Checklists

These checklists are meant as practical starting points. They are not meant to replace planning or operator judgment, but they are useful for making sure obvious details are not missed.

Reconnaissance Checklist

Reconnaissance is split into remote work and physical observation.

Remote Reconnaissance

Identify the target location, surrounding area, and likely external approaches.
Map company websites, social media, job posts, public records, and public photos.
Identify key employees, public-facing roles, vendors, and contractors.
Look for naming conventions, email formats, and likely pretext material.
Check map services, street view, parking, loading areas, and neighboring buildings.
Review Shodan, exposed IP ranges, access-control exposure, and other internet-facing infrastructure when it is relevant and in scope.
Document anything that could support timing, disguise, pretexting, or remote engagement.

Physical Reconnaissance

Observe entrances, exits, gates, windows, fences, loading docks, and smoking areas.
Note badge readers, intercoms, PIN pads, camera placement, and guard coverage.
Identify access-control brand, reader technology, and whether additional factors such as PIN are used.
Watch how doors behave in practice, including latch timing, hold-open time, and challenge behavior.
Observe staff routines for opening, lunch, shift change, closing, cleaning, and deliveries.
Capture visual identity markers such as clothing style, lanyards, ID cards, and contractor branding.
Photograph and document everything that helps planning, access, and reporting later.

Operational Checklist

This covers the three phases that make up the main operational part of the engagement.

Initial Access

Confirm the primary approach, fallback approach, and stop conditions before moving.
Check appearance, props, cover story, and communications setup.
Confirm who is observing, who is engaging, and how evidence will be captured.
Watch reception, guard behavior, and tailgating opportunities before committing.
Record the exact point where outsider status becomes insider access.
Document which control, routine, or human decision failed to stop entry.

Expand Access

Map what became reachable immediately after the first foothold.
Check whether higher-value rooms, badge levels, cabinets, or systems can be reached.
Identify whether local presence enables network access, wireless reachability, or access-control abuse when approved in scope.
Decide whether proof has already met the client objective or whether deeper validation is still needed.
Document the sequence of control failures that allowed access to expand.

Persistent Access

Assess whether re-entry is possible without rebuilding the operation from scratch.
Check whether badges, cards, copied credentials, or environmental weaknesses support repeatable access.
Evaluate whether access can be retained quietly and how durable that access would be.
Document whether persistence is opportunistic, temporary, or repeatable.
Stop once persistence is understood well enough to report without creating unnecessary risk.