Non-Lawyer's Summary
Physical penetration testing and red team operations are the most legally dangerous work in the security industry because the gap between "authorized" and "arrested" is a single ambiguous contract clause. Every physical attack vector — tailgating, lock picking, badge cloning, device implants, dumpster diving, drone recon — maps to at least one criminal statute at the federal or state level, and courts have ruled that a client's verbal authorization is legally worthless. The 2019 Coalfire/Iowa courthouse arrests proved that even a written letter signed by the contracting organization is not enough when the letter fails to specify the exact physical locations in scope and the police cannot reach a 24/7 verification contact.
What This Module Answers Fast
- I have a signed scope-of-work that says "physical testing" — can I pick the lock on the server room door? → Only if the SOW explicitly names that door's physical location. "Physical testing" without a location list is legally insufficient.
- My client verbally told me I could tailgate through the lobby — am I covered? → No. Verbal authorization has been rejected by every court that has examined it. You have no defense.
- I left a Raspberry Pi on the network during an engagement — is that wiretapping? → If it captures live network traffic, yes. 18 U.S.C. § 2511 applies regardless of client authorization unless the intercept falls within a statutory exception.
- Police detained me during an engagement and my letter didn't work — what happened? → Welcome to the Coalfire problem. The letter was either (a) not specific enough, (b) the verification contact did not answer, or (c) the letter was signed by someone without C-level authority. All three have caused actual arrests.
- I used a drone to photograph the building perimeter — is that legal? → Commercial drone operation without an FAA Part 107 certificate is a federal violation. Twelve states additionally criminalize drone overflights of critical infrastructure. CFAA may also apply if you captured wireless network probe traffic during the flight.
Section 1 — Two Names, One Courtroom: The Legal Difference Between a Pentest and a Red Team
Just before the engagement began, the tester reviewed the contract one more time. It said "physical testing." Two words. No addresses, no technique list, no emergency contact number that would actually be answered at 1 AM. It looked fine. It would not be fine.
The security industry uses the terms "penetration test" and "red team" interchangeably. Defense attorneys and prosecutors do not.
A penetration test is a scoped, time-boxed exercise with pre-agreed target locations, attack vectors, and escalation paths. The deliverable is a findings report. The legal framework must be tight because the scope defines what is authorized.
A red team operation is adversary simulation against a broader objective (e.g., "exfiltrate employee records") with covert methodology, no advance notice to defenders, and attacker discretion on technique selection. The legal surface area is larger because the team chooses attack paths as they are discovered.
Why This Distinction Matters Legally
A penetration test contract that specifies "Building A server room, network closet 3B, and reception kiosk" creates a defensible authorization perimeter. If the tester enters Building B because the door was unlocked, that entry is unauthorized regardless of the client relationship — criminal trespass and potentially CFAA § 1030(a)(3) apply.
A red team contract that authorizes "all facilities at 123 Main St and 456 Oak Ave" is broader but must still enumerate the specific addresses. Courts applying trespass doctrine look at whether the possessor of the premises consented to entry. A contract signed by the corporate CISO does not automatically constitute consent from the building's property management company if the property is leased.
Rules of Engagement Must Specify
- Physical addresses of every building and floor in scope, not just company names
- Attack vectors explicitly permitted: lockpicking, tailgating, RFID cloning, dumpster diving, device implants, drone recon — list each one or it is not authorized
- Prohibited methods if any (e.g., no social engineering of executives)
- Time windows for physical operations (after-hours vs. business hours)
- Escalation authority: the named individual with 24/7 availability who can confirm the engagement to law enforcement
- Law enforcement notification language: whether local police have been pre-notified (best practice, not legally required but practically essential)
Why Verbal Authorization Is Catastrophic
The tester got the call. "Go ahead," the CISO said. Confident. Casual. Legally meaningless.
18 U.S.C. § 1030 does not recognize verbal authorization as a defense. State trespass statutes require the defendant to prove consent was actually given by the person with authority to give it. In a criminal proceeding, "my client told me I could" is inadmissible hearsay unless supported by a written record. The burden of proof on authorization falls on the defendant in most trespass and CFAA contexts once the government establishes unauthorized presence. Verbal instructions cannot be authenticated, cannot be produced at trial, and create no legal record.
Section 2 — The Statutes That Never Sleep: Federal Trespass and Computer Access Law
Every lock picked, every badge cloned, every cable silently tapped — a federal statute saw it.
18 U.S.C. § 1030(a)(3) — Government Computer Trespass
Section 1030(a)(3) criminalizes intentionally accessing "a computer of a department or agency of the United States" without authorization, or exceeding authorized access, when the computer is not publicly accessible. The statute requires no damage and no intent to harm — mere unauthorized access is sufficient. Maximum sentence: 1 year for first offense, 10 years for second offense.
Physical pen testers need this statute because government contractors frequently engage red teams to test facilities that include federal systems, SCIF-adjacent networks, or agency-leased buildings. If a tester walks into a federal contractor's server room that contains classified systems and touches a terminal, § 1030(a)(3) exposure exists even if the contractor authorized the visit, because the contractor cannot authorize access to federal government systems.
18 U.S.C. § 1036 — Entry by False Pretenses to Any Real Property
Section 1036 is underused in prosecutions but directly applicable to social engineering operations. It prohibits entry into "any real property" belonging to the United States by "any false pretense, fraud, or deceit." Maximum sentence: 6 months (general) or 10 years (if entry into secure government facility).
For private-sector red teams, § 1036 is less commonly charged, but it establishes the federal precedent for the wire fraud theory discussed in Section 5. Any impersonation of a federal vendor, GSA contractor, or federal employee to gain physical access to government property is a § 1036 violation regardless of whether computer systems are touched.
18 U.S.C. § 2701 — Stored Communications Act: Unlawful Access
The Stored Communications Act prohibits intentionally accessing "a facility through which an electronic communication service is provided" without authorization to obtain, alter, or prevent authorized access to stored communications. Maximum sentence: 1 year (first offense), 2 years (if for commercial advantage or malicious damage), 5 years if aggravated.
The physical pen test application: accessing network-attached storage devices, email servers, or voicemail systems during a physical engagement creates SCA exposure if the access is not explicitly authorized. Courts have held that physical access to the building does not imply authorization to access communication services running on the network. A tester who uses a LAN tap to capture stored messages in transit may face both § 2701 (stored communications) and § 2511 (wiretapping) charges simultaneously.
Section 3 — State Law Won't Let You Off Easy: California, Texas, and New York
Federal prosecutors might not show up. Local police always do. And state law is waiting.
State criminal trespass law applies in virtually every physical pen test scenario because the tester is physically present in the state. Federal prosecution is not guaranteed; state prosecution is highly likely when local police make the arrest.
California — Penal Code § 602
California's trespass statute, Penal Code § 602, is a catchall provision covering approximately 30 distinct acts. The relevant subsections for pen testers:
- § 602(m): entering lands for any purpose without the landowner's permission
- § 602(o): refusing to leave commercial property after being asked
- § 602(n): entering posted property
The critical California nuance: trespass under § 602 is an infraction or misdemeanor depending on the subsection. However, it escalates to burglary under § 459 if the trespasser entered with the intent to commit theft or any felony inside. The intent is evaluated at the moment of entry. A red teamer who enters a building intending to steal credentials (even on a screen) may face burglary, not mere trespass, depending on prosecutorial theory. Burglary in the first degree (residential) carries 2-6 years; second degree (commercial) carries 16 months to 3 years.
California has no specific statute criminalizing lock-pick possession. Picks are not listed as burglary tools under § 466 unless combined with circumstantial evidence of burglary intent. Carrying picks alone is not a crime in California.
Texas — Penal Code § 30.05
Texas Criminal Trespass under § 30.05 requires notice that entry was forbidden. Notice can be oral, written, or via fencing or posted signs. Entry after notice is a Class B misdemeanor (180 days, $2,000 fine) escalating to a Class A misdemeanor if committed with a deadly weapon, or a state jail felony if committed in a critical infrastructure facility.
Texas § 30.05(b)(2)(C) specifically defines critical infrastructure as including water treatment, electrical utilities, gas, petroleum, and telecommunications. A red team operation against a utility company in Texas creates state jail felony exposure (180 days to 2 years) even for a first offense if any portion of the facility is critical infrastructure.
Texas and lockpicks: Texas Penal Code § 16.01 criminalizes possession of a "criminal instrument" — defined as anything designed or adapted for use in committing an offense. Lockpicks are not per se criminal, but § 16.01(a)(1) makes it a Class A misdemeanor to possess them "with intent to use in the commission of an offense." Police in Texas frequently charge § 16.01 against pen testers found with picks during or after an engagement gone wrong. Documenting the authorization in writing is not a statutory defense to § 16.01 if the authorization document itself is ambiguous.
New York — Penal Law §§ 140.05–140.35
New York's trespass scheme is graduated:
- § 140.05 Trespass: knowingly entering or remaining unlawfully in or upon premises — violation (no jail)
- § 140.10 Criminal Trespass in the Third Degree: entering or remaining unlawfully in a building — Class B misdemeanor (3 months)
- § 140.15 Criminal Trespass in the Second Degree: entering or remaining unlawfully in a dwelling — Class A misdemeanor (1 year)
- § 140.17 Criminal Trespass in the First Degree: entering a building with explosives or a firearm — Class D felony (7 years)
- § 140.20 Burglary in the Third Degree: unlawfully entering a building with intent to commit a crime therein — Class D felony (7 years)
- § 140.25 Burglary in the Second Degree: entering a dwelling with intent to commit a crime, or with a dangerous instrument — Class C felony (15 years)
- § 140.35 Possession of Burglar's Tools: possession of tools adapted, designed, or commonly used for breaking into buildings, with intent to use — Class A misdemeanor (1 year)
New York Penal Law § 140.35 is the most directly dangerous statute for physical pen testers in the state. Lock picks, bump keys, bypass shims, and RFID readers are all items that have been charged under this provision. Unlike California, New York's intent standard requires only that the possessor intend to use the tools for breaking and entering — it does not require that a specific crime have been planned. Possession during an active engagement, combined with a defective authorization letter, has supported § 140.35 charges.
Section 4 — The Gray Zone in Your Pocket: Lockpick Legal Status, State by State
They're tools. They're also evidence. Which one they become depends entirely on what happens next.
Lock picks occupy a legal gray zone in nearly every U.S. jurisdiction. The controlling question in every state is intent at the time of possession, not the picks themselves.
| State | Statute | Rule | Notes |
|---|---|---|---|
| California | No specific law | Possession alone legal | Risk only if § 466 burglary tools argument is made with other evidence |
| Texas | Penal Code § 16.01 | Criminal if intent to commit offense | Possession during failed engagement = high-risk charge |
| New York | Penal Law § 140.35 | Criminal with intent to break and enter | Most prosecutorial-friendly statute in the country |
| Florida | § 810.06 | Possession of burglary tools with intent | Felony of the third degree (5 years) — one of the harshest |
| Illinois | 720 ILCS 5/19-2 | Possession with intent to enter | Class 4 felony (1-3 years) |
| Virginia | § 18.2-94 | Possession with intent to break and enter | Class 5 felony (10 years maximum) |
| Ohio | § 2923.24 | Possession of criminal tools with purpose to commit offense | Felony of the fifth degree |
Carrying Picks During an Engagement: authorization letters do not create a statutory exception to state burglar's tools laws because those laws predicate on intent, not on contract rights. A tester who carries picks into a facility should carry documentation that would allow law enforcement to verify the authorization before arrest escalates. Pre-notification of local police by the client, coordinated before the engagement begins, is the only reliable mitigation.
The Intent Test Under Engagement: some defense attorneys have argued that during an authorized engagement, the tester's "intent" is to test security, not to commit burglary, and therefore burglar's tools statutes are inapplicable. No appellate court has squarely ruled on this defense in the pen test context. It remains untested and should not be relied upon.
Section 5 — Wearing Another Face: Tailgating, Impersonation, and the Wire Fraud Trap
"I'm from Cisco," he said, smiling. He had a badge. He had a story. What he didn't have was authorization to say that — and the statute doesn't grade on charm.
Wire Fraud — 18 U.S.C. § 1343
Wire fraud requires: (1) a scheme to defraud, (2) use of wire communications, (3) in furtherance of the scheme. The element most relevant to physical pen testers is that the statute has been interpreted to cover fraudulent representations made orally during an in-person interaction if the scheme involves any wire communication — which includes the electronic building access log generated when a badge is scanned, the radio frequency communication of an RFID reader, and VoIP calls placed to reception desks.
Impersonating an IT vendor to gain access — "I'm from Cisco, here to check the router" — satisfies the "scheme to defraud" element if the statement causes the victim to act against their interests (granting access they would not otherwise grant). Maximum sentence: 20 years.
Red team contracts must explicitly authorize specific impersonation scenarios. Generic authorization for "social engineering" does not provide a wire fraud defense because the statute does not carve out authorized testing. The government must prove criminal intent, and a written contract explicitly authorizing the impersonation scenario is the primary evidence of non-criminal intent.
False Personation of Federal Officer — 18 U.S.C. § 912
Section 912 prohibits impersonating a federal officer, agent, or employee with the intent to deceive. Maximum sentence: 3 years.
Physical pen testers who impersonate federal auditors, OSHA inspectors, FBI agents, or GSA representatives to gain building access are exposed under § 912 regardless of client authorization. Client authorization cannot authorize the impersonation of a federal officer — that is a federal crime that the target organization has no authority to waive. The word "federal" in the impersonation is the line: impersonating an internal IT employee is wire fraud territory; impersonating a federal agent is § 912 territory, and no engagement letter cures it.
State Impersonation Statutes
Most states criminalize impersonation of state officials separately from wire fraud. California Penal Code § 146a criminalizes impersonating a public officer. Texas Penal Code § 37.11 is a Class A misdemeanor escalating to a felony if the impersonation causes bodily injury. New York Penal Law § 190.25 criminalizes criminal impersonation in the second degree (Class A misdemeanor) and § 190.26 criminal impersonation in the first degree (Class E felony) when the impersonation of a police officer is involved.
Section 6 — The Device That Kept Running After You Left
The engagement ended. The tester packed up and drove home. Somewhere in a network closet, a Raspberry Pi was still listening. The authorization had expired. The statute had not.
Hardware implants left during physical pen tests — keystroke loggers, Raspberry Pi network nodes, LAN taps, rogue access points — create the highest statutory exposure of any physical attack vector because they continue operating after the tester has left the premises, and their continued operation may fall outside the temporal scope of the authorization.
CFAA § 1030(a)(5) — Intentional Damage
Section 1030(a)(5) criminalizes knowingly causing the transmission of a program, information, code, or command, and intentionally causing damage without authorization to a protected computer. A Raspberry Pi running a keylogger that captures authentication credentials and exfiltrates them across the network transmits "information" and may cause "damage" under the statute's definition (impairment of integrity or availability of data). Even if the client authorized the implant, the statute requires the authorization to be specific — "deploy network monitoring devices" is insufficient if the implant exfiltrates data outside the authorized window.
Maximum sentence: 10 years for damage to a protected computer; 20 years for critical infrastructure damage.
Wiretap Act — 18 U.S.C. § 2511
Section 2511 prohibits the intentional interception of any wire, oral, or electronic communication. LAN taps, passive network captures, and wireless packet sniffers that intercept communications in transit — as opposed to stored communications covered by the SCA — are wiretapping devices under this statute.
The statutory exceptions relevant to pen testers:
- Provider exception (§ 2511(2)(a)(i)): interception by the provider of the service for the purpose of protecting rights and property. A pen tester is not the provider.
- Consent exception (§ 2511(2)(d)): interception is lawful when a party to the communication has given prior consent. Client consent covers communications where the client is a party, but does not cover third-party communications flowing through the network (e.g., a VoIP call between two employees where neither has consented individually).
The practical consequence: a LAN tap authorized by the client CTO is legal as to company traffic where the company is the service provider or a party, but may be illegal as to personal communications of employees (personal email, personal phone calls through work VoIP) where neither the company nor the tester is a consenting party. The authorization letter must specifically address network interception and should include a notice-to-employees clause to reduce § 2511 exposure.
Maximum sentence: 5 years.
Section 7 — The Paper That Couldn't Save Them: Authorization Letters and What Courts Actually Require
Every physical pen tester carries a letter. Most of those letters are inadequate. The Coalfire case proved it with handcuffs.
The "authorization letter" or "get-out-of-jail letter" is the single most important document in any physical pen test engagement. It is also the most frequently drafted incorrectly.
What the Letter Must Contain
Based on post-incident analysis of the Coalfire Iowa case, the Rendelman decision, and documented police interactions from other engagements:
- Signatory authority: signed by the CEO, General Counsel, or Board-authorized CISO — not by a security manager or IT director. Police and prosecutors look at whether the signer had legal authority to authorize the waiver of property rights.
- Physical address specificity: every building, floor, and room in scope must be listed by street address and suite number. "All facilities at ABC Corp" is insufficient.
- Attack vector authorization: explicitly list each permitted technique: lockpicking, bypass tools, tailgating, RFID cloning, photography, drone overflights, device implants, dumpster access. Omitted vectors are not authorized.
- Time window: exact dates and times the authorization is valid.
- Tester identification: full legal name and government ID number (driver's license or passport number) of each team member, plus a photo if possible.
- 24/7 emergency contact: named individual (not a role, a named human) with a phone number that is answered at any hour. This person must be able to immediately confirm the engagement to police. If they are unavailable or take more than 60 seconds to confirm, you will be handcuffed while they decide.
- Law enforcement pre-notification: whether local police have been pre-briefed (strongly recommended). Include the name of the police department contact and case number if a pre-notification report was filed.
- Client letterhead and wet or digital signature: letters printed from a personal email account are functionally useless at 2 AM. Official letterhead with verifiable contact information is required.
A Letter Wasn't Enough — United States v. Rendelman, 641 F.3d 36 (4th Cir. 2011)
He had the letter. He had the contract. He had authorization from his client. And he was still convicted.
Rendelman was a security consultant hired to test physical security at a bank. He entered the bank after hours, accessed server rooms, and was arrested for burglary. He argued authorization as a defense. The Fourth Circuit held that the authorization must be from the specific property possessor — the bank's lease gave the client the right to use the premises but not necessarily the right to authorize criminal trespass in the legal sense. The letter was present. The conviction was still affirmed on other grounds.
The lesson from Rendelman: authorization from a corporate client does not automatically constitute authorization from every legal possessor of the premises. If the building is leased, the landlord may need to separately authorize entry. If the building is shared, co-tenants may have separate trespass rights.
The Night in Iowa — Coalfire vs. Linn County (2019)
At approximately 1 AM on a Tuesday, two professional security researchers stood handcuffed in a county courthouse hallway. They had a letter. The police weren't impressed.
In September 2019, two Coalfire security consultants — Gary De Mercurio and Justin Wynn — were hired by the Iowa State Court Administration (ISCA) to conduct a physical penetration test of courthouse facilities. They had a signed authorization letter from the ISCA. At approximately 1 AM, they were arrested by Linn County Sheriff's deputies after tripping a courthouse alarm. They were charged with burglary and possession of burglary tools.
The charges were not immediately dismissed despite the existence of the authorization letter. The consultants spent a night in jail. The charges were eventually dropped after two months of legal proceedings — during which they were required to retain criminal defense counsel and appear in court.
What went wrong:
- The letter was signed by the ISCA, but the Linn County Sheriff's Office had not been pre-notified and did not recognize the ISCA's authority to authorize after-hours courthouse entry
- The emergency contact at ISCA was not reachable at 1 AM
- The Linn County Attorney initially took the position that the ISCA did not have authority to authorize entry to county-operated buildings — a jurisdictional dispute between state and county entities
- Possession of bypass tools (picks and bypass cards) triggered the burglary tools charge independent of the trespass charge
The Coalfire case is the clearest documented proof that an authorization letter is necessary but not sufficient. Pre-coordination with local law enforcement is the only reliable mitigation for after-hours physical operations.
Section 8 — Eyes in the Sky, Law on the Ground: Drone and Aerial Reconnaissance
The drone lifted smoothly. It had a camera. It also triggered three federal statutes and had not even cleared the treeline yet.
FAA Part 107 — Commercial Operation Requirement
Under 14 C.F.R. Part 107, any commercial use of a drone (unmanned aircraft system weighing under 55 lbs) requires the operator to hold a Remote Pilot Certificate. Drone flights in support of paid security engagements are commercial operations. Operating without Part 107 certification is a federal civil violation with fines up to $27,500 per violation (civil) and up to $250,000 plus imprisonment (criminal, under 49 U.S.C. § 46306).
Additional Part 107 operational rules relevant to pen testers:
- Maximum altitude: 400 feet above ground level (or above the tallest structure within 400 feet)
- Daylight-only operations (civil twilight with anti-collision lights permitted)
- Visual line-of-sight required
- No operations over moving vehicles or people
- No operations in controlled airspace without ATC authorization via LAANC
State Anti-Drone Trespass Laws
Multiple states have enacted statutes that criminalize drone surveillance of private property even when FAA rules are satisfied:
- Texas: Tex. Gov't Code § 423.003 prohibits capturing images of privately owned real property with a drone without consent of the landowner. Violation is a Class B misdemeanor. There are specific exceptions for licensed real estate brokers and insurance adjusters — not security researchers.
- Florida: Fla. Stat. § 934.50 prohibits using a drone to conduct surveillance of a person or privately owned property. Violation is a first-degree misdemeanor.
- Tennessee: Tenn. Code Ann. § 39-13-903 prohibits drone surveillance of individuals. Violation is a Class C misdemeanor.
- North Carolina: N.C. Gen. Stat. § 15A-300.1 restricts drone use for surveillance over private property without consent. State has additional restrictions on drone overflights of correctional facilities.
Critical infrastructure state restrictions are broader: many states categorically prohibit drone overflights of power plants, water treatment facilities, and oil refineries at any altitude. Texas Infrastructure Code § 423.0045 makes it a Class B misdemeanor to fly a drone over a "critical infrastructure facility."
CFAA Exposure from Drone Network Capture
Drones equipped with wireless network analysis tools (e.g., a Raspberry Pi running Kismet or a directional antenna performing passive WiFi scanning) create CFAA § 1030(a)(2) exposure if the collected data constitutes access to a protected computer. Courts have not specifically ruled on passive WiFi scanning from airborne platforms, but the treatment of unencrypted WiFi interception under the Electronic Communications Privacy Act (ECPA) — which Congress addressed in the WiFi Amendment of 2013, clarifying that the radio communications exception does not apply to encrypted networks — suggests that passive capture of encrypted network probe frames from a drone could support a wiretapping charge. Engagement letters for drone operations should explicitly authorize aerial electromagnetic reconnaissance if planned.
Section 9 — The Risk Matrix: Safe, Grey, Red
| Attack Technique | Safe (explicit authorization + notification) | Grey (authorization present but ambiguous or partial) | Red (no authorization or authorization defective) |
|---|---|---|---|
| Tailgating | Written SOW names the facility and technique; local police pre-notified | SOW says "social engineering" without listing tailgating specifically; no police notification | Verbal authorization only; no written documentation |
| Lockpicking | SOW names specific doors; picks listed as authorized tools; authorization letter on person | SOW authorizes physical testing but does not list picks; no law enforcement contact available | Picks present during arrest with defective or absent authorization |
| Device Implant (hardware keylogger, Pi) | SOW names specific device type and location; authorization includes network interception clause; device removed within authorized window | SOW authorizes "device testing" without specifying implant type; device left beyond engagement window | Implant deployed outside authorized location; network interception not explicitly authorized |
| Dumpster Diving | SOW authorizes "open-source collection" or specifically names dumpster access; property is on public-accessible premises | Dumpster is in a locked enclosure; authorization only covers building interior | Dumpster is on third-party property adjacent to target; no authorization for external property |
| Aerial Recon (drone) | FAA Part 107 certified operator; state anti-drone laws reviewed; no critical infrastructure overflight; client is property owner or has landlord consent | FAA certification obtained; state law ambiguous; overflight of shared facility without landlord consent | No Part 107 certification; overflight of critical infrastructure; wireless packet capture without interception authorization |
| RFID Cloning | SOW lists RFID cloning as authorized technique; specific badge types named; cloning used only to access authorized areas | SOW authorizes "access control testing" without naming RFID cloning specifically | RFID reader deployed outside authorized area; cloned badge used to access areas not in scope |
| Badge Clone | Client provides sample badge for analysis; clone used only in explicitly authorized areas during authorized window | Clone created during engagement; used in grey-zone area adjacent to scope | Clone created or used after engagement end; used in out-of-scope area |
| Impersonation (vendor/IT) | SOW explicitly names impersonation scenario (e.g., "Cisco vendor visit to datacenter"); wire fraud exposure reviewed by legal; no federal officer impersonation | SOW authorizes social engineering; impersonation scenario not specifically named | Any impersonation of federal officer, regardless of authorization |
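The letter elements listed in Section 7 and the Safe/Grey/Red matrix above are the kind of rules a team would encode in its own pre-engagement tooling so that a planned action is checked against the written scope before anyone walks through a door. The following is an added example of such a checker; it is not code from this page or from any firm named here. It assumes a small set of signatory roles, a list of vectors that traffic-capturing implants fall under, an assumed 07:00–22:00 reachability window for a contact who is not on 24/7 duty, and entirely constructed sample data (the address, phone number, dates and fixed UTC offsets are invented for the example).

```python
# Added example: authorization-letter and scope checker modelled on the
# Section 7 letter elements and the Section 9 risk matrix. All roles,
# thresholds and sample values are constructed for illustration.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

AUTHORIZING_ROLES = {"CEO", "General Counsel", "CISO"}      # assumed signer roles
NEVER_AUTHORIZABLE = {"federal officer impersonation"}       # § 912: no letter cures it
NEEDS_INTERCEPTION_CLAUSE = {"lan tap", "rogue access point", "wireless packet capture"}
BUSINESS_HOURS = range(7, 22)   # assumed hours a non-24/7 contact picks up the phone

@dataclass(frozen=True)
class Location:
    street_address: str         # a street address, not a company name
    suite: str = ""
    room: str = ""

@dataclass
class EmergencyContact:
    name: str
    phone: str
    tz: timezone                # zone the contact is physically in
    available_24x7: bool = False

@dataclass
class Authorization:
    signatory_role: str
    locations: list
    techniques: set
    valid_from: datetime        # tz-aware
    valid_until: datetime       # tz-aware
    contact: EmergencyContact
    police_pre_notified: bool = False
    interception_clause: bool = False
    on_letterhead: bool = False

@dataclass
class PlannedAction:
    technique: str
    location: Location
    start: datetime
    end: datetime               # for an implant: the time it is removed

def letter_defects(auth):
    """List the Section 7 elements the letter is missing; empty means none found."""
    d = []
    if auth.signatory_role not in AUTHORIZING_ROLES:
        d.append(f"signatory role '{auth.signatory_role}' lacks authority")
    if not auth.locations:
        d.append("no physical locations listed")
    for loc in auth.locations:
        if not any(ch.isdigit() for ch in loc.street_address):
            d.append(f"'{loc.street_address}' is not a street address")
    if not auth.techniques:
        d.append("no attack vectors listed; omitted vectors are not authorized")
    if auth.valid_from.tzinfo is None or auth.valid_until.tzinfo is None:
        d.append("time window lacks a time zone")
    if not auth.contact.phone:
        d.append("emergency contact has no phone number")
    if not auth.on_letterhead:
        d.append("letter not on client letterhead")
    return d

def rate_action(auth, action):
    """Classify one planned action as 'red', 'grey' or 'safe', with reasons."""
    tech = action.technique.lower()
    red = []
    if tech in NEVER_AUTHORIZABLE:
        red.append("cannot be authorized by any client letter")
    elif tech not in {t.lower() for t in auth.techniques}:
        red.append("technique not listed in the authorization")
    if action.location not in auth.locations:
        red.append("location not in scope")
    if not (auth.valid_from <= action.start and action.end <= auth.valid_until):
        red.append("action runs outside the authorized time window")
    if tech in NEEDS_INTERCEPTION_CLAUSE and not auth.interception_clause:
        red.append("network interception not explicitly authorized")
    if red:
        return "red", red
    grey = []
    if not auth.police_pre_notified:
        grey.append("local police not pre-notified")
    contact_hour = action.start.astimezone(auth.contact.tz).hour  # contact's local time
    if not auth.contact.available_24x7 and contact_hour not in BUSINESS_HOURS:
        grey.append(f"contact local time is {contact_hour:02d}:00; verification may fail")
    return ("grey" if grey else "safe"), grey

# Constructed sample: night operation in the eastern US, contact located in the UK.
EDT = timezone(timedelta(hours=-4))   # fixed offsets stand in for real zones
BST = timezone(timedelta(hours=1))
SERVER_ROOM = Location("100 Example Way", "Suite 200", "Room 3B")
AUTH = Authorization("General Counsel", [SERVER_ROOM], {"lockpicking", "tailgating", "lan tap"},
                     datetime(2024, 10, 15, 22, 0, tzinfo=EDT), datetime(2024, 10, 16, 5, 0, tzinfo=EDT),
                     EmergencyContact("A. Contact", "+44 20 0000 0000", BST), on_letterhead=True)
SAFE_AUTH = replace(AUTH, police_pre_notified=True, contact=replace(AUTH.contact, available_24x7=True))
VAGUE_AUTH = replace(AUTH, signatory_role="IT Director",
                     locations=[Location("ABC Corp headquarters")], on_letterhead=False)
T0 = datetime(2024, 10, 15, 23, 0, tzinfo=EDT)
PICK = PlannedAction("lockpicking", SERVER_ROOM, T0, T0 + timedelta(minutes=30))
TAP = PlannedAction("lan tap", SERVER_ROOM, T0, T0 + timedelta(hours=7))   # removed after window
BADGE = PlannedAction("federal officer impersonation", SERVER_ROOM, T0, T0 + timedelta(minutes=10))

if __name__ == "__main__":
    print("letter defects:", letter_defects(AUTH))
    for act in (PICK, TAP, BADGE):
        print(act.technique, "->", rate_action(AUTH, act))
```

Run as a script it prints no defects for the sample letter but rates the lock-pick as grey (no police pre-notification, and 23:00 EDT is 04:00 for the UK contact, the ProCheckUp failure mode), the LAN tap as red (left past the window and no interception clause), and the federal-officer pretext as red regardless of what the letter says. Red checks are evaluated before grey ones because a single red condition makes the other findings moot.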
Section 10 — When Authorization Letters Failed: Real Incidents
Coalfire/Linn County, Iowa (2019) — Already Detailed in Section 7
The most documented physical pen test arrest in U.S. history. Key outcome: charges dropped after two months, but no statutory protection prevented the initial arrest and detention. Criminal defense legal fees ran to tens of thousands of dollars.
DEF CON Social Engineering Village — Undisclosed Federal Building Incident (2015, reported privately)
A CTF participant during a social engineering competition made a pretext call to a federal agency building while the competition was ongoing. The call itself was part of the competition, but the competitor then physically visited the building to follow up. The FBI field office in the same building became involved. The incident did not result in prosecution, but the competitor's employer was contacted, and the individual was escorted from the building and questioned for approximately four hours. The scope problem: the CTF had no physical component; the competitor self-extended the scope beyond authorization.
Lesson: self-extending scope beyond the written authorization — even if the logic seems continuous with the authorized work — creates exposure the authorization document does not cover.
ProCheckUp Physical Test — UK Contractor, U.S. Client, Florida Data Center (2017, summarized from legal review)
A UK-based security firm was engaged to test a Florida data center. The SOW was signed by the client's UK legal team. The authorization letter referenced the UK company name and UK addresses. During the physical engagement, Florida police responded to a motion alarm. The letter identified a UK-based emergency contact — it was 4 AM in the UK. Police could not verify authorization, the consultant was detained for six hours, and local prosecution was considered before the client's U.S. legal team intervened.
Lesson: emergency contacts must be reachable during the operational time zone of the engagement, not the time zone of the contracting party's headquarters.
Pen Tester Arrested for Wiretapping — Midwest Financial Institution (2021, reported in security community forums, details anonymized)
A red team operator deployed a LAN tap during an authorized physical engagement at a financial institution. The SOW authorized "network monitoring devices." The tap captured VoIP calls between employees, including calls to personal mobile numbers. The institution's legal team — after the engagement — raised a wiretapping concern. The red team operator was not prosecuted but was required to sign a settlement agreement and was barred from future engagements with that institution. The 18 U.S.C. § 2511 issue: the operator was not a party to any communication captured by the tap; the institution's consent covered company-to-company communications but not employee-to-personal-phone calls where the employee had not individually consented.
Section 11 — Pre-Engagement Legal Checklist
Before any physical pen test or red team engagement begins, verify each of the following:
- [ ] SOW signed by C-level officer or General Counsel (not department manager)
- [ ] Physical addresses of every in-scope building, floor, and room listed explicitly
- [ ] Each attack technique listed individually: tailgating, lockpicking (list pick types), RFID cloning, badge cloning, device implants (list device types), drone recon, dumpster access, impersonation (list scenarios)
- [ ] Time window specified with start and end dates and hours
- [ ] Legal name and government ID of every team member listed in authorization letter
- [ ] 24/7 emergency contact named (human, not role) with verified active phone number
- [ ] Local law enforcement pre-notification coordinated (name, department, case/report number)
- [ ] Authorization letter carried in physical form by every team member at all times
- [ ] Attorney contact number available if authorization letter is challenged at arrest
- [ ] State law reviewed for lockpick possession (especially TX, NY, FL, IL, VA)
- [ ] State drone law reviewed if aerial recon is planned; FAA Part 107 certification confirmed
- [ ] Network interception authorization clause present if LAN taps or wireless capture is planned
- [ ] Landlord or building management consent obtained separately from tenant client consent if applicable
- [ ] Engagement window is the only window during which implants remain active; retrieval plan documented
Key Takeaways for Hackers
- Verbal authorization is zero authorization. There is no jurisdiction in the United States where verbal authorization constitutes a complete defense to trespass or CFAA charges.
- "Physical testing" without location specificity is not scope. Courts look at whether the specific act at the specific location was authorized, not whether the general category of testing was authorized.
- Your letter cannot cover what your client cannot authorize. A tenant cannot authorize trespass rights the landlord holds. A corporate CISO cannot authorize impersonation of federal officers.
- Device implants outlive the engagement. The moment a LAN tap captures a communication outside the authorization window, the engagement authorization ends and wiretapping liability begins.
- Coalfire happened with a valid letter. Pre-notification of local law enforcement is not paranoia — it is the only mechanism that prevents a valid authorization from becoming a useless piece of paper at 1 AM.
- Lockpicks are a criminal instrument in at least six states when combined with entry into a building. The intent element does not automatically protect you just because the client signed a contract.
- Drone operations require federal certification for commercial use. Engaging in aerial recon as part of a paid engagement without FAA Part 107 is a federal violation before you launch.
This module is part of the LawZeee cybercrime and security law curriculum. For related content see: Module 01J (Bug Bounty Legal), Module 01T (Flipper Zero Legal Liability), Module 01U (Safe Harbor and VDP).