"Tools do not make you effective. They amplify what you already are. If your tradecraft is sloppy, your tools just help you fail faster and louder."
People love to talk about tools like that is the job. The number of "What's in the bag?" talks in the industry keeps growing, but it is like flavors of ice cream. Like if you just buy the right kit, suddenly you are operating at a high level. That is not how this works. If your mindset is solid, your tools just make things easier, quieter, and more efficient. Tools should be quality and not some cut-your-hand style lock picks like we have seen on those creative business cards. Those are cool, but not something you would necessarily want to use during a professional assessment.
So let us be clear. This is not a complete list of every bypass device out there. It is a list of the tools that we personally go to time and time again to exploit the vulnerabilities we commonly face when conducting a covert entry or red team style assessment. Again, if this is an ice cream preference, we like rolling with Neapolitan. There are people who specialize purely in physical security only. However, we go way deeper than that. Many of our other services, such as network penetration, Wi-Fi assessments, and related work, are often within the scope of red team penetration testing, and this is where you will often find covert entry specialists. We get asked this a lot at conferences. You have to be able to compromise the logical side of things too, such as physical systems, networks, network drops, payloads, and electronic badge implants.
This is what actually gets used. The stuff that survives real engagements, where physical access, social engineering, surveillance, and technical tradecraft can all overlap at the same time. Before you start filling your cart with Covert Instruments tools, it is important to say that if you do not know how to use the gear, do not carry it. You are not helping. You are creating risk for yourself, your team, and your client. Practice with it first. You should never be figuring out how to use something while in a production environment, client building, or live assessment.
Have authorization. Stay in scope. Do not test in production. Do not be reckless.
Reality Check... It's Rarely Clean
Everyone imagines red team work like a controlled operation. Clean recon. Clear objectives. A plan that unfolds exactly the way it is supposed to. Sure, sometimes you get that, but the truth is that a lot of times you do not. These assessments are not always static. They are dynamic and require dynamic thinking.
So you show up and you observe. If you have the luxury, get there early. Sit somewhere you are not noticed and just watch how the environment breathes during and after business hours.
What is the dress culture? Are smoke breaks still a thing? How are people wearing badges, and what does that tailgating or piggyback policy really look like in the everyday grind of routine? You are not just identifying vulnerabilities. You are also learning what normal looks like so you can step into that pattern of life without friction.
Here is the part people ignore until it burns them. The more you carry, the more you stand out.
We have watched people walk into target environments looking like a walking gear catalog and straight out of a summer of hacker conferences. DEF CON shirts, black hoodies, big tactical bags, cables hanging out, antennas poking out the sides, patches and pins everywhere. You might as well announce yourself. Unless you are really trying to test incident response, leave the well-decorated conference bag at home. Otherwise, your onsite assessment bag should be the most boring thing ever if your goal is to blend in and be forgettable.
You Are the First Tool
Before any gear, there is you. Your posture. Your pace. Your confidence. Your ability to exist in a space without drawing attention. If you look out of place, you are going to get burned quickly.
The Grey Man theory is legit, and it is important to carry a neutral bag. Nothing flashy. No stickers, no patches, no hacker identity. You are not there to represent a brand. You are there to blend in as much as possible. To be so boring that no one remembers you at all.
Dress for the environment, not your personality.
Construction site? You better look like you have been there all week.
Corporate office? You should look like IT, facilities, or somebody nobody questions.
A simple sling bag or worn laptop case will get you further than anything that looks tactical.
For example, we worked an engagement where access did not start at the door. It started in the parking lot at a food truck. Employees rotating through the line at lunch time, along with construction work happening next door, created the perfect storm for us. Tim stood in line wearing a high-vis vest and a hard hat, armed with our Covert Clipboard badge cloner. Because we were so close to so many badges, Tim staged a scene by spilling his drink. Nothing dramatic, but just enough to create a moment where we could exploit the good nature in people who just wanted to help. While helping Tim clean up the mess, the well-hidden proximity badge cloner went to work.
