Checklists

These checklists are meant as practical starting points. They are not meant to replace planning or operator judgment, but they are useful for making sure obvious details are not missed.

Reconnaissance Checklist

Reconnaissance is split into remote work and physical observation.

Remote Reconnaissance

Confirm written authorization, scope, contacts, and approved techniques.
Identify the target location, site boundaries, and public approaches.
Review company websites, social media, press releases, and public photos.
Check job posts, public records, and filings for site and role details.
Identify public-facing roles, reception functions, vendors, and contractors.
Note naming conventions, email formats, phone numbers, and contact paths.
Review map services, street view, parking, loading areas, and neighboring buildings.
Document visible signage, visitor instructions, and public-facing policies.
Review Shodan, exposed IP ranges, and internet-facing systems when in scope.
Record sources, timestamps, screenshots, and evidence references for reporting.

Physical Reconnaissance

Confirm observation windows, physical boundaries, and evidence rules.
Observe entrances, exits, gates, windows, fences, loading docks, and smoking areas.
Note reception layout, visitor flow, and guard or desk coverage.
Record badge readers and where they are installed.
Record intercoms, call points, and visitor entry stations.
Record PIN pads, keypads, and other visible secondary controls.
Record cameras, mounts, warning signs, and apparent coverage areas.
Record turnstiles, alarms, visitor kiosks, and other visible control points.
Identify access-control brand, reader type, and visible multi-factor use.
Watch door behavior, including latch timing, hold-open time, and relock behavior.
Note challenge behavior, visitor handling, and anti-tailgating measures.
Observe routines for opening, lunch, shift change, cleaning, deliveries, and closing.
Capture visual identity markers such as clothing style, lanyards, badges, and contractor branding.
Photograph and document findings with timestamps, locations, and evidence references.

Operational Checklist

This covers the three phases that make up the main operational part of the engagement.

Initial Access

Confirm the primary approach, fallback approach, and stop conditions before moving.
Check appearance, props, cover story, and communications setup.
Confirm who is observing, who is engaging, and how evidence will be captured.
Watch reception, guard behavior, and tailgating opportunities before committing.
Record the exact point where outsider status becomes insider access.
Document which control, routine, or human decision failed to stop entry.

Expand Access

Map what became reachable immediately after the first foothold.
Check whether higher-value rooms, badge levels, cabinets, or systems can be reached.
Identify whether local presence enables network access, wireless reachability, or access-control abuse when approved in scope.
Decide whether proof has already met the client objective or whether deeper validation is still needed.
Document the sequence of control failures that allowed access to expand.

Persistent Access

Assess whether re-entry is possible without rebuilding the operation from scratch.
Check whether badges, cards, copied credentials, or environmental weaknesses support repeatable access.
Evaluate whether access can be retained quietly and how durable that access would be.
Document whether persistence is opportunistic, temporary, or repeatable.
Stop once persistence is understood well enough to report without creating unnecessary risk.