Every week, Sprocket CEO and Founder Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

He recently spoke with Brent White, Sr. Principal Security Consultant & Covert Entry Specialist at Dark Wolf Solutions. Here are the top takeaways from the interview.

#1: Attackers Target Corporate Offices During Peak Distraction Hours

“Typical corporate offices are the easiest hands down. Cultures are typically the same. People's attitudes are typically the same. They're at work, a lot of them might not want to be there or they're just ready to get home. They're thinking about, ‘I need to go pick up my kid from school,’ or ‘I've got this meeting.’

“And so they're very distracted and anything that slows that down is an inconvenience to them and they will avoid it altogether. So in saying that, if I am acting like I can't badge in and I'm in front of them, they're just gonna badge in and let me in too.

“Because it's the natural instinct to be nice and to help and they have stuff to do, like get out of their way, so in that kind of environment, I'd say maybe a day or two, it's pretty fast because it's kind of a rinse and repeat situation, unfortunately.”

Actionable Takeaway: Corporate employees naturally prioritize personal tasks over security vigilance. When people are mentally focused on their to-do lists, they'll badge you in rather than create friction that delays their day. Their natural helpfulness also becomes a vulnerability — they want to assist and move on quickly, making corporate environments surprisingly easy to penetrate.

#2: Consider Hybrid Covert-to-Educational Security Assessments

“Something that we offer that not a lot of people do is we'll do a hybrid. So we'll do the covert part first. We'll do our thing. We'll escalate until someone catches us because we want to give them a win. We don't want to just go beat them up and tell them their baby's ugly, all of that stuff. So we'll give them a chance. Sometimes it happens faster than other times. There have been times where I've literally done jumping jacks in front of a security camera at 3am or turned over a shredder bin and shaking it out on the floor in front of a camera trying to get a response. So we will start covert. We'll escalate. We'll make sure we're hitting all of our goals.

“When we're done, we have a meeting with the client. Here's what we did. And then we will do a walkthrough where we can say, here's how we'll actually teach them how to exploit these things so that if they want to get it fixed, they can try it on their own. Because, I mean, why not? And that does, if there's a building that's a bit more tough or some areas we avoided because we didn't want to get caught in that area, then we will walk through with the client at the end so that we can basically play around with really no consequence. A few times we've had clients request that it's overt or a guided walkthrough, as we call it, with no covert, just because they didn't want to ruffle feathers. There's a lot of politics involved, but we do offer both.”

Actionable Takeaway: When testing for vulnerabilities, start with stealth infiltration, then escalate visibility until security responds. Once caught, transition to educational walkthroughs where you teach clients how to exploit the vulnerabilities you discovered. This approach gives defenders a "win" while ensuring they understand how to fix problems, turning assessments into capability-building exercises.

#3: Build Technical Generalist Skills Beyond Physical Entry

“A lot of times, if you have military or law enforcement experience, that opens the door quite a bit. If that's not an option, work for a pentest company or a security company that offers covert entry. Or we've even given advice to people that they work at places that don't have that. So we're like, ‘Well, just start it. Offer that, talk to your manager or whatever, your team.’ And so they went from a place that didn't have that at all to now they're leading, providing that service offering. So there's that.

“Something else that I hear a lot too, are people like, ‘I'm really good at lying,’ and as I mentioned earlier, ‘I'm really good at just walking into a place. Can you hire me?’ Well, that's a good question. So once you're in, what are you going to do on their network? How are you going to compromise their network? ‘Well, I don't know.’ So it really helps to have network pen experience even more on the, what we would call, red team side, where you're exploiting, innovating, detection systems.

“That is, if you can do that and you can do the physical bypass, you have the personality where you can stay calm and you can blow smoke with someone. And just go off the cuff. Some people just can't do it. They get nervous, they don't know what to say. And that's the thing. People think, well, I can just walk into this building and now I can do covert entry. What are you going to do once you're inside the building? Once you talk to people, there's a lot of stuff that goes into it. So if you can, become a generalist.”

Actionable Takeaway: Physical access means nothing without network penetration abilities. Many aspiring covert entry specialists think smooth talking guarantees success, but they can't answer what happens after infiltration. Real expertise requires red team skills, composure under pressure, and the ability to improvise during social interactions. Develop capabilities across the complete attack chain, not just door bypasses.