The tool mattered. The setup and improv mattered more.
What Actually Ends Up in the Bag
There is always this temptation to overpack. However, when you are actually walking into the target environment, that is how you slow yourself down and make mistakes. It is okay to bring the whole kit for the "just in case." Truthfully, when traveling, sometimes we will bring a couple of Pelican cases full of gear, especially if there are a lot of unknowns. It is better to have it and not need it, but we leave it secured elsewhere. We do not carry it all through the door during the assessment. Through reconnaissance and experience, we assess what we might need and leave the rest.
A solid toolkit, or load out, is not about quantity. It is about coverage and what you know you will likely encounter. Again, that comes from experience, and here we are filling in the gap for you by sharing our homework.
Bypass and Entry
This is your quiet access capability.
Canned Air
Canned air is the MVP of a lot of our toolkits against several poorly placed and misconfigured Request-to-Exit sensors. We will also keep a couple of hand warmers in our bags in case temperature fluctuation is part of the REX.
We are not just saying this because of the brand. We use this tool because it saves so much space and time. It covers a lot of the just in case situations, as well as the common bypass techniques, in a small and easily concealable fold-away tool.
Access control key sets, default cabinet keys, and similar keys still come up more often than people want to admit.
Under-the-Door and Over-the-Door tools are classics. Covert Instruments improved that concept with the Reach Around. Over-the-Door tools come in a lot of styles, but we still use film and friction spray.
We often run into tubular locks on shredder bins and other items. This tool makes quick work of those locks.
Foldable Loid Entry
This helps get around strike plates where latch slipping may be possible.
Crash Bar Tool
For big gaps and crash bars, this earns its place. It fits neatly into a bag.
We often obtain access to physical keys through various means, so this helps us quickly create a working clone.
We encounter thumb locks at the bottom and top of a lot of cloudy glass suite doors. Deadbolts galore.
This helps with a lot of gaps and with displacing security plungers.
It fits in your pocket like a pen and is a bit more discrete than a hammer.
Brent's favorite. This helps open doors with improperly configured security plungers and can be cut to size to fit in things such as Brent's Covert Entry Wallet.
These tools do not kick doors open. They let you move through things that were never meant to stop someone who knows what they are doing.
We had a facility that was extremely proud of its badge access system. Controlled entry points, logging, cameras everywhere. On paper, it looked solid. In reality, the cleaning crew had an override they used on cleaning days, and that was the same default key to the access control panel. No alarms. No escalation. Just understanding how the system was actually used instead of how it was designed.
Badge Cloning and Skimming
RFID and NFC Badge Cloners
The Flipper is very popular for several reasons, but we often carry the iCopy-X because it is capable of more than low-frequency badge cloning. We also have some custom antennas that extend the range that we use.
Badge Skimmers
If we are unable to plant something like a BLE or ESP key into legitimate badge readers, we will often use a fake housing unit like the Doppleganger. This is especially great for PIN and badge authentication.
Blank Badges and Lanyards
Even if we have not cloned a badge yet, we still need to visually replicate one. We do not always know what color lanyards are in use until our onsite reconnaissance. So we travel with as many variations as possible. Once we have a clear enough picture to see the badge design, we will head back to the hotel, fire up a good image editor, and create our own badges as close to the original design as possible.
You are not trying to "hack" a badge. You are trying to capture badge data without interrupting behavior and prove where the badge system is not encrypted. That is the difference.
People do not expect to be scanned when they are holding a door, grabbing lunch, or talking to someone who looks like they belong. We have captured credentials standing shoulder to shoulder in a line. We have captured credentials during casual conversations. We have captured credentials during moments when the target was focused on something else entirely.
The smaller and more natural your setup, the more effective it becomes.
If it looks like a tool, it is already a problem.
Tech and Malicious Drops
Laptop and Hard-Drive to USB
Depending on the scope of the assessment, we may carry a laptop with dual-band antennas and network cables. We will also keep a converter to read printer hard drives as external USB drives.
