#4040: The Clipboard That Opens Any Door

Professional liars with rulebooks: inside the world of authorized break-ins, badge cloning, and jail time as a line item.

Episode Details
Episode ID: MWP-4219
Duration: 20:47
Pipeline: V5
TTS Engine: chatterbox-regular
Script Writing Agent: deepseek-v4-pro

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

Physical penetration testing is a structured, authorized attempt to bypass physical security — locks, guards, badge readers, tailgating policies — using social engineering, lockpicking, and cloned access cards. The key distinction from actual crime is a signed contract and a scope document that says "please try to break into our building." Testers operate on a strange tightrope: paid to deceive and manipulate, but legally precarious if they step even slightly outside agreed boundaries.

The talent pool is surprisingly small — a few hundred people globally — and dominated by former military and intelligence personnel, not ex-cons as often imagined. A 2024 industry survey found most testers came from Mossad, SAS, or similar government service, then set up corporate security consultancies. The work ranges from bank vaults to airport checkpoints, where TSA's Red Team has achieved alarmingly high success rates smuggling mock weapons through security — though critics argue some test designs are engineered for dramatic headlines rather than realistic assessment.

The most revealing detail? Many testers budget for a night in jail as standard operating procedure. When a guard calls the police instead of following protocol, the tester's authorization letter means nothing to a patrol officer. Safe words exist — absurd code phrases meant to trigger a call to the client's security director — but they only work if the guard knows and follows the protocol. The system's effectiveness has a shelf life: testers must retire successful pretexts after being recognized at multiple sites, and security vigilance spikes after tests then slowly decays. The central question remains: is this making us safer, or just refining the theater?


