He was registered as a visitor at 9:30. He was in the server room by 9:47.
A logistics group headquartered in the Ruhr region. Sixteen sites, three thousand employees, a data centre on the ground floor of the main building. Physical security is solid on paper: access cards for all employees, a badge reader at the server room, a staffed reception desk with security personnel.
What is not on paper: reception prints visitor badges without photos. The escort requirement officially exists – but is not enforced in day-to-day operations. The visitor log is an Excel spreadsheet that nobody analyses. And once someone is inside, they can move freely throughout the building as long as they look like they know where they are going.
As part of an authorised physical pentest, our tester called ahead – posing as a representative of a fictitious IT service provider whose name he had previously identified on LinkedIn as an actual partner of the company. Appointment: 9:30, ostensibly for maintenance of the UPS system.
// Reconstructed sequence of events · authorised pentest · anonymised
9:28. Reception. The name is looked up in the Excel sheet – and found, because the tester had registered himself two days earlier via an email that looked like it came from the service provider. The receptionist prints a badge: first name, last name, date. No photo. No ID requested.
9:31. "Do you know where the UPS room is?" – "Somewhere in the basement, I think. Let me just call." Nobody picks up. "Try the ground floor, back left." No escort. No second check.
9:47. The tester is standing outside the server room. The badge reader shows green – because an employee had come out moments earlier and the door had not fully latched. Tailgating, without anyone noticing.
9:52. Photo of the rack. Photo of the patch panel. Server serial numbers. End of test. Total time from entering the building to critical infrastructure: 24 minutes.
The visitor registration system was not the only problem. But it was the entry point. Without it, no appointment would have been made, no badge printed, no door opened.
Visitor management is designed as a service process in most organisations – friendly, frictionless, hospitable. That is precisely the problem. What is intended as convenience is exploitable as an attack path.
Why visitor registration systematically fails
Visitor management processes were designed for a specific purpose: receive guests, register them, direct them onward. They were not designed to identify attackers. That is not a criticism of the people at reception – it is a structural design flaw.
The reality in most mid-sized and large organisations looks like this: the receptionist is trained to be polite. The process is designed to minimise friction. And the attacker knows exactly how to use that politeness and that frictionlessness as tools.
In most organisations, visitor management is the only access point where an attacker can appear legitimate without being legitimate. Everywhere else, they need technical means. Here, a name, a pretext and a friendly smile are enough.
The seven structural weaknesses
In our physical pentests, we encounter the same patterns repeatedly – regardless of company size or sector:
- No ID requirement: Visitors are registered based on the name they provide themselves. No verification takes place.
- Pre-registration without verification: Anyone who registers themselves – by email, phone or web form – is treated as a legitimate guest.
- Badges without photos: A badge with a name and date is easy to forge and does not uniquely identify the bearer.
- Escort requirement without enforcement: The policy exists, but nobody checks whether the visitor is actually accompanied.
- Logs without analysis: Visitor lists are maintained, but never examined for anomalies – repeat visits by the same person, unusual times, suspicious stated purposes.
- Time overruns go unnoticed: A visitor registered for one hour who stays for three is never flagged.
- Zone access without enforcement: The badge officially authorises certain areas – but nobody checks whether the visitor actually stays there.
The anatomy of a visitor management attack
An attack via visitor management is not accidental and not opportunistic. It follows structured preparation – and exploits exactly the gaps the process itself leaves open. The kill chain begins days before the actual visit.
Phase 1 – OSINT: The attack begins before the visit
Before an attacker even picks up the phone, they spend hours on research. LinkedIn provides the names of facility managers and IT service providers. The company website often names partner organisations. Glassdoor reveals which receptionist is currently on duty. And a simple Google dork on the company's cloud-based visitor management provider sometimes surfaces already registered visitors:
site:envoy.com "[company name]" or site:lobbytrack.com "[location]"
The result of this research is a pretext: a cover story that fits the target company's environment. Not a generic "IT technician" – but an employee of the actual maintenance contractor, who genuinely exists and whose name is findable on LinkedIn.
More on the OSINT phase and how attackers piece together digital traces into a complete attack profile is covered in our post on Remote Recon to Physical Breach.
Phase 2 – Pre-registration as a trust anchor
A pre-registration by email serves a psychological function: it legitimises. Someone who has an appointment is on the list – and anyone on the list is waved through without much scrutiny. The attacker exploits this dynamic deliberately.
The pre-registration comes from an email address that closely resembles the real contractor: maintenance@acme-service.com instead of maintenance@acme-services.com. Or it comes from a freshly registered domain that appears on no blacklist. Often a simple phone call to reception is enough – the appointment is noted by hand, and nobody checks who called.
A pre-registration is not a security feature. It is a convenience feature that attackers deliberately exploit as a trust anchor. Someone with an appointment does not need to show ID – that is the implicit logic embedded in most reception processes.
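The lookalike-domain trick described above can be caught before a badge is ever printed. The following is an added example, not code from the original post: it assumes facility management keeps an allowlist of known contractor domains (the two domains in `KNOWN_PARTNER_DOMAINS` are constructed) and classifies the sender domain of a pre-registration email as trusted, lookalike or unknown. Both of the latter map to the callback rule: phone the partner on its publicly listed number, never the one in the email.

```python
"""Triage of visitor pre-registration emails by sender domain.

Added example, not part of the original post or of any VMS product.
A sender domain is "trusted" only on exact match with the allowlist.
A domain within a few character edits of a known partner, or one that
embeds a known partner domain as a label, is a "lookalike". Anything
else is "unknown". Lookalike and unknown both require a callback.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed allowlist of contractor domains maintained by facility management.
KNOWN_PARTNER_DOMAINS: Set[str] = {"acme-services.com", "ups-wartung.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender_domain: str
    status: str                      # "trusted", "lookalike" or "unknown"
    closest_partner: Optional[str]   # which allowlisted domain it resembles, if any
    action: str                      # what reception should do with the request


def sender_domain(address: str) -> str:
    """Extract and normalise the domain part of an email address."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain


def triage_preregistration(sender: str, known: Set[str] = KNOWN_PARTNER_DOMAINS,
                           max_edits: int = 2) -> Verdict:
    """Classify the sender of a pre-registration request."""
    domain = sender_domain(sender)
    if domain in known:
        return Verdict(domain, "trusted", domain,
                       "accept; confirm the appointment with the named internal host")
    # A known partner domain embedded as a label, e.g. partner.com.portal.example
    embedded = [k for k in known if k in domain]
    if embedded:
        return Verdict(domain, "lookalike", embedded[0],
                       "do not accept; call the partner on its published number")
    closest = min(known, key=lambda k: edit_distance(domain, k))
    if edit_distance(domain, closest) <= max_edits:
        return Verdict(domain, "lookalike", closest,
                       "do not accept; call the partner on its published number")
    return Verdict(domain, "unknown", None,
                   "first-time contractor; call back before any badge is issued")


if __name__ == "__main__":
    for addr in ("maintenance@acme-services.com", "maintenance@acme-service.com",
                 "tech@acme-services.com.portal.example", "someone@gmail.com"):
        v = triage_preregistration(addr)
        print(f"{addr:42s} {v.status:9s} ~{v.closest_partner}  -> {v.action}")
```

The edit-distance threshold is deliberately small: two edits cover the dropped or doubled letter and the swapped TLD, while keeping genuinely unrelated domains in the "unknown" bucket, which still gets a callback rather than a badge.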
Phase 3 – At reception: Politeness as a weapon
Reception is the most critical point – and simultaneously the most poorly secured. The people there are trained to welcome guests, not to interrogate them. An attacker who projects confidence, gives a plausible name and tells a coherent story will be let through in the vast majority of cases.
What helps:
- Uniform or workwear bearing the supposed contractor's logo – inexpensive to obtain, high impact.
- Toolbox or laptop bag as visual context: "I'm here to work, not to steal."
- Name dropping: "I'm here for Mr Miller in IT" – the name is on LinkedIn, and nobody at reception checks whether Mr Miller actually arranged a meeting.
- Feigning time pressure: "I need to be back by 11, the next job is waiting." Time pressure reduces scrutiny.
All of these techniques fall under the heading of social engineering – and they work not because of technical vulnerabilities, but because of fundamental human reflexes: helpfulness, politeness, willingness to trust.
Phase 4 – Inside the building: How far does someone actually get?
Once a badge is in hand, the hardest obstacle has been overcome. Inside the building, there are rarely effective barriers for a determined attacker. The escort requirement is not enforced. Employees hold doors open – out of politeness. And a visitor badge looks visually almost identical to an employee badge, especially when printed in the same colour.
It is instructive to observe what happens in this phase when the attacker encounters a secured access system. Not infrequently, a friendly "Could you just open up? I've been waiting a while and my contact isn't answering" does the job. Or they simply wait until someone opens the door – and follow through: classic tailgating, undetectable by any technical system.
Phase 5 – The exit: The underestimated risk
The exit is at least as important as the entry. An attacker leaving the building with a USB drive full of data needs to be just as inconspicuous going out as coming in. In most cases this is trivial: the badge is handed back at reception – or not, because in many organisations nobody checks whether all visitors have actually left the building.
No exit control also means: an attacker could theoretically remain in the building, operate outside business hours and reappear the next morning as an "early visitor" – if the log is never audited.
Attack scenarios: What is possible with a visitor badge
Vulnerability matrix: Where things break down
| Vulnerability | How attackers exploit it | Risk | Fixable? |
|---|---|---|---|
| No ID requirement | Any identity can be assumed, no verification effort required | HIGH | Yes |
| Pre-registration without verification | Fake appointment via email or phone, no callback to named contact | HIGH | Yes |
| Badge without photo | Easy to forge, bearer cannot be uniquely identified | HIGH | Yes |
| Escort requirement without enforcement | Free movement after the first door, no ongoing oversight | HIGH | Partly |
| Log without analysis | Repeat visits, anomalies and time overruns go unnoticed | MEDIUM | Yes |
| No exit control | Remaining in the building possible, badge stays with attacker | MEDIUM | Yes |
| Cloud VMS publicly indexed | Visitor lists and employee names retrievable via Google dork | MEDIUM | Yes |
| No training for reception staff | Social engineering meets an unprepared first line of defence | MEDIUM | Yes |
What a secure visitor process looks like
The good news: most of these vulnerabilities are addressable through organisational measures – without significant technical investment. The visitor process does not need to be hostile. It needs to be structured.
Immediate actions (quick wins)
- Introduce ID verification: Every visitor shows a photo ID when checking in. The name is cross-checked. No ID – no badge. This is not distrust, it is standard practice.
- Photo badges: Every visitor badge includes a photo taken at check-in. This makes the badge person-specific and non-transferable.
- Callback for pre-registrations: For unknown contractors or first-time visitors: call back via the company's publicly known number – not the number provided. Verifies the appointment in 30 seconds.
- Check cloud VMS for indexing: Google dork: site:[your-provider.com] "[your company name]" – if results appear, correct visibility settings immediately.
- Audit the visitor log daily: Who was there, when, for how long? Are there repeat visits, anomalies, time overruns? Five minutes a day is enough for this check.
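The daily log audit in the last quick win, and the "logs without analysis" and "time overruns go unnoticed" weaknesses listed earlier, can be reduced to a handful of checks over whatever export the reception desk already has. The following is an added example, not code from the original post or from any VMS vendor: the CSV layout and the five sample rows are constructed, and the business-hours window, the overrun tolerance and the repeat-visit threshold are assumptions to be tuned per site.

```python
"""Daily audit of a visitor log export.

Added example, not part of the original post. It flags the anomalies the
post names: check-ins outside business hours, badges never returned,
stays that exceed the duration stated at pre-registration, and the same
name appearing repeatedly. Input format and thresholds are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time, timedelta
from typing import Dict, List

# Constructed sample export. "planned_minutes" is the duration stated at
# pre-registration; "checked_out" is empty when the badge was never returned.
SAMPLE_LOG = """\
date,name,host,purpose,planned_minutes,checked_in,checked_out
2024-03-04,J. Weber,M. Miller,UPS maintenance,60,09:28,12:40
2024-03-04,A. Brandt,K. Schulz,sales meeting,90,10:05,11:20
2024-03-05,J. Weber,M. Miller,UPS maintenance,60,09:30,
2024-03-05,P. Lang,K. Schulz,interview,60,06:12,07:05
2024-03-06,J. Weber,M. Miller,UPS follow-up,60,09:25,10:10
"""

BUSINESS_START = time(7, 30)                # assumed site hours
BUSINESS_END = time(18, 30)
OVERRUN_TOLERANCE = timedelta(minutes=30)   # grace before a stay counts as overrun
REPEAT_THRESHOLD = 3                        # visits by one name within the export


def parse_log(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per visit."""
    return list(csv.DictReader(io.StringIO(text)))


def _stamp(date: str, clock: str) -> datetime:
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")


def audit_visitor_log(text: str) -> List[str]:
    """Return one finding per anomaly; an empty list means a clean export."""
    rows = parse_log(text)
    findings: List[str] = []
    for r in rows:
        checked_in = _stamp(r["date"], r["checked_in"])
        planned = timedelta(minutes=int(r["planned_minutes"]))
        who = f"{r['name']} ({r['date']})"
        if not (BUSINESS_START <= checked_in.time() <= BUSINESS_END):
            findings.append(f"OUT_OF_HOURS: {who} checked in at {r['checked_in']}")
        if not r["checked_out"]:
            findings.append(f"NO_CHECKOUT: {who} never returned the badge")
            continue
        stay = _stamp(r["date"], r["checked_out"]) - checked_in
        if stay > planned + OVERRUN_TOLERANCE:
            findings.append(f"TIME_OVERRUN: {who} planned {planned}, stayed {stay}")
    # Repeat visits are judged over the whole export, not per row.
    for name, n in Counter(r["name"] for r in rows).items():
        if n >= REPEAT_THRESHOLD:
            findings.append(f"REPEAT_VISITOR: {name} visited {n} times; confirm with host")
    return findings


if __name__ == "__main__":
    for finding in audit_visitor_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the overrun on the first visit, the missing checkout on the second, the early-morning check-in, and the same contractor name three days running; the point is that each finding is a question for the named host, which is exactly the five-minute daily check the post asks for.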
Structural measures (30–90 days)
- Escort requirement with accountability: Every visitor has a named responsible escort – and that person confirms at exit that the visitor has left the building. Documented.
- Explicitly define zone access: The visitor management system should restrict visitors to specific zones – not only in the system, but physically through zone signage and access checks at sensitive areas.
- Train reception staff: Not as interrogation training – but as awareness. What pretexts exist? How do I recognise a suspicious situation? How do I escalate discreetly? A half-day training session delivers significant improvement.
- Enforce badge time limits technically: Modern VMS systems can issue badges with expiry times. After two hours, the badge no longer opens doors. Sounds simple – rarely implemented.
- Physical pentest with visitor scenario: Have a red team test your visitor process – with a real pretext, a real pre-registration and a real attempt. The result is the most direct evidence of the current state of affairs.
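Three of the structural measures above (named escort with exit confirmation, zone restriction, technically enforced badge expiry) are one access-decision rule seen from different sides. The following is an added example, not code from the original post or from any VMS product: it assumes a door controller that can evaluate a badge record in software, a constructed list of sensitive zones, and a dual-presentation convention in which the escort's own card is read right after the visitor badge at sensitive doors.

```python
"""Access decisions for time-limited, zone-restricted visitor badges.

Added example, not part of the original post or of any VMS product.
A badge carries an expiry, a set of permitted zones and a named escort.
The door logic denies anything outside that envelope, sensitive zones
additionally require the escort's card at the same reader, and the visit
is only closed when the named escort confirms departure. All badge
records and zone names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, Optional

MAX_VALIDITY = timedelta(hours=2)                    # hard cap on badge lifetime
SENSITIVE_ZONES = {"server_room", "network_closet"}  # constructed list


@dataclass
class VisitorBadge:
    badge_id: str
    visitor: str
    escort: str                 # named responsible employee
    zones: FrozenSet[str]       # zones the visitor may enter
    issued: datetime
    valid_for: timedelta
    returned_at: Optional[datetime] = None
    returned_to: Optional[str] = None

    @property
    def expires(self) -> datetime:
        return self.issued + self.valid_for


@dataclass
class Decision:
    allowed: bool
    reason: str


def issue_badge(badge_id: str, visitor: str, escort: str, zones: Iterable[str],
                issued: datetime, requested: timedelta = MAX_VALIDITY) -> VisitorBadge:
    """Issue a badge; validity is capped at MAX_VALIDITY whatever the host asked for."""
    return VisitorBadge(badge_id, visitor, escort, frozenset(zones), issued,
                        min(requested, MAX_VALIDITY))


def door_decision(badge: VisitorBadge, door_zone: str, now: datetime,
                  escort_card: Optional[str] = None) -> Decision:
    """Deny by default; allow only when every condition of the badge envelope holds.

    escort_card is the employee card presented at the same reader right after
    the visitor badge; it is required for zones in SENSITIVE_ZONES.
    """
    if badge.returned_at is not None:
        return Decision(False, "badge already returned")
    if now >= badge.expires:
        return Decision(False, f"badge expired at {badge.expires:%H:%M}")
    if door_zone not in badge.zones:
        return Decision(False, f"zone '{door_zone}' not on badge")
    if door_zone in SENSITIVE_ZONES and escort_card != badge.escort:
        return Decision(False, f"sensitive zone requires escort {badge.escort} at reader")
    return Decision(True, f"{badge.visitor} admitted to {door_zone}")


def close_visit(badge: VisitorBadge, confirmed_by: str, now: datetime) -> bool:
    """Only the named escort can close the visit; afterwards the badge opens nothing."""
    if confirmed_by != badge.escort:
        return False
    badge.returned_at = now
    badge.returned_to = confirmed_by
    return True


if __name__ == "__main__":
    t0 = datetime(2024, 3, 4, 9, 30)
    badge = issue_badge("V-0001", "J. Weber", "M. Miller", {"lobby", "ups_room"}, t0)
    for zone, offset in [("ups_room", 20), ("server_room", 20), ("ups_room", 150)]:
        d = door_decision(badge, zone, t0 + timedelta(minutes=offset))
        print(f"{zone:12s} +{offset:3d}min -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

Every denial carries a reason string because the denial itself is the useful signal: a visitor badge presented at a server-room reader, or presented after expiry, belongs in the same daily review as the visitor log.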
NIS2 & CER: What is required regulatorily
Organisations subject to NIS2 or the KRITIS umbrella law must demonstrably implement physical security measures – including access control for third parties. A visitor process without ID verification, without escort documentation and without log analysis does not meet these requirements. The CER Directive also explicitly requires operators of critical infrastructure to systematically address risks from unauthorised persons – visitors included.
A secure visitor process is not a declaration of hostility toward guests. It is a professional signal: we take security seriously – for our employees, our data and our partners. This can also be communicated as a quality marker.
Conclusion: The most dangerous badge is the one you printed yourself
Biometrics at the main entrance. RFID reader at the server room. Mantrap on the ground floor. All of that loses its value when an attacker walks through reception with a self-printed badge – because the process allows it.
Visitor management is not a peripheral topic in physical security. It is one of the most frequently used entry vectors in red team engagements – because it works. Not because of technical vulnerabilities, but because of human processes that prioritise convenience over control.
The solution is not distrust. It is structure. A verified appointment, a photo badge, a named escort requirement and a daily-audited log – these are not high-security measures. They are lived process management.
Further reading: how attackers prepare digitally before a visit is covered in the post on Remote Recon to Physical Breach. What happens after entering the building – particularly at emergency exits and REX sensors – is examined in the post on REX Sensor Blind Spots. And how orphaned accounts of former employees become a permanent risk is explained in the post on Orphaned Accounts.
How secure is your reception really?
We test your visitor process as part of a physical pentest – with a real pretext, a real pre-registration and a documented result. Free initial call, no commitment.
Request a Physical Assessment →