Penetration Testing March 2, 2026 • By Red Obsidian Security

Tailgating: The Physical Attack That Bypasses Every Badge System

The Coffee Tray Works Almost Every Time

Walk up to a corporate side door behind an employee, a coffee tray in one hand, a messenger bag slung over your shoulder, and a lanyard that looks enough like theirs from a distance. Say "thanks, got it" as they hold the door open. You are in. No badge scanned, no log entry, no alert. You just defeated a hundred-thousand-dollar access control system with a five-dollar prop.

This is tailgating, and it is the single most common technique used in physical penetration tests. Not because it is clever. Because it works.

Why Your Badge System Is Not the Problem

The badge system is doing exactly what it was designed to do — authenticate and log. The problem is not the reader at the door. The problem is that the door has to open for authenticated users, and once it is open, it does not care who walks through.

There are three variants of tailgating we see repeatedly during assessments.

Pure tailgating. The attacker walks in directly behind an employee who has badged in, before the door closes. No interaction required. The employee often never even looks back.

Piggybacking. The attacker asks the employee to hold the door, usually while appearing to be carrying something. Coffee trays, stacks of binders, and laptops are the classic props. A conversational greeting ("hey, thanks — you guys been busy today?") disarms the social awkwardness.

Credential display. The attacker wears a lanyard with a badge that looks legitimate from six feet away. The real badge is usually from a previous job, a conference, or a print shop. At a glance, the employee registers "badge" and moves on.

The Employees You Think Are Your Strongest Are Often Your Weakest

There is a pattern we see in almost every engagement. Entry-level employees tend to be suspicious of strangers and will challenge someone they do not recognize. Senior employees — directors, VPs, senior engineers — are significantly more likely to hold the door without a second look. They are busy. They do not want to seem rude. They assume anyone inside the badged perimeter belongs there. They are also the ones with access to the most sensitive areas once you are inside.

The training gap is the inverse of the trust gap. The people with the most access get the least security awareness repetition, and it shows.

What Actually Works to Stop It

Signs that say "do not tailgate" do not stop tailgating. They make employees feel vaguely guilty while they continue to hold the door. Effective countermeasures fall into three categories.

Physical. Mantrap entries, turnstiles, or badge-controlled revolving doors make tailgating physically difficult. These are expensive but bulletproof for sensitive facilities.

Behavioral. A culture where it is normal and expected to ask "sorry, who are you here to see?" is more effective than any technology. This requires training, repetition, and leadership visibly doing it themselves. When the CEO challenges strangers at the door, everyone else will too. When the CEO does not, nobody will.

Detection. Anti-tailgating sensors at high-value doors — IR or video-analytics based — can trigger alerts when two people pass on one badge swipe. These are not gatekeepers; they are tripwires. Pair them with a real response protocol.
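
The tripwire logic described above, as an added example that is not Red Obsidian's code or any vendor's product: it pairs badge grants with people-counter passages per door and flags every passage that no grant accounts for. The log format, door names, badge numbers and the 8-second window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the line format and door names are assumptions.
# "grant" = controller accepted a badge; "pass" = door sensor counted one person.
SAMPLE_LOG = """\
2026-03-02T08:01:10 side-door-2 grant badge=1041
2026-03-02T08:01:13 side-door-2 pass
2026-03-02T08:01:15 side-door-2 pass
2026-03-02T08:04:40 lobby grant badge=2210
2026-03-02T08:04:41 lobby grant badge=2207
2026-03-02T08:04:44 lobby pass
2026-03-02T08:04:46 lobby pass
2026-03-02T08:09:02 side-door-2 grant badge=1377
2026-03-02T08:09:30 side-door-2 pass
"""

def parse(log):
    """Return (timestamp, door, kind, badge_or_None) tuples in time order."""
    events = []
    for line in log.splitlines():
        ts, door, kind, *rest = line.split()
        badge = rest[0].split("=", 1)[1] if rest else None
        events.append((datetime.fromisoformat(ts), door, kind, badge))
    return sorted(events, key=lambda e: e[0])

def find_unbadged_passages(log, window_s=8):
    """Each grant authorizes one passage within window_s seconds; extras are alerts."""
    window = timedelta(seconds=window_s)
    open_grants = defaultdict(deque)   # door -> timestamps of unused grants
    last_badge = {}                    # door -> badge of the most recent grant
    alerts = []
    for ts, door, kind, badge in parse(log):
        if kind == "grant":
            open_grants[door].append(ts)
            last_badge[door] = badge
            continue
        q = open_grants[door]          # any non-grant event is a counted passage
        while q and ts - q[0] > window:    # expire grants that went unused
            q.popleft()
        if q:
            q.popleft()                    # this passage is covered by a grant
        else:                              # second person on one swipe, or held door
            alerts.append({"time": ts.isoformat(), "door": door,
                           "preceding_badge": last_badge.get(door)})
    return alerts
```

The `preceding_badge` field names the employee to follow up with, since the door opened on their swipe.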

How We Test This

A physical penetration test exercises tailgating as one of several entry techniques. We document which doors are bypassable, by what method, at what time of day, and against what categories of employees. The deliverable is not "we got in." It is a written analysis showing where the gaps are, who is most vulnerable, and what specific changes — hardware, policy, training — close each one.

Red Obsidian Security conducts physical penetration testing for businesses in Sioux Falls and the surrounding region. If you have never had one done, the results will be uncomfortable. That is the point — better uncomfortable now than compromised later. Call (605) 223-8100.