Corn
Daniel sent us this prompt that picks up a thread we barely touched before — the world of physical penetration testers. People who get paid to lie their way past security guards, clone access badges, and talk themselves into server rooms. And here's the thing that grabbed me: getting arrested isn't a bug in this line of work. It's a line item in the project budget.
Herman
It really is. I was reading through a twenty twenty-four industry survey, and one tester described it as, quote, "I always budget for a night in jail." Said it the way you'd budget for parking.
Corn
Which is either the most committed professional mindset I've ever heard, or a sign that the entire field has a deeply weird relationship with risk.
Herman
But here's why this matters right now — the TSA has its own covert testing program, the Red Team, and the numbers coming out of it are genuinely alarming. A twenty twenty-three DHS Inspector General report found that at some airports, Red Team operators successfully smuggled mock weapons and explosives through checkpoints in ninety five percent of tests.
Corn
Ninety five percent.
Herman
And that's not a one-off. Similar results showed up again in twenty twenty-four testing.
Corn
We're spending billions of dollars on airport security, and the people whose job it is to test that security can stroll through with fake explosives almost every single time. That's either a catastrophic failure or a sign that the tests themselves are designed to produce dramatic headlines — and neither option is comforting.
Herman
That's exactly the tension Daniel's prompt gets at. He said he'd never really come across this world before, but once you hear about it, it makes abundant sense. Of course someone's testing the human side of security. And he asked a bunch of questions I think are worth unpacking — who are these people, who hires them, what happens when the test goes wrong, and is this whole thing actually making us safer or is it just security theater with handcuffs?
Corn
Let's follow that thread. Because the more you look at this world, the stranger it gets.
Herman
Let's define what we're actually talking about, because "physical penetration testing" sounds like something you'd need a medical degree to discuss.
Corn
You have one, so tread carefully.
Herman
But no — physical pen testing is a structured, authorized attempt to bypass physical security. Locks, guards, badge readers, tailgating policies. The tester uses social engineering, lockpicking, cloned access cards, whatever works within the agreed scope. And the key word there is "authorized." Someone inside the organization signed a contract and said, "Please try to break into our building."
Corn
Which is what separates it from just breaking in. The contract, the scope document, and what amounts to a get-out-of-jail card.
Herman
And it's worth distinguishing this from red teaming, which is the broader term. A red team engagement might combine cyber and physical attacks — hack the network while someone else talks their way past the front desk. Physical pen testing is the boots-on-the-ground piece of that. It's also completely different from criminal social engineering, where there's no authorization and the intent is malicious. The difference is a piece of paper signed by someone with authority to sign it.
Corn
The tester is hired to be adversarial — to think like a criminal, act like a criminal, exploit the same weaknesses a criminal would — but they have to stay inside a legal and ethical box the whole time. That's a strange tightrope.
Herman
It's the defining tension of the field. You're being paid to deceive people, to manipulate trust, to exploit human psychology — but if you go too far, you're not a tester anymore, you're just a criminal with a weird defense strategy.
Corn
"Your honor, I was only pretending to clone that executive's keycard."
Herman
And that tightrope shapes everything about who does this work and how they do it. The scope document is incredibly specific — "you may attempt to access the server room on the seventh floor between nine AM and five PM, no physical damage, no threatening behavior, no impersonating law enforcement." Step outside those lines and the authorization evaporates.
Corn
You're a professional liar with a rulebook. Which, now that I say it out loud, sounds like several professions I can think of.
Herman
I'm not touching that one. But the point stands — this isn't chaos. It's structured, contracted, and legally precarious. And that precariousness is where all the interesting stories come from.
Corn
Daniel's prompt asked the obvious question — who actually does this for a living? And his instinct was that it's a perfect job for ex-cons. Reformed criminals, skills repurposed. Which makes a certain kind of sense.
Herman
It does, and you do see a few examples. Kevin Mitnick is the famous one — after prison, he became a security consultant. But he's the exception that proves the rule. The reality is that a criminal record is a massive liability in this field.
Corn
Because of security clearances.
Herman
Clearances, liability insurance, client trust. Most firms won't touch you if you've got a conviction. The industry survey I mentioned earlier found the actual talent pool is dominated by former military and intelligence — ex-Mossad, ex-SAS, people who left government service and set up corporate security consultancies. Then you've got career security professionals who trained in lockpicking and social engineering through legitimate channels, conferences, certifications. And a handful of reformed hackers. But the ex-con pipeline Daniel imagined? It's mostly a Hollywood thing.
Corn
The person sweet-talking their way into a bank vault is more likely to have spent ten years in special forces than ten years in prison. Which, when you think about it, means the state trained them to do this and then they took those skills private.
Herman
That's exactly the career arc. And the community is tiny. We're talking maybe a few hundred people globally who do this as their primary job. It's not a field you fall into by accident.
Corn
Who's hiring those few hundred people?
Herman
Everyone with something to protect. Big banks, tech companies, data centers. Government agencies — the TSA, DHS, Department of Defense. Critical infrastructure operators, power plants, airports. Anyone whose security failure would make headlines.
Corn
The TSA's Red Team is the most public example.
Herman
The most controversial. Here's how it works: covert testers attempt to smuggle mock weapons or explosives through airport checkpoints. In twenty twenty-three, one test involved a tester posing as part of a family with a crying child. The guard was so distracted by the screaming kid that the mock explosive went right through.
