sectors, identified dead zones and marked access points
- Thermal image with all heat anomalies indicating critical infrastructure marked up
- Risk prioritisation: which blind spot is most critical in combination with other factors?
- Countermeasure recommendations with concrete implementation guidance
Combined with OSINT analysis, social engineering tests and physical access attempts, this creates a complete picture of how far a real attacker would get with the gathered intelligence – and where the critical gaps lie.
The most valuable finding from a drone-supported physical pentest is usually not the gap you expected. It is the blind spot that years of ground-level perspective have simply made invisible.
Conclusion: The threat no longer comes only from the ground
Physical security traditionally thinks in two dimensions: who can get through which door? Drones have added a third dimension to that question. An attacker operating professionally today does not start at the fence – they start 100 metres in the air, from a safe distance, with a device available in any electronics store.
The consequence is not panic, but a shift in perspective: anyone who has never viewed their own security architecture from a bird's-eye view does not know what an attacker sees. That is a resolvable knowledge gap – and a physical pentest with a drone component is the most direct way to close it.
Further reading: how attackers build an attack profile through digital research before the first drone ever takes off is covered in our post on Remote Recon to Physical Breach. What happens once an attacker is physically on site is examined in the posts on REX sensor vulnerabilities and access control systems.
What does your site look like from above?
We conduct UAV-supported reconnaissance as part of our physical pentests – with documented findings and concrete recommendations. Free initial call, no commitment.
Request a Physical Assessment →