Recycle bins, pest-control sprayers, and other non-tech ways to breach security
Red teamers are hired to craftily break in. Are our adversaries doing the same?
Next time you see someone at your company with a recycle bin, maybe check their ID.
Former pen tester and red teamer Jake Williams said he once spray-painted a data-destruction company’s name on a wheeled trash can from Home Depot. From there, he went to an organization’s front door and said something to the effect of, “We’re here to shred your sensitive documents.”
And the ruse worked.
Penetration testers, abbreviated to pen testers, are often hired by companies to simulate cyberattacks and to see how well the company holds up to adversarial tactics. Red teamers like Williams serve a similar role, often looking comprehensively at a client organization’s defenses rather than focusing on specific vulnerabilities. Whatever their role, sometimes a hack requires a humble trash can, clipboard, or other everyday object.
“We are talking super low-tech here, right? But look, people are wired to want to help people. We’re wired to believe that things are as they seem,” Williams, faculty at IANS Research and VP of R&D at cybersecurity company Hunter Strategy, said, recalling his time red teaming and pen testing at Rendition Infosec, where he was CTO from 2013 to 2021.
Physical-access testers past and present spoke with IT Brew about the low tech they’ve used to gain high levels of access. Are our adversaries doing the same?
Pest in show. Zach Varnell, currently security consulting lead at web app pen-testing firm Asteros, seems to know where to find a Home Depot when necessary, too. On a former red-team engagement more than a decade ago, he said, a team member filled a pest-control canister with water and began spraying the grass outside, taking his time so everyone inside noticed. Moments later, the colleague went to a side door, asking to be let in. The company’s employees were hesitant, Varnell recalls—at first.
“Then he was like, ‘Well, I’m here to spray for black widows,’” he said.
Access granted!
While Varnell’s co-conspirator finished the fake spraying job, he left and held the door open for Varnell, who played the part of an intern. Instead of performing typical trainee tasks, though, he placed keystroke loggers (tools used to capture what someone’s typing, including passwords) into computers.
Physics 101. Physical attacks—“deliberate threats that involve proximity, possession or force”—are not extremely popular hacker tactics. After all, who doesn’t love working remotely? Cyberattacks continue to be a leading attack vector; according to a July report from the Identity Theft Resource Center (ITRC), 1,348 cyberattacks led to data breaches during H1 2025.
The ITRC calculated 34 “physical attacks”—a small amount by comparison, but a slight increase from the 33 physical attacks tallied in all of 2024. (The report did not specify how many real-world attacks used fake pesticides.)
Who’s hiring these impersonators? Michael Welch, managing director and CISO at professional-services firm MorganFranklin Cyber, has seen organizations such as manufacturers hire red teamers to test the security of their own infrastructure and on-prem technology.
Some clients need the tests for compliance purposes, according to Welch, to meet standards like CMMC for defense contractors and HIPAA for healthcare pros, and to demonstrate proof of effective physical controls.
Physical attacks need somebody to be there, which takes resources, and may dissuade the average adversary on the other side of the world who can hack from home. Still, the red-team tests are important, Welch emphasized.
“You can’t just say, ‘Well, it’s small, so we’re going to ignore it.’ That just wouldn’t be good business sense. It’s not good risk management,” he said.
While Williams said nation-state adversaries will likely avoid physical attacks because of the high risk of getting caught, he has worked with clients who’ve discovered implanted listening devices in their environments.
As a hired pen tester, Williams has gained entry and placed small computers into open network jacks; the planted device becomes an endpoint on the network, one he can later connect to and use for malicious activity if network defenses are not in place. He has also grabbed small-form-factor computers, perhaps lacking full-disk encryption, that were left out in the open. Behind all the costumes, props, and impersonations, a red-team exercise is really about seeing how a company holds up on a real trash day.
“As CISO, as a network defender as well, you’re able to look and say, ‘Do my cybersecurity controls just collapse once somebody physically is inside one of our facilities?’” Williams said.
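One concrete way a defender can answer Williams’s question about a device planted in an open network jack is to compare what the DHCP server hands out against the asset inventory. The script below is an added example, not code from the article or from any of the people quoted in it; the log lines, the inventory, and the hostnames in it are constructed sample data, and it assumes the ISC dhcpd DHCPACK log format. It flags two signals: a hardware address nobody provisioned, and a known hardware address that now reports a different hostname than the one on record (a MAC allowlist alone is easy to spoof, so the hostname check is a second, cheap cross-reference).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in ISC dhcpd's DHCPACK log format (invented data, not from the article).
SAMPLE_DHCP_LOG = """\
Jul 14 09:02:11 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.31 to 3c:52:82:0a:1b:2c (ws-finance-07) via eth1
Jul 14 09:03:48 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.88 to b8:27:eb:4f:93:a1 (raspberrypi) via eth1
Jul 14 09:05:02 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.32 to 3C:52:82:0A:1B:2D (laptop-x1) via eth1
Jul 14 09:07:19 dhcp1 dhcpd[1203]: DHCPACK on 10.20.4.89 to 00:0c:29:aa:bb:cc via eth1
"""

# Constructed asset inventory: hardware address -> hostname recorded when the device was provisioned.
ASSET_INVENTORY: Dict[str, str] = {
    "3c:52:82:0a:1b:2c": "ws-finance-07",
    "3c:52:82:0a:1b:2d": "ws-finance-08",
}

# The hostname in parentheses is optional in dhcpd's DHCPACK line, so it is an optional group here.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<hostname>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str            # normalized to lowercase so inventory lookups are case-insensitive
    hostname: Optional[str]
    iface: str


@dataclass(frozen=True)
class Finding:
    lease: Lease
    reason: str


def parse_dhcp_log(text: str) -> List[Lease]:
    """Extract one Lease per DHCPACK line; lines in any other format are ignored."""
    leases: List[Lease] = []
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        leases.append(Lease(ip=m["ip"], mac=m["mac"].lower(),
                            hostname=m["hostname"], iface=m["iface"]))
    return leases


def find_suspicious_leases(leases: List[Lease], inventory: Dict[str, str]) -> List[Finding]:
    """Flag leases whose hardware address is unknown, or known but reporting an unexpected hostname."""
    findings: List[Finding] = []
    for lease in leases:
        expected = inventory.get(lease.mac)
        if expected is None:
            findings.append(Finding(lease, "hardware address not in asset inventory"))
        elif lease.hostname != expected:
            findings.append(Finding(
                lease, f"hostname {lease.hostname!r} does not match inventory record {expected!r}"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_leases(parse_dhcp_log(SAMPLE_DHCP_LOG), ASSET_INVENTORY):
        print(f"{f.lease.ip:<12} {f.lease.mac}  {f.reason}")
```

Run against a real dhcpd log, the same two functions work unchanged; the constructed sample produces three findings (a Raspberry Pi never provisioned, a known address with a changed hostname, and a hostless client). Port security or 802.1X on the switch stops the device earlier, but this inventory cross-check is the kind of detection that tells a CISO whether controls hold once someone is physically inside.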
About the author
Billy Hurley
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.