Corn
That's the clipboard effect with a soundtrack.
Herman
It's textbook. But here's the kicker — that test was later criticized because the mock explosive was a prop that wouldn't have triggered the scanner anyway. So the ninety five percent failure rate everyone cites? Some of it reflects genuine human vulnerability, and some of it reflects test design that's engineered to produce dramatic results.
Corn
Which brings us to the mechanics of a typical engagement. What does this actually look like on the ground?
Herman
It starts with a scope document. The client says something like: "Access the server room on floor seven between nine AM and five PM, no physical damage, no impersonating law enforcement." The tester then builds a pretext — a false identity and backstory. Delivery driver is a classic. IT support, cleaning staff, fire alarm inspector.
Corn
The fire alarm inspector one is real?
Herman
Twenty twenty-four case from a UK firm. Tester walked into a bank's vault area wearing a high-vis vest and carrying a clipboard. Guard didn't check a single credential. The clipboard is basically a skeleton key.
Corn
It's the most powerful security bypass tool ever invented. Forget the Proxmark3 — carry a clipboard and look annoyed.
Herman
I mean, the Proxmark3 is real too — it's an RFID cloner that can copy access badges from a few feet away. But the hardware is secondary. The primary vector is always the social engineering. People want to be helpful. People defer to authority. People don't want to be the one who delayed the fire inspector while the building burned down.
Corn
The tester exploits the gap between security policy and human nature. The policy says "verify all credentials." Human nature says "this person in a high-vis vest clearly belongs here and I don't want to be rude."
Herman
That gap is everywhere. It's not a technology problem. It's a human one.
Herman
What happens when the gap swallows someone? Because it does. More often than the glossy case studies let on.
Corn
You're talking about the arrest problem.
Herman
The scenario where the guard doesn't just fail to verify credentials — the guard calls the police. And suddenly you're not a penetration tester anymore. You're a guy in handcuffs trying to explain that breaking into a server room is, technically, your job.
Corn
Which has to be one of the least convincing things you can say to a patrol officer at two in the afternoon.
Herman
There's a twenty twenty-two incident out of Chicago that's become kind of a cautionary tale in the industry. Tester for a major firm gets caught in a restricted area. The guard calls nine one one. City police show up, and the tester's "get-out-of-jail letter" — signed by the client's CEO — means nothing to them. They've never seen one before. It looks like a forgery. So the tester spends six hours in a holding cell before the client's security director physically drives to the precinct to sort it out.
Corn
That's not a close call. That's an afternoon in jail.
Herman
The tester's response afterward, in an industry interview, was basically — that's the job. I budget for it. Which sounds like bravado, but I think it's actually just realism. When you spend your career pretending to be someone you're not, in places you're not supposed to be, eventually the system treats you exactly the way it's designed to treat intruders.
Corn
That's the tension. The system is working — the guard did the right thing — and the tester is the one who ends up in a cell for doing their job correctly.
Herman
Most firms have a safe word system to prevent exactly this. A code phrase the tester can say to a guard that triggers a call to the client's security director. Something like "the eagle flies at midnight."
Corn
That's not a safe word. That's a Cold War dead drop.
Herman
It's absurd, but it exists because the alternative is worse. The problem is, the safe word only works if the guard knows it, recognizes it, and follows the protocol. If the guard panics and calls the police first, the safe word is just a weird thing you said while being arrested.
Corn
Which connects to the small-pool problem. Daniel asked whether testers ever get recognized, and the answer seems to be yes — because there just aren't that many of them.
Herman
A few hundred people globally, doing this full-time. And they reuse personas. One tester told an industry publication in twenty twenty-four that they had to retire their UPS delivery driver pretext after being spotted at three different client sites in the same month. Guards rotate between facilities. They talk to each other. Someone says, "That same delivery guy was at my last building, and something felt off."
Corn
The tester's effectiveness has a shelf life. Every successful engagement burns a little bit of their cover for the next one.
Herman
It forces a weird question about whether this testing actually improves security long-term. The TSA's own data shows a pattern: after a Red Team test, checkpoint failure rates drop. Guards are more vigilant. Then, within months, the rates creep back up to where they were. It's a testing fatigue effect — people can't sustain that level of suspicion indefinitely.
Corn
You're spending money on tests that produce temporary improvements and occasionally get your testers arrested. At what point does this stop being security and start being theater?
Herman
That's the debate. Proponents say it's the only way to find real gaps — you can't audit human behavior with a checklist. Critics say it creates a culture of paranoia where guards assume every suspicious person is a tester, not a real threat, and that desensitization is worse than no testing at all.
Corn
Then there's the ethical boundary problem. The scope document says "no threatening behavior," but what counts as threatening? If a tester poses as a corporate spy and leans hard on a receptionist — raises their voice, implies consequences — is that testing the security or just traumatizing an employee?
Herman
It's happened. Firms have been sued. There was a case where a tester's aggressive social engineering left a receptionist in tears, and the client argued the tester had exceeded the scope. The firm's defense was that real criminals wouldn't be polite. Which is true, but it's also not a great argument when your employee is filing a complaint.
Corn
The tightrope we talked about earlier — authorized versus criminal — it's not just a legal line. It's an ethical one, and it moves depending on who's writing the scope document and how far the tester is willing to push.
Herman
