Episode Description
In this episode, Matt interviews Tom and Derek from our pen test team to break down why attackers often don’t need to hack their way in at all.
While most organizations invest heavily in tools like EDR and SIEM, Tom and Derek share how they regularly get inside buildings using nothing more than confidence, a good story, and sometimes even a box of donuts. From posing as copier technicians to tailgating behind employees, their experiences show that people are often the easiest way into an organization.
And once they’re in, things escalate fast. Physical access can quickly turn into network access, whether it’s plugging in a device, jumping on an unlocked workstation, or moving through the environment with far fewer restrictions than an external attacker would face.
The big takeaway is simple. Real-world testing exposes what audits miss. Doors get propped open, employees try to be helpful, and small gaps add up in ways most organizations never see on paper.
If you’re not testing your people and your physical controls, you’re only testing part of your security.
Key takeaways:
1. Attackers target people first, not systems - Social engineering consistently bypasses even mature technical controls.
2. Physical access equals full compromise - Once inside your facility, most security controls can be circumvented quickly.
3. Untested controls should be assumed to fail - If you’re not running social engineering or physical assessments, you don’t know your real risk.
4. Culture is a security control - Employees must feel empowered to challenge, verify, and report suspicious behavior.
5. Real-world testing reveals what audits miss - Offensive social engineering exposes how attacks succeed, not just theoretical vulnerabilities.