
What a Physical Penetration Tester Taught Us About Identity Security 


The biggest identity security vulnerabilities in your organization may not be technical — they may be human. That was the central lesson of the third installment of Radiant Logic’s Through the Eyes of the Adversary series, which featured Freaky Clown (FC), co-founder and head of ethical hacking at Cygenta, and author of How I Rob Banks and Other Such Places. One of the most experienced physical penetration testers in the field, FC has spent three decades breaking into banks, hospitals, and critical infrastructure on behalf of the organizations that hire him.  

The insights he shared in this webinar bridge the physical and digital worlds in ways that carry direct implications for IAM leaders, CISOs, and anyone responsible for securing enterprise identity today. In this blog post, we cover the key lessons he taught us about breaking and defending both physical and digital identity.

What Physical Penetration Testing Reveals About Cybersecurity   

Physical penetration testing (a.k.a. red teaming) is the practice of attempting to breach an organization’s physical security controls to identify vulnerabilities before a real adversary does. FC has a 100% success rate doing exactly this, and his clients rarely believe it’s possible until it happens. 

What makes it possible isn’t technical sophistication. Rather, it’s reconnaissance, patience, and an understanding of how people think. 

“The more secure a place looks, there are generally ten other ways in,” FC explained. Whether the entry point was a job application form with self-service access checkboxes that FC filled in himself and used to talk his way into a full-access badge, or an unsecured rooftop that gave him free access to all the air conditioning systems for the server rooms below, FC’s stories shared a common thread: Organizations build their defenses around the attacks they can imagine, not the ones they can’t. 

The recon phase of each red-teaming operation, FC stressed, is where the real work happens. Weeks of observation, floor plan extraction from publicly posted fire evacuation maps, and behavioral pattern analysis of security guards precede any physical action. By the time FC walks through his client’s door, very little is left to chance. 

The deepest lesson from these engagements isn’t about locks or badges — it’s about human behavior. When FC spent time at an employee’s desk photographing it with a professional camera, a colleague sitting nearby noticed but never said a word.

“That ambivalence — ‘I can see something odd is happening, but I don’t want to get involved’ — is the biggest security vulnerability of all. He could have stopped everything with a single question.” — FC

How Physical Identity and Digital Identity Are the Same Problem

As the conversation shifted toward the digital domain, a clear throughline emerged: The tactics FC uses to breach physical security map almost perfectly onto how adversaries exploit digital identity. 

Stale physical access badges left uncanceled? That’s an unrevoked service account. A borrowed employee badge worn by someone who doesn’t belong? That’s a hijacked session token. Walking into a building and being trusted because you’re already inside? That’s lateral movement after initial access.

“Stale accounts in the digital world are exactly like stumbling upon an unused access badge,” FC said. “The mindset needed to defend against both is the same.”

The conversation then turned to a dimension that’s rapidly expanding the identity attack surface: non-human identities and agentic AI. FC noted that when attackers gain digital access, the goal isn’t to impersonate individual users — it’s to become the target system itself, and take over not just human identity, but machine and agent identity. 

“Thinking about computers as people is probably the best framework — and conversely, protecting computer systems and AI agents means treating and controlling them like people.” — FC

Addressing the Three Identity Problem — treating machine and agentic identities with the same rigor as human ones — has urgent implications. According to FC, as enterprises experiment with agentic AI, API keys and agent credentials are being created informally, granted excessive permissions, and forgotten. “Suddenly there are API keys everywhere, identities everywhere — it’s the same problem as hardcoded passwords,” he said.

How to Secure Digital Identity: Key Recommendations for IAM and Security Leaders

FC’s closing recommendations were direct and rooted in hard experience. For IAM leaders and CISOs responsible for securing digital identity, especially in hybrid enterprises, three priorities stood out. 

Segment your networks to enforce least-privilege access. FC called network segmentation the single biggest defensive lever available — and one of the most consistently ignored. “You don’t need everyone to have access to everything all the time.” A flat network turns every compromised identity into a skeleton key, making Zero Trust network architecture not just best practice but a critical safeguard. 

Treat access removal as a security-critical process. The most overlooked identity risk FC encounters isn’t weak passwords or phishing — it’s accumulated access that never gets cleaned up. “People who’ve been (at an organization) 20 years and moved through five or six departments still have access to everything they’ve ever touched, because no one wants to take away privileges.” The same applies to contractors, third-party vendors, and — increasingly — AI agents. 

Proactively invest in red team and blue team collaboration. Security teams go blind to their own environments, which is why red teams and blue teams must function as two halves of the same whole. “You don’t hire a red teamer to run your defense, and you don’t hire a defense team to do your red teaming,” FC said.  
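As an added illustration (not code from the webinar, Cygenta or Radiant Logic), the script below runs the access-review logic behind the second recommendation and the "API keys everywhere" concern over a constructed identity inventory: it flags identities unused beyond a threshold, entitlements carried over from former departments, and non-human identities with no named owner. All identifiers, dates and entitlement names are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one human, one service
# account and one AI-agent API key. Each entry records the department that
# granted every entitlement and the date the identity was last used.
TODAY = date(2025, 1, 15)
STALE_AFTER = timedelta(days=90)
INVENTORY = [
    {"id": "alice", "kind": "human", "dept": "finance", "owner": "alice",
     "last_used": date(2025, 1, 14),
     # hr-portal and crm-export were granted in departments alice has since left
     "grants": {"erp-admin": "finance", "hr-portal": "hr", "crm-export": "sales"}},
    {"id": "svc-backup", "kind": "service", "dept": "it", "owner": "it-ops",
     "last_used": date(2024, 6, 1),
     "grants": {"backup-storage": "it"}},
    {"id": "agent-key-7f3a", "kind": "agent", "dept": "engineering", "owner": None,
     "last_used": date(2025, 1, 10),
     "grants": {"repo-write": "engineering", "prod-db-read": "engineering"}},
]


def review_identity(ident, today=TODAY, stale_after=STALE_AFTER):
    """Return review findings for one identity; the same checks apply whether
    it is a person, a service account or an agent credential."""
    findings = []
    idle = today - ident["last_used"]
    if idle > stale_after:
        findings.append("stale: unused for %d days" % idle.days)
    # Accumulated access: entitlements granted by a department the identity
    # no longer belongs to and that nobody revoked on transfer.
    carried = sorted(g for g, d in ident["grants"].items() if d != ident["dept"])
    if carried:
        findings.append("accumulated access from former departments: " + ", ".join(carried))
    # Non-human identities need a named owner who answers for their access.
    if ident["kind"] != "human" and not ident.get("owner"):
        findings.append("non-human identity with no owner")
    return findings


def review_inventory(inventory, today=TODAY):
    """Map each identity id to its findings, omitting clean identities."""
    report = {}
    for ident in inventory:
        findings = review_identity(ident, today)
        if findings:
            report[ident["id"]] = findings
    return report


if __name__ == "__main__":
    for ident_id, findings in review_inventory(INVENTORY).items():
        print(ident_id, "->", "; ".join(findings))
```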

Break and Defend Identity 

FC’s session was a vivid reminder that attackers succeed because organizations defend against the threats they can imagine while leaving human assumptions and blind spots unexamined. Stale access, assumed trust, and unchecked lateral movement are the same problem wearing different clothes, whether the entry point is an unlocked rooftop or a forgotten API key.  

The path forward requires both sides of the security equation: red teams finding what defenders can’t see, blue teams hardening what attackers would exploit, and IAM leaders treating identity — human, machine, and agent alike — as the perimeter. 

For deeper insights from FC on his ethical hacking adventures and what he thinks needs to change regarding digital identity, watch Through the Eyes of the Adversary: Breaking and Defending Identity in Hybrid Enterprises on demand.