The private sector handles this very differently from the TSA. A corporate client has a security director on speed dial, a safe word system, a pre-arranged escalation plan. The TSA's Red Team operates in a more adversarial framework — the testers are government employees testing another government agency. There's less room for a friendly phone call when things go wrong.
Corn
Which means the TSA's testers are playing a higher-stakes version of the same game. If a corporate tester gets arrested, the CEO's letter might eventually work. If a TSA Red Team operator gets jammed up, they're dealing with federal law enforcement and a bureaucracy that doesn't move fast.
Herman
That's the thing Daniel's question really gets at. Is this making us safer, or is it just an elaborate performance of safety? The answer seems to be: it depends on whether anyone acts on the results. The TSA's ninety five percent failure rate has been public for years. If the numbers haven't moved, what exactly are the tests accomplishing?
Herman
If you're an organization thinking about hiring one of these people — and I hope you're taking notes, because the mistakes are expensive — the first thing you need is an escalation plan that actually works. Not a safe word that sounds like spy fiction. A twenty-four seven contact who can physically show up at a police station. A pre-arranged signal that every guard knows. And a relationship with local law enforcement so the first time a patrol officer sees your get-out-of-jail letter isn't at two AM with your tester in handcuffs.
Corn
Rotate the testers. If your entire security audit depends on the same three people cycling through the same three personas, you're not testing your security. You're testing whether your guards have seen that specific UPS driver before.
Herman
The small-pool problem is real, and it's not hard to solve — you just have to acknowledge it exists. Which, from what I can tell, a lot of clients don't.
Corn
What about the individual side of this? Daniel's prompt was partly about the strange career path, but the underlying question applies to anyone. If these testers can walk through locked doors with nothing but a clipboard and a confident nod, what do you actually do about that in your own life?
Herman
The answer is uncomfortable because it's not about buying better locks. The most common vulnerabilities aren't technical. They're cognitive. Authority bias — someone in a uniform or a high-vis vest tells you they're supposed to be there, and your brain fills in the rest. Distraction — the crying child, the spilled coffee, the urgent phone call. These are the actual attack vectors.
Corn
The clipboard effect isn't a lockpicking trick. It's a human one. And the defense is embarrassingly simple: verify credentials. Actually look at the ID. Call the number on the work order instead of the number the person standing in front of you hands you.
Herman
It sounds obvious, but the reason these tests keep working is that most people won't do it. They don't want to be difficult. They don't want to be the person who slowed down the fire inspector. The social pressure to comply is stronger than the security policy telling you to verify.
Corn
Which is the bigger picture here. The TSA spends billions on scanners and body imagers, and the Red Team walks through with props that exploit a guard distracted by a screaming child. The technology is not the weakest link. The humans are. And the humans will keep being the weakest link until the training and the culture change.
Herman
A culture of skepticism, not paranoia. There's a difference. Paranoia is assuming everyone is a threat. Skepticism is verifying that the person who says they're supposed to be here actually is. One burns people out. The other is a skill you can train.
Corn
Physical pen testing is basically a mirror. It shows organizations what they actually protect versus what they think they protect. And what it usually shows is a lot of expensive hardware guarding against threats that don't require hardware to exploit.
Corn
Here's the question I keep coming back to. Voice cloning is getting cheap. AI-generated personas are getting convincing. Does that make the tester's job easier — because they can build deeper backstories — or harder, because defenders are going to start using the same tools to spot anomalies?
Herman
I think both, and that's what makes it interesting. Imagine a tester who can clone a client executive's voice and call the front desk to authorize a "surprise inspection." That's a terrifyingly effective pretext. But the same AI could flag that the caller's speech patterns don't match the executive's baseline. We're heading toward an arms race where both sides are automating deception and detection simultaneously.
Corn
Which makes the legal framework even more important, and right now it's patchy at best. Some white hat testers have been sued for exceeding scope — doing things the contract technically allowed but the client never imagined. Meanwhile, actual criminals are using the exact same techniques, and the only thing separating them from the professionals is a signed piece of paper.
Herman
The field needs clearer rules. What counts as reasonable pretext? Where's the line between testing human vulnerability and exploiting it? Right now those answers depend on which lawyer you ask, and that's not sustainable as the tools get more powerful.
Corn
The future of physical pen testing is going to be shaped less by lockpicks and clipboards and more by whoever figures out the legal and ethical boundaries first. Which is not where I thought this conversation would end up, but it feels right.
Herman
Now: Hilbert's daily fun fact.

Hilbert: The word "thermometer" entered English in the seventeen twenties, but the instrument itself traces back to a Faroese physician named Niels Ryberg Finsen, who — wait, no, that's wrong. The Faroe Islands had nothing to do with thermometers. I'm thinking of a different instrument entirely. The actual etymology: "thermometer" comes from the French "thermomètre," coined around sixteen twenty-four by a Jesuit mathematician who was trying to measure the temperature of a feverish patient and got the scale completely backwards.
Corn
...right.
Corn
Where does this leave us? Probably with the uncomfortable realization that the most expensive security system in the world is only as good as the person at the front desk who's too polite to ask for ID. If you want to hear more about the weird world of security testing, rate and review the show — and send us your weirdest prompts.
Herman
This has been My Weird Prompts. Thanks to our producer Hilbert Flumingtop. Find us at my weird prompts dot com.
Corn
I'm Corn.
Herman
I'm Herman Poppleberry. Go verify someone's credentials today.

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.