Banner background texture

Case Study - Legally penetrating a bank

White curve graphic
Wednesday 29th January, 2020 | Author: Simon Henson [Member (F1809)] | Filed under: Case studies


In a week towards the end of 2019 my company’s Corporate Investigation Team were run off their feet! The start of the week saw one of our long-standing clients instruct our London Penetration Testers to attempt to physically penetrate a bank, yes you read that right, a bank!

Near the end of the week we were requested to provide a 20 strong surveillance team in London to monitor and record the movement of multiple subjects, yes you read that right too, a 20 strong surveillance team! This was on top of the day to day operational surveillance and process serving demands.

Our London based penetration testing teams are regularly tasked with planning and physically penetrating sensitive corporate buildings in the city; however, this is the first time we’ve been requested to orchestrate an attack on a financial institution. It almost felt wrong, as if we were planning a bank robbery or the Hatton Garden safe deposit burglary. We had to keep reminding ourselves that the bank had requested this and that we had lawful authority.

Information Gathering

The first phase was the information gathering. This was mainly executed by conducting open source research into the bank’s location, obtaining building interior layouts, clients, staff and any information that could be graded as potentially useful to the penetration.

Vulnerability Analysis

The second phase was the vulnerability analysis stage. This consisted of many hours of static observations monitoring multiple exits, paying attention to the routine comings and goings, deliveries, periods of increased foot fall, methods of entry, identification passes and noting the current security protocols in place. This was a difficult stage, not attracting third party attention, sparking a security alert at the bank or worse still attracting Police attention. Due to the excellent fieldcraft of our expert penetration testers none of the above was experienced.


This is the planning phase which utilised the information gathered in phases 1 and 2. We settled on 2 methods of penetration. 1 was an overt method and the 2nd was covert.

Overt Penetration Method

We decided on a courier delivery. Various names of current employees were identified in phase 1 and we had confirmed that 1 was still working at the bank. We entered the bank via a trade entrance and began to relay our cover story to security personnel. Worryingly, our operative was not asked to provide any identification to support that they were a genuine courier or their name. The operative was signed in, in a false name and given a security fob to access the building unaccompanied. Our “courier” was able to access the desired floor of the bank where there was a reception with a member of staff there. It was not possible to gain any further access without being observed so our operative withdrew after delivering the parcel.

Covert Penetration Method

The covert method was for the penetration tester to get comfortable in the lobby of the bank close to the security barriers during the busy morning rush of staff entering the building. The penetration tester then selected a victim and brazenly timed his run, following an employee through the security barriers, into the lift and through the security-controlled doors to the office. It was a success and we were in! The penetration tester walked around the entire open plan office with purpose completely unchallenged. Some employees even acknowledged him with a “morning”. He then continued to view unattended open computer monitors, whiteboards with sensitive information displayed and other areas of sensitivity before exiting as he entered.

A complete success!!

We provided a full written report outlining our findings and suggested methods to prevent any future unauthorised penetration.

20 Strong London Surveillance Operation

Teams of 4-5 operatives are common in London, but a team of 20 is unheard of in the commercial sector. 20 or more operatives is not unusual for government surveillance teams who have the potential budget for a 5 strong operations room disseminating intelligence, 2 motorcycles, 10 vehicles and someone maintaining the surveillance log. In the commercial market the purse strings are shorter, so every operative must work much harder as there is no capacity for “passengers”.

The main concerns that we had to address during the planning phase of this operation were;

The footprint of the team

20 operatives all in the same place with multiple subjects exiting the same building


Due to my company delivering training courses we have in excess of 20 radio terminals. The issue was multiple subjects and only having 4 operational channels.

The trigger

We needed to separate into 8 individual teams with each team being allocated a different subject. The issue here was that there would be 8 operatives individually identifying their subject and triggering them away to their respective team. That’s 8 operatives who would most likely all choose the same covert trigger position. This would make it not so covert!

Not knowing modes of transport

Each subject would leave by an unknown means. This could be by chauffeur, taxi, underground, bus, personal vehicle parked elsewhere or on foot.


With so many operatives on the ground it could be easy for operatives to resort to thinking “someone else will do that” leading to basic and essential elements of control being lost.

Mobile follow

In London surveillance motorcyclists and cabbies are essential to maintain control. Trying to facilitate the required number on the same days in the same place would be challenging.

Due to the sensitivity of the task I can’t reveal any more details, other than that the planning phase ironed out all potential areas of difficulty and the 3-day deployment was a complete success.

Article submitted by Simon Henson – Full Member F1809 of Titan Private Investigation
See here for further info: or contact on