Insider Threat Matrix™
  • ID: DT033
  • Created: 31st May 2024
  • Updated: 31st May 2024
  • Contributor: The ITM Team

Closed-Circuit Television

CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and records them to video for later review. Because a subject with access to the CCTV system itself may erase or manipulate footage (see ME024.004 below), recordings are only useful as evidence if they are retained and protected independently of the people and spaces they monitor.

Sections

PR007 CCTV Enumeration

The subject enumerates organizational CCTV coverage through physical reconnaissance, network-based probing, or a combination of both. This behavior aims to identify surveillance blind spots, coverage patterns, and system weaknesses in order to plan insider activity such as unauthorized entry, covert data removal, or sabotage.

  • Physical enumeration involves walking routes to observe camera placement, photographing or sketching locations, and identifying fields of view, blind spots, or coverage overlaps. Subjects may test movement within blind zones or note environmental features (e.g., pillars, furniture) that obstruct visibility.

  • Network enumeration targets digital surveillance systems, including IP cameras, DVRs, NVRs, and PoE switches. Subjects may scan for active devices, query configurations, or attempt login with default credentials to discover camera IPs, firmware details, and accessible streams.

When combined, physical and network enumeration provide a detailed map of surveillance infrastructure. For example, a subject may confirm camera placement through on-site observation, then validate viewing angles and live coverage zones by remotely accessing the corresponding camera feeds across the network. This dual approach allows the subject to identify exact surveillance gaps, test whether specific areas are monitored, and plan movement or concealment with high confidence.

This behavior is a strong indicator of deliberate preparation, as it requires technical effort, situational awareness, and intent to circumvent organizational surveillance. Unlike physical reconnaissance, network enumeration leaves traces on the network itself: a host outside the video management system contacting many cameras, or probing the surveillance VLAN for discovery services, is visible in connection or flow logs where those are collected.
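The network half of this behavior can be surfaced from ordinary connection logs. The following is an added example (not code from the Insider Threat Matrix) that flags non-VMS hosts which either send a WS-Discovery probe (the multicast discovery mechanism ONVIF cameras answer) or fan out across many camera hosts within a short window. The log format, the CCTV subnet, the VMS allowlist and the vendor port numbers 8000 and 37777 are assumptions for a hypothetical environment; 554 (RTSP) and 3702/udp (WS-Discovery) are the standard ports. The log lines are constructed.

```python
"""Flag hosts that enumerate the CCTV network from connection logs.

Added example. The log format, the CCTV subnet, the VMS allowlist and the
vendor port numbers below are assumptions for a hypothetical environment.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

CAMERA_NET = ipaddress.ip_network("10.50.0.0/24")  # assumed CCTV VLAN
VMS_SERVERS = {"10.10.1.5"}  # assumed video management servers that legitimately poll every camera
# 554 (RTSP) and 3702/udp (WS-Discovery, used for ONVIF device discovery) are standard;
# 80/443 are typical web UIs; 8000 and 37777 stand in for vendor SDK ports in this assumed environment.
CAMERA_PORTS = {80, 443, 554, 8000, 37777}
WS_DISCOVERY = ("239.255.255.250", 3702)
FANOUT_THRESHOLD = 5           # distinct camera hosts contacted within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed connection log: "<iso timestamp> <src> <dst> <dst_port> <proto>"
SAMPLE_LOG = """\
2024-05-31T09:00:01 10.10.1.5 10.50.0.11 554 tcp
2024-05-31T09:00:01 10.10.1.5 10.50.0.12 554 tcp
2024-05-31T09:00:02 10.10.1.5 10.50.0.13 554 tcp
2024-05-31T09:00:02 10.10.1.5 10.50.0.14 554 tcp
2024-05-31T09:00:03 10.10.1.5 10.50.0.15 554 tcp
2024-05-31T09:00:03 10.10.1.5 10.50.0.16 554 tcp
2024-05-31T09:02:10 10.20.3.10 10.50.0.11 443 tcp
2024-05-31T09:05:00 10.20.3.44 239.255.255.250 3702 udp
2024-05-31T09:05:03 10.20.3.44 10.50.0.11 554 tcp
2024-05-31T09:05:04 10.20.3.44 10.50.0.12 554 tcp
2024-05-31T09:05:05 10.20.3.44 10.50.0.13 80 tcp
2024-05-31T09:05:06 10.20.3.44 10.50.0.14 80 tcp
2024-05-31T09:05:08 10.20.3.44 10.50.0.15 37777 tcp
2024-05-31T09:06:30 10.20.3.44 10.50.0.16 554 tcp
"""


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def enumeration_alerts(lines):
    """Return one alert dict per (source, reason) for non-VMS hosts that
    probe WS-Discovery or fan out across many cameras inside WINDOW."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_src[ev[1]].append(ev)

    alerts = []
    for src, events in by_src.items():
        if src in VMS_SERVERS:
            continue
        events.sort()
        # A single WS-Discovery multicast from a non-VMS host is enough to flag:
        # ordinary clients have no reason to discover cameras.
        if any((dst, port) == WS_DISCOVERY and proto == "udp"
               for _, _, dst, port, proto in events):
            alerts.append({"src": src, "reason": "ws-discovery-probe"})

        # Sliding window over camera-service connections: track the largest set
        # of distinct camera hosts touched within WINDOW, which catches both a
        # fast sweep and a slower probe spread across the subnet.
        cam = [(ts, dst) for ts, _, dst, port, _ in events
               if ipaddress.ip_address(dst) in CAMERA_NET and port in CAMERA_PORTS]
        best, lo = 0, 0
        for hi in range(len(cam)):
            while cam[hi][0] - cam[lo][0] > WINDOW:
                lo += 1
            best = max(best, len({dst for _, dst in cam[lo:hi + 1]}))
        if best >= FANOUT_THRESHOLD:
            alerts.append({"src": src, "reason": "camera-fanout", "hosts": best})
    return alerts


if __name__ == "__main__":
    for alert in enumeration_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the constructed sample the VMS server polls every camera and is ignored, a workstation that opens one camera's web UI is not flagged, and the host that sends a discovery probe and then touches six cameras in under two minutes produces both alert types. The allowlist is the important tuning point: anything that legitimately talks to every camera (VMS, monitoring, patching) must be on it or the rule is noise.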

PR008 Physical Item Smuggling

A subject attempts to defeat physical security controls by smuggling an item into a controlled area to facilitate an infringement, such as a smartphone with a camera. The item may appear innocuous when it is first introduced.

PR009 Physical Exploration

A subject attempts to defeat physical security controls to gain access to a secured area to conduct an infringement.

IF003 Exfiltration via Media Capture

Exfiltration via media capture refers to the extraction of sensitive information through the recording of visual or auditory content using capture mechanisms that operate outside organizational control. This includes the use of external devices, embedded system tools, or third-party applications to record screens, documents, or conversations and convert them into transferable media formats such as images, video, audio, or structured transcripts.

This category is defined not by the type of data being accessed but by the method of extraction: specifically, the transformation of information into captured media in order to bypass conventional monitoring and control mechanisms. In these scenarios, the subject does not transfer files or data through approved or monitored channels. Instead, they reproduce the information in an alternate form that can be removed without generating traditional indicators of exfiltration.

Media capture techniques are particularly effective in environments where digital controls are mature, such as strong data loss prevention (DLP), restricted file transfer mechanisms, or monitored endpoints. As these controls limit conventional exfiltration paths, subjects may shift toward out-of-band capture methods that operate beyond system visibility.

This behavior may be opportunistic or deliberate. In lower-control environments, subjects may casually capture information with minimal consideration of detection. In higher-control environments, the use of media capture may indicate awareness of monitoring capabilities and an intentional effort to circumvent them. In both cases, the technique exploits a fundamental gap between information exposure and information control: once data is visible or spoken, it becomes inherently difficult to contain.

Media capture also varies in its execution and detectability. Some techniques are rapid and discreet, such as still photography, while others involve sustained collection, such as video recording or continuous audio capture.

From an investigative perspective, this section represents a class of behaviors where traditional telemetry is limited or absent. Detection often relies on indirect indicators, environmental controls (such as CCTV covering workstations and document-handling areas), or post-event analysis of leaked material. As a result, prevention and deterrence play a critical role, particularly through physical controls, policy enforcement, and attribution mechanisms such as watermarking.

This section is closely related to broader data loss behaviors, but is distinct in its reliance on out-of-band capture methods rather than direct data transfer.

IF002 Exfiltration via Physical Medium

A subject may exfiltrate data via a physical medium, such as a removable drive.

ME013 Media Capture

A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings.

IF012 Public Statements Resulting in Brand Damage

A subject makes comments either in-person or online that can damage the organization's brand through association.

IF006 Unauthorized Printing of Documents

A subject exfiltrates information by printing it to paper or other physical medium.

AF010 Physical Removal of Disk Storage

A subject may remove attached disk storage from a system to deny investigators access to the files stored within it.

AF011 Physical Destruction of Storage Media

A subject may destroy or otherwise impair physical storage media such as hard drives to prevent them from being analyzed.

PR012 Physical Disk Removal

A subject removes the physical disk of a target system to access the target file system with an external device/system.

ME024 Access

A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.

Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.

Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities.

IF015 Theft

A subject steals an item or items belonging to an organization, such as a corporate laptop or corporate mobile phone.

PR027 Impersonation

The subject deliberately adopts or fabricates an identity—visually, digitally, or procedurally—to gain access, mislead stakeholders, or enable a planned insider event. Impersonation may occur in physical environments (e.g., unauthorized use of uniforms or cloned ID cards), digital platforms (e.g., email aliases or collaboration tools), or human interactions (e.g., job interviews). These behaviors typically precede unauthorized access, credential misuse, sabotage, or data exfiltration, and may allow subjects to operate without attribution or delay detection.

Impersonation is a high-risk preparatory behavior that often precedes direct misuse of trust. By assuming a false identity or misrepresenting role, authority, or affiliation, the subject gains unauthorized access or influence—without triggering traditional insider threat controls.

IF013 Disruption of Business Operations

The subject causes interruptions, degradation, or instability in organizational systems, processes, or data flows that impair day-to-day operations and affect availability, integrity, or service continuity. This category encompasses non-exfiltrative and non-theft forms of disruption, distinct from data exfiltration or malware aimed at permanent destruction.

Disruptive actions may include misuse of administrative tools, intentional misconfiguration, suppression of services, logic interference, dependency tampering, or selective disabling of critical functions. The objective is operational impact: slowing, blocking, or misrouting workflows rather than removing or stealing data.

PR034 Media Capture via External Device

The subject uses an external recording device, such as a personal mobile phone, tablet, wearable camera, or dedicated camera, to capture photographs, video, or audio of sensitive information displayed or stored within the organization’s environment.

This method is commonly used to collect information from computer screens, whiteboards, printed documents, internal dashboards, source code repositories, financial records, or physical access areas. The subject may position the device discreetly to photograph multiple screens, record walkthroughs of restricted areas, or document proprietary material during meetings or presentations.

PR036 Hardware-Based Remote Access (IP-KVM)

A subject deploys a hardware-based remote access device, typically an IP-KVM (Keyboard, Video, Mouse over IP) system, to remotely interact with a workstation or server through its physical interfaces.

These devices connect directly to the system’s video output (HDMI or DisplayPort) and USB ports, capturing the display signal while injecting keyboard and mouse input remotely. The device presents itself to the operating system as standard USB Human Interface Devices (HID), such as a generic keyboard and mouse, allowing the subject to interact with the system as though physically present at the console.

Because the interaction occurs through physical interface emulation rather than installed software, activity generated through the device appears as local console input to the operating system. This can bypass controls designed to detect or restrict software-based remote access tools such as Remote Desktop Protocol (RDP) or third-party remote administration platforms. What remains observable on the host is the device's arrival: the operating system still enumerates the new USB keyboard and mouse, so USB attach events are a host-side indicator even though the input itself cannot be distinguished from a local operator's.

Many IP-KVM devices provide independent network connectivity, including Ethernet, Wi-Fi, or cellular access, allowing the subject to maintain remote interaction with the system through an external management interface. When used in this manner, the remote session may not traverse corporate remote access infrastructure or generate conventional remote access/network logs.

While these devices have legitimate uses in system administration, hardware labs, and data center environments, a subject may deploy them covertly to maintain persistent remote access to a system without installing software or triggering typical remote access monitoring or network controls.

Within the Insider Threat Matrix, this behavior represents preparatory activity, as it establishes a covert remote control capability that may later enable unauthorized access, data exfiltration, or system manipulation. Installing the device requires hands-on access to the target's ports, which is the moment CCTV coverage of the area can capture.
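Because the device must enumerate as a USB keyboard and mouse, kernel USB/HID attach messages are the host-side artifact worth watching. The following is an added example (not from the Insider Threat Matrix) that parses Linux kernel syslog lines of the form the USB and hid-generic drivers emit, pairs the vendor/product ID with the HID interfaces that appeared on the same port, and raises a high-severity alert for any keyboard or mouse appearing on a host inventoried as a headless server, and a medium-severity alert for an unapproved HID on a workstation. The host roles, the approved-peripheral list and the log lines are constructed assumptions; the vendor ID 1d6b:0104 in the sample is the generic ID Linux-based USB gadget devices present and is used here only as illustrative data, not as a signature.

```python
"""Flag unexpected USB HID (keyboard/mouse) attachments from kernel logs.

Added example, not from the Insider Threat Matrix. The syslog lines are
constructed to follow the Linux kernel's USB/HID enumeration message format;
the host roles and the approved-peripheral list are assumptions.
"""
import re
from collections import defaultdict

# Assumed asset inventory: servers have no console user, so any keyboard or
# mouse appearing on them is high severity regardless of vendor.
HOST_ROLES = {"srv-db-03": "server", "ws-fin-17": "workstation", "ws-eng-22": "workstation"}
# Assumed approved corporate peripherals, as "vid:pid".
APPROVED_HID = {"046d:c52b"}

USB_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: usb \d+-(?P<port>[\d.]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
HID_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: hid-generic \S+: input,hidraw\d+: "
    r"USB HID v[\d.]+ (?P<kind>Keyboard|Mouse) \[(?P<name>[^\]]+)\] on usb-\S+-(?P<port>[\d.]+)/input\d+")

# Constructed syslog excerpt (kernel USB enumeration followed by HID binding).
SAMPLE_SYSLOG = """\
May 31 08:01:10 ws-fin-17 kernel: usb 1-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
May 31 08:01:10 ws-fin-17 kernel: hid-generic 0003:046D:C52B.0001: input,hidraw0: USB HID v1.11 Keyboard [Corporate Wireless Receiver] on usb-0000:00:14.0-1/input0
May 31 08:01:10 ws-fin-17 kernel: hid-generic 0003:046D:C52B.0002: input,hidraw1: USB HID v1.11 Mouse [Corporate Wireless Receiver] on usb-0000:00:14.0-1/input1
May 31 02:13:01 srv-db-03 kernel: usb 1-1.2: New USB device found, idVendor=1d6b, idProduct=0104, bcdDevice= 6.01
May 31 02:13:01 srv-db-03 kernel: hid-generic 0003:1D6B:0104.0003: input,hidraw2: USB HID v1.01 Keyboard [Composite Gadget] on usb-0000:00:14.0-1.2/input0
May 31 02:13:01 srv-db-03 kernel: hid-generic 0003:1D6B:0104.0004: input,hidraw3: USB HID v1.01 Mouse [Composite Gadget] on usb-0000:00:14.0-1.2/input1
May 31 19:42:55 ws-eng-22 kernel: usb 3-2: New USB device found, idVendor=1d6b, idProduct=0104, bcdDevice= 6.01
May 31 19:42:55 ws-eng-22 kernel: hid-generic 0003:1D6B:0104.0005: input,hidraw2: USB HID v1.01 Keyboard [Composite Gadget] on usb-0000:00:14.0-2/input0
May 31 19:42:55 ws-eng-22 kernel: hid-generic 0003:1D6B:0104.0006: input,hidraw3: USB HID v1.01 Mouse [Composite Gadget] on usb-0000:00:14.0-2/input1
"""


def hid_alerts(lines, host_roles=HOST_ROLES, approved=APPROVED_HID):
    """Group USB and HID messages by (host, port) and alert on HID devices
    that should not be there for that host's role."""
    devices = defaultdict(lambda: {"vid": None, "pid": None, "kinds": set(), "name": None, "ts": None})
    for line in lines:
        m = USB_RE.match(line)
        if m:
            devices[(m["host"], m["port"])].update(vid=m["vid"], pid=m["pid"], ts=m["ts"])
            continue
        m = HID_RE.match(line)
        if m:
            d = devices[(m["host"], m["port"])]
            d["kinds"].add(m["kind"])
            d["name"] = m["name"]

    alerts = []
    for (host, port), d in devices.items():
        if not d["kinds"]:
            continue  # storage, network adapters etc. are out of scope here
        ident = f"{d['vid']}:{d['pid']}"
        if host_roles.get(host) == "server":
            severity, reason = "high", "HID attached to headless server"
        elif ident not in approved:
            severity, reason = "medium", "unapproved HID on workstation"
        else:
            continue
        alerts.append({
            "host": host, "port": port, "device": ident, "name": d["name"], "ts": d["ts"],
            # One device exposing both a keyboard and a mouse is exactly what a KVM presents.
            "kbd_and_mouse": {"Keyboard", "Mouse"} <= d["kinds"],
            "severity": severity, "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in hid_alerts(SAMPLE_SYSLOG.splitlines()):
        print(alert)
```

The role-based rule matters more than any vendor ID: a server in a rack should never grow a keyboard at 02:13, whoever made it. Correlating the alert timestamp with badge records and CCTV footage for the rack location is what turns the host event into an attributable physical act.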

ME031 Unmanaged Device Presence

A subject operates in an environment where non-corporate, unmanaged devices can be introduced, carried, or used within organizational premises without effective restriction, monitoring, or control. These devices may include personal laptops, removable media, mobile phones, or small-form hardware capable of storage, processing, or network connectivity. Unlike sanctioned Bring Your Own Device (BYOD) arrangements, this condition exists outside formal governance, with no enforced linkage between the device and the subject's identity or role.

The presence of unmanaged devices establishes a persistent and unmonitored means through which a subject may bypass established security controls. This includes enabling offline data collection, covert data exfiltration, unauthorized recording, or the introduction of rogue systems. It also supports preparatory activity, such as staging data for removal or facilitating external interaction beyond controlled organizational channels.

IF030 Exfiltration via SMS/MMS

A subject uses native mobile text messaging services, specifically Short Message Service (SMS) and Multimedia Messaging Service (MMS), to transmit sensitive organizational data to an external recipient. This behaviour enables data exfiltration through telecom-based channels that operate outside standard enterprise monitoring, logging, and data loss prevention controls.

Exfiltration via SMS is generally constrained to low-volume, text-based data such as credentials, contact lists, internal identifiers, or short excerpts of sensitive content. MMS expands this capability by allowing the transmission of images, screenshots, audio, or video, enabling higher-density data transfer including photographs or recordings of sensitive systems, documents, or physical environments.

The use of telecom-based messaging for data exfiltration presents significant investigative challenges. Evidence is frequently limited to device-level artifacts or external carrier records, which may be difficult to obtain. As such, this behaviour represents a high-risk exfiltration vector due to its low detectability, minimal technical barriers, and ability to bypass established security controls.

IF031 Unauthorized Presence in Restricted Physical Areas

A subject deliberately enters or remains within a physical area as a trespasser, knowing they are not authorized to be present, where that presence alone creates a credible risk of harm to the organization.

This infringement applies where the subject bypasses, ignores, or circumvents defined physical access restrictions, and where mere presence within the environment exposes sensitive assets, information, or operational context. In these cases, harm does not depend on further action; the subject's unauthorized proximity is sufficient.

Qualifying environments include areas where sensitive material is inherently exposed through observation or presence, such as:

  • Product development labs containing unreleased intellectual property
  • Executive or legal meeting spaces handling confidential matters
  • Security operations environments during active incidents
  • Locations where credentials, systems, or regulated data are visible without additional access steps


The defining characteristic is that the subject is present as a trespasser, not through error, misassignment, or legitimate overlap of duties. The subject understands the boundary and crosses it regardless.

PR039 Observational Information Gathering

The subject gathers sensitive, restricted, or operationally relevant information by observing others as they perform tasks, access systems, or handle data. This behavior allows the subject to obtain knowledge that is not formally available to them through their assigned role, access permissions, or authorized channels.

Observation may occur in both covert and overt forms, and the boundary between the two is often fluid.

Covert observation involves the subject acquiring information without the awareness of the observed individual. This includes:

  • Viewing credentials as they are entered (shoulder-surfing)
  • Observing screen content from adjacent or rear positions
  • Using reflections, positioning, or timing to capture sensitive data
  • Repeated proximity during authentication or system interaction events

Overt observation involves the subject obtaining information through socially facilitated or procedural means, often under a legitimate or benign pretext. This includes:

  • Requesting demonstrations of systems or workflows outside their role requirements
  • Asking colleagues to walk through processes involving sensitive data or privileged actions
  • Positioning themselves as curious, collaborative, or in training to gain visibility
  • Attending or inserting themselves into activities without a defined business need

The information gathered may include:

  • Authentication credentials or authentication patterns
  • System navigation paths and access points
  • Sensitive datasets or document locations
  • Operational procedures, controls, or workarounds

This behavior serves as a foundational preparatory technique, supporting a wide range of downstream actions including unauthorized access, impersonation, data exfiltration, or policy circumvention.

IF037 Physical Sabotage

A subject physically interferes with organizational equipment, infrastructure, facilities, or operational assets with the intent to cause damage, disruption, degradation, outage, safety risk, or loss of service. This infringement includes direct physical actions against systems or supporting infrastructure, such as disconnecting cables, interrupting power, damaging equipment, or impairing facility services required for normal operations.

IF003.002 Exfiltration via External Device Video Capture

A subject records sensitive information by capturing video using an external device, such as a personal mobile phone or standalone camera. This behavior typically involves filming screens, documents, or physical environments where sensitive information is displayed or discussed.

Unlike software-based screen recording or screenshot tools, this method operates outside corporate control boundaries. The capture process occurs entirely outside the monitored endpoint, bypassing data loss prevention (DLP), endpoint detection, and audit logging mechanisms.

This technique is commonly observed in controlled environments where digital exfiltration is restricted or heavily monitored. It may be opportunistic (such as quickly recording a screen) or deliberate, involving repeated capture of large volumes of information over time. The use of an external device can indicate subject awareness of monitoring controls and an intent to avoid traceable data transfer.

IF003.001 Exfiltration via Photography

A subject captures sensitive information by taking still images using an external device, most commonly a personal mobile phone. This typically involves photographing screens, printed documents, whiteboards, or other visual representations of sensitive data within the organization’s environment.

Unlike video capture, photography enables rapid, low-friction extraction of discrete information with minimal dwell time. A subject can capture high volumes of content in short bursts without sustained or conspicuous behavior, making this technique particularly effective in environments with physical proximity to sensitive material but strong digital controls.

This method often operates entirely outside controlled systems and therefore bypasses endpoint monitoring, data loss prevention (DLP), and network-based detection mechanisms. It is frequently opportunistic, occurring during routine access to sensitive information, but may also be deliberate, such as systematically photographing documents, screens, or workflows over time.

Photography-based exfiltration is especially prevalent in environments where:

  • Sensitive data is visually accessible (e.g., call centers, trading floors, development environments)
  • Physical device controls are weak or inconsistently enforced
  • Subjects have legitimate access but limited ability to export data digitally

The presence of this behavior may indicate awareness of monitoring controls or a preference for low-risk, low-detectability exfiltration methods.

IF003.003 Exfiltration via Audio Capture

A subject captures sensitive information by recording audio using an external device, most commonly a personal mobile phone or wearable device. This typically involves recording conversations, meetings, phone calls, or ambient discussions where sensitive information is disclosed verbally.

Unlike visual capture techniques, audio capture does not require direct interaction with systems or documents. It enables the subject to collect information passively, often without needing to position a device toward a specific target. As a result, this method can be sustained over longer periods with reduced risk of detection, particularly in collaborative or discussion-heavy environments.

This technique operates entirely outside corporate monitoring controls, bypassing endpoint telemetry, data loss prevention (DLP), and access logging. It is particularly effective in environments where sensitive information is frequently communicated verbally, including meetings, support operations, incident response discussions, executive briefings, and informal conversations between colleagues.

Audio capture is often deliberate, as it requires forethought to record and later process the information. However, it may also be opportunistic, especially where subjects are routinely exposed to sensitive discussions. The presence of this behavior may indicate an intent to capture information that is not otherwise accessible in written or exportable form.

IF011.002 Intentionally Weakening Physical Security Controls For a Third Party

The subject intentionally weakens or bypasses physical security controls for a third party, such as allowing them to piggyback into a secure area, leaving a door unlocked for them, or providing them with a security pass.

IF002.005 Exfiltration via Physical Documents

A subject transports physical documents outside of the control of the organization.

ME021.003 Physical Access Credentials

Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used.

IF015.004 Theft of Non-Digital Assets

A subject steals non-digital assets, such as physical documents, belonging to an organization.

IF015.003 Theft of Other Digital Assets

A subject steals other digital assets, such as monitors, hard drives, or peripherals, belonging to an organization.

IF015.002 Theft of a Corporate Mobile Phone

A subject steals a corporate mobile phone belonging to an organization.

IF015.001 Theft of a Corporate Laptop

A subject steals a corporate laptop belonging to an organization.

IF002.008 Exfiltration via USB to Mobile Device

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

IF002.009 Exfiltration via Disk Media

A subject exfiltrates data using writeable disk media.

ME024.004 Access to Physical Hardware

Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.

Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.

With this type of access, a subject can:

  • Extract or clone drives and media for offline analysis or exfiltration of sensitive data, including proprietary documents, logs, authentication secrets, and configuration files.
  • Introduce malicious hardware or firmware, such as USB-based keyloggers, hardware implants, or modified components that persist beyond reboots and may evade traditional endpoint protections.
  • Bypass access controls by booting from external media, altering BIOS or UEFI settings, or resetting system passwords using direct hardware manipulation.
  • Install or modify software directly on the system, enabling surveillance tools, remote access backdoors, or malicious code that blends in with legitimate system processes.
  • Capture network traffic by tapping physical interfaces or inserting intermediary devices such as portable switches, protocol analyzers, or rogue wireless access points.
  • Disable security mechanisms, such as disconnecting monitoring systems, tampering with surveillance equipment, or disabling redundant power and failover systems to induce outages.

In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.

Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets.

ME024.005 Access to Physical Spaces

Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.

Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.

This type of access can be leveraged to:

  • Obtain unattended or discarded sensitive information, such as printouts, notes, or credentials left on desks.
  • Observe operational activity or decision-making, gaining insight into projects, personnel, or internal dynamics.
  • Access unlocked devices or improperly secured terminals, allowing direct system interaction or credential harvesting.
  • Bypass digital controls via physical means, such as tailgating into secure spaces or using misappropriated access cards.
  • Covertly install or remove equipment, such as data exfiltration tools, recording devices, or physical implants.
  • Eavesdrop on confidential conversations, either directly or through concealed recording equipment, enabling the collection of sensitive verbal disclosures, strategic discussions, or authentication procedures.

Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.

Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.

The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints.
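Cross-referencing physical and digital access activity, as the paragraph above recommends, is mechanical once badge and authentication events share a user identifier and a site name. The following is an added example (not from the Insider Threat Matrix) that builds presence intervals from badge-in/badge-out pairs and VPN sessions from start/end events, then raises two kinds of alert: a console logon at a site the account holder never badged into (credential sharing, tailgating, or an unlocked terminal used by someone else), and a badge used on site while its holder has an active remote VPN session (a misappropriated card or impersonation). Both logs are constructed; the site names, users, and the assumption that an unclosed badge-in lasts until the end of the log window are hypothetical.

```python
"""Cross-reference badge (physical) and authentication (digital) events.

Added example, not part of the Insider Threat Matrix. Both logs are
constructed; the site names, users and the end-of-window horizon are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed badge log: "<iso timestamp>,<user>,<site>,<in|out>"
BADGE_LOG = """\
2024-05-31T07:55:00,dave,HQ,in
2024-05-31T08:02:00,alice,HQ,in
2024-05-31T10:15:00,carol,DC,in
2024-05-31T10:40:00,carol,DC,out
2024-05-31T17:10:00,alice,HQ,out
"""

# Constructed authentication log: "<iso timestamp>,<user>,<console|vpn-start|vpn-end>,<site or remote>"
AUTH_LOG = """\
2024-05-31T08:15:00,alice,console,HQ
2024-05-31T08:30:00,dave,console,DC
2024-05-31T09:00:00,carol,vpn-start,remote
2024-05-31T09:30:00,bob,console,HQ
2024-05-31T12:00:00,carol,vpn-end,remote
"""


def _parse(log):
    rows = []
    for line in log.splitlines():
        if line.strip():
            ts, user, a, b = line.split(",")
            rows.append((datetime.fromisoformat(ts), user, a, b))
    return sorted(rows)


def _intervals(events, open_tag, close_tag, horizon):
    """Pair open/close events per key into (start, end) spans. Many badge
    systems have no exit readers, so an unclosed span runs to the horizon."""
    open_at, spans = {}, defaultdict(list)
    for ts, key, tag in events:
        if tag == open_tag:
            open_at[key] = ts
        elif tag == close_tag and key in open_at:
            spans[key].append((open_at.pop(key), ts))
    for key, start in open_at.items():
        spans[key].append((start, horizon))
    return spans


def _inside(ts, spans):
    return any(start <= ts <= end for start, end in spans)


def correlate(badge_log, auth_log):
    """Return alerts where the physical and digital records disagree."""
    badge, auth = _parse(badge_log), _parse(auth_log)
    horizon = max(row[0] for row in badge + auth)
    # presence[(user, site)] = spans during which the badge says the user was on site
    presence = _intervals([(ts, (user, site), d) for ts, user, site, d in badge], "in", "out", horizon)
    # vpn[user] = spans during which the user was connected remotely
    vpn = _intervals([(ts, user, kind) for ts, user, kind, _ in auth if kind.startswith("vpn-")],
                     "vpn-start", "vpn-end", horizon)

    alerts = []
    # Rule 1: console logon at a site the account holder never badged into.
    for ts, user, kind, site in auth:
        if kind == "console" and not _inside(ts, presence.get((user, site), [])):
            alerts.append({"time": ts.isoformat(), "user": user, "site": site,
                           "rule": "console_logon_without_badge"})
    # Rule 2: badge used on site while its holder is on an active VPN session.
    for ts, user, site, direction in badge:
        if direction == "in" and _inside(ts, vpn.get(user, [])):
            alerts.append({"time": ts.isoformat(), "user": user, "site": site,
                           "rule": "badge_in_during_vpn_session"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, AUTH_LOG):
        print(alert)
```

In the constructed data alice badges into HQ and logs on there, so she is clean; dave is badged into HQ but logs on at a console in the DC; bob logs on at HQ with no badge record at all; and carol's badge opens a DC door while her VPN session is up. Each of these is a prompt to pull the CCTV footage for that door or desk at that timestamp, which is where the video control earns its keep.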

ME025.001 Proximity to Strategic Business Functions

A subject’s placement within critical business units or specialized teams can grant them access to highly sensitive operational data, strategic initiatives, and proprietary information. Roles within departments such as executive leadership, corporate strategy, legal, finance, R&D, supply chain management, and security operations position the subject to interact with confidential communications, forward-looking business plans, and strategic decision-making processes.

Subjects in close proximity to organizational leadership—including C-suite executives, senior directors, or key decision-makers—are uniquely positioned to access sensitive insights, manipulate decision-making, or gather intelligence on high-stakes initiatives. These individuals may be exposed to:

  • Privileged communications such as internal memos, executive briefings, and strategic planning documents that are typically restricted.
  • Pre-decisional data, including merger and acquisition strategies, product development pipelines, and market positioning strategies.
  • Strategic operational plans outlining organizational direction, key resource allocation, and long-term goals.

Having direct or indirect access to leaders facilitates eavesdropping on confidential conversations and provides early awareness of business initiatives. This proximity allows the subject to assess organizational vulnerabilities or identify high-value targets for insider exploitation. Furthermore, the subject may be positioned to:

  • Influence decision-making through the selective manipulation of information presented to decision-makers. This could include distorting risk profiles or promoting particular courses of action that align with their objectives.
  • Shape the outcome of high-value transactions such as mergers, acquisitions, and partnerships by influencing the information executives receive or the strategies they adopt.
  • Alter project and resource prioritization by subtly steering leadership towards certain initiatives, products, or investments.
  • Impact compliance and risk management practices, potentially distorting organizational responses to regulatory requirements or operational risks.

Subjects in such positions hold considerable power to shape business outcomes—both through direct influence over strategic initiatives and by gaining early insights into organizational direction, which can be exploited for personal gain, external manipulation, or other malicious intents.

Additionally, such individuals may become targets for recruitment by external entities seeking to exploit their access to confidential business data or influence over strategic decisions. Their proximity to leadership and critical business functions makes them an ideal conduit for conducting insider threats on behalf of external adversaries.

ME025.002Leadership and Influence Over Direct Reports

A subject with a people management role holds significant influence over their direct reports, which can be leveraged to conduct insider activities. As a leader, the subject is in a unique position to shape team dynamics, direct tasks, and control the flow of information within their team. This authority presents several risks, as the subject may:

 

  • Influence team members to inadvertently or deliberately carry out tasks that contribute to the subject’s insider objectives. For instance, a manager might ask a subordinate to access or move sensitive data under the guise of a legitimate business need or direct them to work on projects that will inadvertently support a malicious agenda.
  • Exert pressure on employees to bypass security protocols, disregard organizational policies, or perform actions that could compromise the organization’s integrity. For example, a manager might encourage their team to take shortcuts in security or compliance checks to meet deadlines or targets.
  • Control access to sensitive information, either by virtue of the manager’s role or through the information shared within their team. A people manager may have direct visibility into highly sensitive internal communications, strategic plans, and confidential projects, which can be leveraged for malicious purposes.
  • Isolate team members or limit their exposure to security training, potentially creating vulnerabilities within the team that could be exploited. By controlling the flow of information or limiting access to security awareness resources, a manager can enable an environment conducive to insider threats.
  • Recruit or hire individuals within their team or external candidates who are susceptible to manipulation or willing to participate in insider activities. A subject in a management role could use their hiring influence to bring in new team members who align with or are manipulated into assisting in the subject's illicit plans, increasing the risk of coordinated insider actions.

In addition to these immediate risks, subjects in people management roles may also have the ability to recruit individuals from their team for insider activities, subtly influencing them to support illicit actions or help cover up their activities. By fostering a sense of loyalty or manipulating interpersonal relationships, the subject may encourage compliance with unethical actions, making it more difficult for others to detect or challenge the behavior.

Given the central role that managers play in shaping team culture and operational practices, the risks posed by a subject in a management position are compounded by their ability to both directly influence the behavior of others and manipulate processes for personal or malicious gain.

PR027.001 Deepfake or Synthetic Identity Use in Hiring

The subject leverages synthetic identity elements, AI-generated visuals, deepfake video, or falsified credentials to obtain employment or contractor status under a false identity. This tactic is commonly used to gain insider access to an organization while avoiding standard background checks, attribution mechanisms, or compliance controls.

Common methods include:

  • Using AI-generated (GAN-based) profile photos that cannot be reverse-image searched.
  • Employing real-time deepfake tools during video interviews to alter facial appearance or impersonate another individual.
  • Substituting a more technically skilled individual to complete a remote hiring assessment or interview under a fabricated identity.
  • Presenting credentials or documentation (e.g., CVs, diplomas, certifications) created using forgery tools or generative AI.

This tactic is particularly dangerous when used to embed individuals in sensitive roles such as DevOps, system administration, SOC analyst, or software engineering, where access to production systems and intellectual property is granted shortly after onboarding.

Example Scenarios:

  • A subject uses a synthetic LinkedIn profile with AI-generated imagery and falsified work history to apply for a remote DevOps role. During the live video interview, they use a deepfake overlay to match their fabricated profile photo.
  • A technically skilled individual conducts a coding interview using a deepfake of another person, allowing a less qualified "puppet" to be hired under false credentials. The qualified subject later assists or directs actions remotely.
  • A malicious actor obtains employment under an assumed identity to infiltrate a target organization on behalf of a third party, using synthetic documents and deepfake liveness checks to pass onboarding.

PR027.003 Physical Impersonation Through Dress, Uniforms, or Appearance

The subject deliberately alters their physical appearance to resemble an authorized individual or category of personnel—such as employees, contractors, vendors, maintenance staff, or delivery personnel—in order to bypass physical security measures and gain access to restricted areas. This tactic relies on exploiting visual trust cues (e.g., uniforms, badges, company branding) and is often used during reconnaissance or access staging phases prior to an insider event.

Common methods include:

  • Wearing uniforms or branded clothing associated with the target organization or a trusted third party.
  • Mimicking attire patterns of specific departments (e.g., IT, facilities, catering).
  • Carrying props such as tools, ID lanyards, or delivery equipment to reinforce the impersonated role.

Example Scenarios:

  • A subject dresses in a facilities maintenance uniform to gain access to server rooms under the pretense of conducting HVAC repairs, with no scheduled work order.
  • An insider recruits an accomplice who dresses as a delivery driver to stage equipment drops and tailgate into a secure loading dock.
  • During an internal staff shift, the subject wears a borrowed lanyard and IT polo shirt to move through restricted floors without being challenged.
  • A former contractor retains high-visibility branded clothing and uses it months later to re-enter a secure building undetected.

PR027.004 Cloning or Forging ID Cards for Physical Access

The subject obtains, clones, fabricates, or otherwise manipulates physical access credentials—such as RFID cards, NFC badges, magnetic stripes, or printed ID cards—to gain unauthorized access to secure areas. This behavior typically occurs during early-stage preparation for insider activity and enables covert physical entry without triggering standard identity-based access controls.

Badge cloning can be performed using low-cost, widely available tools that can read and emulate access credentials. Forged ID cards are often visually convincing and used to bypass casual visual verification by staff or security personnel.

Example Scenarios:

  • A subject uses a Flipper Zero device to clone the 125 kHz RFID signal of a coworker's legacy access badge and uses it after hours to enter the data center undetected.
  • A forged ID badge created with a common card printer and online templates is worn by a co-conspirator to impersonate an IT contractor and access a locked communications room.
  • The subject photographs a single-use QR visitor code from a printed pass and shares it with an external party, who uses it to enter the premises before expiration.
  • A magnetic stripe card is skimmed using a USB swipe reader and rewritten onto a blank hotel-style access card.

IF013.002 Operational Disruption Impacting Customers

The subject deliberately interferes with operational systems in ways that degrade, interrupt, or misroute services relied upon by customers, without relying on file deletion or malware. This includes misconfigurations, service disabling, authentication interference, or intentional introduction of latency, instability, or incorrect outputs. The result is operational degradation that directly or indirectly affects service delivery, availability, or trust.

Unlike File or Data Deletion, this infringement does not depend on erasing data, and unlike Destructive Malware Deployment, it does not rely on malicious payloads or automated damage. The disruption instead stems from direct manipulation of infrastructure, configurations, service states, or user access.

Examples include:

  • Intentionally disabling authentication or API endpoints
  • Modifying DNS, firewall, or routing rules to block legitimate traffic
  • Tampering with load balancers or HA/failover logic
  • Altering service configurations to break dependency chains (e.g. pointing production systems to empty dev databases)
  • Injecting false flags into monitoring or orchestration tools to trigger auto-scaling failures or mis-alerts
  • Enabling excessive logging or computation to induce service latency or memory exhaustion
  • Locking critical service accounts, API keys, or secrets in vault systems

These actions may be motivated by retaliation, concealment, sabotage, or insider coercion, and often occur in environments where the subject has legitimate system access but uses it to destabilize service delivery covertly.

IF037.001 Physical Disconnection of Data or Communications Infrastructure

A subject physically disconnects, removes, loosens, or tampers with data or communications infrastructure to degrade, interrupt, or prevent organizational operations. This may include network cabling, fiber links, patch panel connections, transceivers, telecommunications cabling, console cables, storage interconnects, or monitoring and telemetry data feeds.

IF037.002 Sabotage of Power Infrastructure

A subject physically interrupts, disables, damages, manipulates, or interferes with electrical power systems that support organizational equipment, facilities, or operations. This may include pulling power leads, powering off equipment, switching off rack power distribution units, tripping breakers or isolators, damaging power supply units, tampering with UPS systems, interfering with generators, or damaging electrical distribution equipment.

IF037.003 Physical Damage to IT, Communications, or Operational Equipment

A subject physically damages, destroys, contaminates, obstructs, or degrades organizational equipment to impair availability, integrity, monitoring, safety, or operational capability. This may include damage to switches, routers, servers, firewalls, storage devices, endpoints, mobile devices, telecommunications equipment, racks, ports, connectors, screens, removable media, sensors, or monitoring devices.

IF037.004 Sabotage of Facility Support Systems

A subject physically interferes with non-power facility systems that support organizational operations, safety, security, continuity, or environmental stability. This may include HVAC systems, cooling systems, fire suppression systems, water systems, environmental controls, communications risers, cable ducts, plant-room systems, or facility infrastructure supporting production, warehousing, laboratory, or operational spaces.