USB Payloads
We will often have custom payloads. If you do not have the luxury of custom payloads and devices, the Hak5 Bash Bunny is typically pretty handy in these circumstances, along with bootable USB and SD media.
Hardware Keyloggers
Use keyloggers that sit between the keyboard and system, whether the setup is wireless or wired. Hardware keyloggers have less chance of tripping AV.
Network Implants
Drop boxes, rogue wireless access points, and similar implants are especially handy when the target leaves DHCP enabled on the unsegmented conference wireless network.
Surveillance Drops
If surveillance is part of the Rules of Engagement, we may also use something like a USB audio recorder or modified micro nanny cams in something like a smoke detector. Anything that allows us to plant the device in the area that is most beneficial for the assessment, while still staying within legal limitations.
This is where physical access turns into long-term impact. You do not always get time. Sometimes you have got five minutes, and sometimes it is less than that.
We had an engagement where physical access lasted under ten minutes total. In that time, a device was placed, configured, and left behind. That device lived there for days, collecting data and expanding our access to a command and control system that we had hardened and deployed. The operator left. The operation did not.
We would also be remiss if we did not say that the goal is not to play got ya with the client. The goal is to think like a real-world threat, and not all criminals are petty thieves. Some range from burglary to espionage. It is important that when conducting threat services like these, and when being questioned about tools, we remind clients that these techniques have been around for years and are only getting more honed and more recognized with age. Security awareness and security testing should be doing the same.
Recon and Visibility
Smartphone
With newer phones such as the Google Pixel, Samsung Galaxy, and iPhone, the zoom is a lot better than people think, and a lot cheaper than an expensive camera and lens. You should also invest in a compatible snake camera that plugs into your phone so you can see beneath or around the target barrier.
Low-Lumen Magnet Flashlight
There are some great rechargeable keychain magnet lights that Tim carries. We will also use red LED lights on headbands, wristbands, gloves, and similar gear when operating in low-light environments.
Multi-Band Radio
We can use these to snoop on unencrypted radio chatter throughout the reconnaissance phase and the assessment.
The Stuff That Quietly Saves You
This is the category nobody talks about until they need it.
Cables β A, B, micro, OTG, and whatever else you need. Storage media. Backup batteries. An earpiece for team coordination. A multi-tool. Mechanics gloves. Solid, quiet footwear.
You do not want to be halfway through an operation and realize you are missing something basic. That is not a gear failure. That is a plan failure.
Travel Without Shooting Yourself in the Foot
Flying with tools adds friction. Print TSA guidelines. Expect inconsistency. Some agents know exactly what they are looking at. Others do not. Have a fallback plan. Prepaid shipping is a lifesaver. And if you do not want the conversation, check the bag. There is nothing worse than losing capability before you even step onsite.
Legal Reality... Don't Ignore This
Tools do not mean the same thing everywhere. Some states do not care. Others absolutely do. Places like Mississippi, Nevada, Ohio, Virginia, and especially Tennessee can treat possession of certain tools as intent depending on context. That matters. Because even if you are authorized, you still might have to explain yourself to someone who does not understand what you do. Know the laws where you are operating. Make sure you have a hard copy of your Rules of Engagement and signed Letters of Authorization.
Final Thoughts
The best operators do not carry the most tools. They carry what they need based on what they have observed, and they adjust in real time. They do not force entry when they can walk through it with a smile or a couple cups of coffee. They do not escalate when they can blend in. They do not rely on tools when behavior will get them further. And when they do use tools, it is controlled, intentional, and usually as covert as possible β aka "Invisible" Harry Potter.
A covert entry or red team toolkit is not something you show off. It is not about having the biggest bag, the best "Cat Eyes," or the coolest gear. It is about being effective without being remembered. Light enough to move. Quiet enough to GTFO. Capable enough to matter. Because the real objective is not just getting in. It is proving you did, leaving without anyone noticing you were ever there, and helping clients to see their blind spots.



Share:
Access Log 001: The Rooftop
Access Log 003: Keyloggers and Coffee