
Through the Wall: Why Your Fences are Useless if the Backdoor is Open | CER & Pentest

Hatton Garden 2015: When Criminals Simply Walked Through the Wall

Imagine a high-security vault in London. Meter-thick walls, state-of-the-art alarm systems, and a vault considered impregnable. No laser beams like in Mission Impossible, no insiders. Just an elevator shaft, a heavy drill—and a long Easter weekend.

In the infamous Hatton Garden Safe Deposit Burglary, the gang climbed down an elevator shaft and used heavy machinery to drill through 50 centimeters of reinforced concrete. They didn't go through the door. They went through the structure—following the path of least resistance.

The total value stolen: an estimated £14 million. The actual vulnerability: not the lock, not the camera, not the alarm—but the collective assumption that the elevator shaft was not an attack vector.

In my audits, I see exactly this pattern time and again: Companies build fortresses at the front and leave the proverbial back door—on the roof, in the basement, in the ceiling void—wide open.

Key figures from the case:

  • £14M: Hatton Garden 2015 haul
  • 50 cm: reinforced concrete drilled through in one night
  • 0: technical zero-days needed
  • 4 days: undisturbed over the Easter weekend

Security Theater: Why Visible Security is Often None at All

Fences, turnstiles, and surveillance cameras often have a purely psychological effect. In security research, this is called "Security Theater"—measures that increase the feeling of security without significantly reducing the actual attack surface. The term was popularized by cryptographer and security researcher Bruce Schneier.

The reality in practice:

  • Fences deter opportunistic thieves—not a motivated attacker with a ladder and 15 minutes.
  • Cameras usually document the burglary for forensics rather than preventing it. No alarm stops an attacker who is already inside.
  • Security personnel patrol where it is convenient and well-lit. The real vulnerabilities lie in the blind spots—on the roof, in the technical shaft, in the basement hallway.

An attacker doesn't think in "secured entrances." They think in vectors: Where is the gap between what is guarded and what needs to be guarded?

Real Attack Vectors: Where We Actually Breach During Physical Pentests

In a Physical Pentest, we don't look for the most spectacular way—we look for the most efficient. Almost always, it's a combination of technical failure, hardware flaws, and human psychology. Here are the four most common vectors we exploit in practice:

  • Tailgating (CRITICAL): A smile, both hands full of coffee cups, or a heavy package—and an employee holds the secured door open for us. No technology protects against politeness.
  • Latch Shimming (HIGH): A poorly adjusted door latch or a gap too large is enough to push back the bolt with a simple shim tool. Duration: under 5 seconds.
  • Vertical Plane (HIGH): Roofs are the loneliest places of a building. Maintenance hatches for AC systems are often large enough for a person and only rudimentarily secured.
  • Suspended Ceilings (MEDIUM): In almost every office building, partition walls end at the false ceiling. A lifted tile opens a horizontal highway over every biometrically secured door.

Tailgating: The Weapon of Politeness

The easiest way through a secured door is for someone else to open it. No tools, no tech, no preparation—just a friendly demeanor and the exploitation of a deep-seated social norm: we hold doors for others. In buildings with high employee turnover, delivery traffic, or poorly visible badge readers, tailgating is by far the most common successful attack vector.

Latch Shimming: The 5-Second Gap

Many doors are closed but not actively deadbolted. A poorly adjusted latch or a gap between the door and frame is enough to push back the bolt using a thin shim tool. For a trained pentester, this takes under five seconds. Common findings in audits: side exits, server rooms, and connecting doors between tenant units.

The Vertical Plane: Roofs, Shafts, HVAC

While the main entrance is secured with triple-check controls, the roof is often the ultimate blind spot. Maintenance hatches for AC technicians, ventilation shafts, and cable conduits are often secured with a simple padlock—or not at all. Once on the roof, an attacker often has direct access to technical rooms housing network infrastructure and access control controllers.

Suspended Ceilings: The Hacker Highway

In almost every modern office building, partition walls end at the visible ceiling—not the structural slab. If you lift a ceiling tile, you discover you can crawl horizontally across the entire floor: over every biometrically secured door, over every badge reader, over every motion sensor in the hallway. This is the classic void bypass—and it works in the vast majority of buildings we audit.

A Physical Pentest doesn't just check hardware. It checks the three-dimensional puzzle of your building: What is behind the wall? What is above the ceiling? What is under the floor? And where did the last maintenance company stop cleaning up?

What We Systematically Test During a Pentest

  • Periphery, camera blind spots: Are there unmonitored angles along the perimeter that can be used as unobserved entry points?
  • Hardware, external hinges: Door hinges on the exterior can be dismantled in under 60 seconds—regardless of the lock.
  • Process, delivery zone policy: Are side entrances held open with a wedge for goods deliveries? A classic finding.
  • Vertical, roof and shafts: Are roof accesses, HVAC shafts, and cable conduits even included in the security assessment?
  • Social, tailgating resistance: Do employees respond to unknown persons in the building? Or is the unspoken rule: if you're in, you belong?
  • Infrastructure, void bypass: Do partition walls end at the structural slab—or the visible ceiling? This one question determines zone integrity.

Physical Resilience is Now Mandatory – The CER Directive

Physical security has long been the stepchild of compliance discussions. NIS2 dominates the headlines, GDPR the data protection departments. But with the CER Directive (Critical Entities Resilience Directive, EU 2022/2557), the EU has shifted the paradigm: physical resilience is no longer a recommendation for critical entities—it is a legally binding obligation.

NIS2 protects your data and systems. CER protects your building, your infrastructure, and your operational continuity—even against physical sabotage, burglary, and technical failure. Both directives are intertwined.

CER requirements, their concrete implications, the relevant audit area, and priority:

  • Risk Analysis of Physical Threats (MANDATORY). Implication: proof that physical hazards for all locations have been systematically identified and assessed. Audit area: perimeter, access control, shafts.
  • Protection of Critical Infrastructure (MANDATORY). Implication: physical protection measures must be documented and regularly tested. Audit area: server rooms, energy, network infrastructure.
  • Business Continuity for Physical Attacks (MANDATORY). Implication: critical services must be maintained even in the event of physical sabotage. Audit area: redundancy, segmentation, emergency access.
  • Delay Before Detection (RECOMMENDED). Implication: shafts, ceilings, and doors must demonstrably delay intruders, not just stop them. Audit area: voids, vertical plane, door security.
  • Incident Reporting (RECOMMENDED). Implication: physical security incidents must be reported and documented. Audit area: processes, logging, camera archiving.
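The delay requirement above is the one most often misread in audits. Delay only protects when it occurs after the point at which an intruder is detected, and only when the delay remaining after detection exceeds the time a response needs to arrive; the roof and ceiling-void vectors described earlier fail precisely because all of their delay is spent before any sensor fires. The following Python model is an added example written for this page, not the article's own tooling or any product of its author. Every layer, delay figure and the response time are constructed sample values, and the rule that an alarm fires as the intruder begins working on a sensor-equipped layer is the example's own simplifying assumption.

```python
"""Adversary-path timeline check for physical protection layers.

Added example, not part of the original article or the firm's own tooling.
It models the CER 'delay before detection' requirement the way physical
protection system design does: delay only protects if it occurs AFTER the
intruder has been detected, and the delay remaining after detection must
exceed the time a response force needs to arrive. Layer names, delays and
the response time are constructed sample values, not measured figures.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    delay_s: int   # seconds an intruder needs to defeat this layer (constructed)
    detects: bool  # True if working on this layer raises an alarm


@dataclass(frozen=True)
class Path:
    name: str
    layers: Tuple[Layer, ...]


def effective_delay(path: Path) -> int:
    """Delay that counts toward interrupting the intruder.

    Assumption: an alarm fires as the intruder starts on a detecting layer,
    so that layer's delay and everything after it count. Delay spent before
    the first detection buys nothing, because nobody is on the way yet.
    """
    total, detected = 0, False
    for layer in path.layers:
        detected = detected or layer.detects
        if detected:
            total += layer.delay_s
    return total


def assess(paths: Tuple[Path, ...], response_s: int) -> Dict[str, Tuple[int, bool]]:
    """Per path: (effective delay, True if a response arrives before the intruder is through)."""
    return {p.name: (effective_delay(p), effective_delay(p) > response_s) for p in paths}


def weakest_path(paths: Tuple[Path, ...]) -> Path:
    """The path an attacker following the least resistance would pick."""
    return min(paths, key=effective_delay)


def add_detection(path: Path, layer_name: str) -> Path:
    """Model a mitigation: put a sensor on an existing layer (e.g. a vibration sensor in a void)."""
    layers = tuple(replace(l, detects=True) if l.name == layer_name else l for l in path.layers)
    return replace(path, layers=layers)


# Constructed sample model of one building, built from the vectors the article lists.
MAIN_ENTRANCE = Path("main entrance", (
    Layer("reception turnstile", 60, True),
    Layer("badge door to office floor", 120, True),
    Layer("server room door", 180, True),
))
ROOF_HATCH = Path("roof hatch", (
    Layer("padlocked AC maintenance hatch", 30, False),
    Layer("technical room door", 60, False),
    Layer("server rack door with contact", 120, True),
))
CEILING_VOID = Path("tailgate + ceiling void", (
    Layer("tailgate through lobby door", 0, False),
    Layer("lift ceiling tile, crawl over server room door", 20, False),
    Layer("motion sensor inside server room", 0, True),
))
PATHS = (MAIN_ENTRANCE, ROOF_HATCH, CEILING_VOID)
RESPONSE_S = 300  # constructed: a guard reaches the server room 5 minutes after an alarm

if __name__ == "__main__":
    for name, (delay, ok) in assess(PATHS, RESPONSE_S).items():
        print(f"{name:28s} effective delay {delay:4d}s  {'OK' if ok else 'FAIL'}")
    print("weakest path:", weakest_path(PATHS).name)
    hardened = add_detection(ROOF_HATCH, "padlocked AC maintenance hatch")
    print("roof hatch with a sensor on the hatch:", effective_delay(hardened), "s")
```

Run as is, the main entrance passes (360 s of delay after the first alarm against a 300 s response), the roof path fails with 120 s because the padlock and the technical room door are defeated before anything fires, and the tailgate-plus-void path scores zero: the only sensor is inside the server room, where the delay is already spent. Adding a sensor to the roof hatch lifts that path to 210 s, still short of the response time, which is the practical point of the model: detection with no delay behind it and delay with no detection in front of it are the same gap seen from two sides, and an audit finding should say which half is missing.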

In this context, a Physical Pentest is not just a security tool—it is the sharpest instrument for fulfilling CER compliance obligations. A structured audit report documents identified vulnerabilities, assesses their risk, and provides actionable recommendations—exactly the format expected by authorities and oversight bodies.

What Needs to Be Done Now

Physical security is not a one-time project. It is a continuous process—because buildings change, employees leave, and attackers learn. Here are the measures that make the biggest difference in our audits:

  • Holistic Building Envelope Analysis: Commission a complete three-dimensional inventory: floor, walls, ceiling, shafts, roof. Any opening larger than 30 cm that is not monitored is a potential vector.
  • Upgrade Door Security: Check all critical doors: Where are the hinges? Is the latch actively locked or just clicked in? Are there sufficient strike plates? Shimming-resistant latches are a cost-effective, high-impact measure.
  • Institutionalize Tailgating Policy: It’s not enough to train employees. Processes must empower them to challenge unknown individuals—without social cost. Clear signage, mantraps in critical areas, and a culture where questioning is normal.
  • Include Voids in Security Planning: During the next renovation, ensure that partition walls extend to the structural slab—at least in secure areas. Where this is not possible: vibration sensors in the ceiling void.
  • Inventory Roof Accesses and Shafts: Create a full list of all vertical access points and their security status. Maintenance firms, HVAC technicians, and cleaning services are often unwitting vectors for poor security status.
  • Commission Physical Pentesting for CER Proof: A structured audit doesn't just reveal weaknesses—it provides the documentation you need for authorities and insurance providers. Let us find your blind spots before someone else does.

The most expensive firewall is useless if I'm sitting in your server room with a laptop—because I came through the air conditioning or a nice colleague held the door open for me. Physical security starts at the ground level and is decided by the sum of small oversights.

Conclusion: Your Building is a Three-Dimensional Target

Hatton Garden was not a stroke of genius. It was the consistent exploitation of a gap that anyone could have seen if they had viewed their building through the eyes of an attacker. That perspective is exactly what a Physical Pentest provides.

The CER Directive makes physical resilience a legal requirement for critical entities. But even if you don't fall under CER: the question isn't whether physical vulnerabilities exist in your building. The question is whether you know them—or if someone else finds them first.

Have You Looked at Your Building Through the Eyes of an Intruder?

We find your blind spots—systematically, documented, and CER-compliant.

Tags // #PhysicalPentest #CER #CriticalInfrastructure #BuildingSecurity #Tailgating #Resilience

© AccessGranted X GmbH