After Physical Access Tests
The test is not over when access ends
Physical access testing can create temporary changes: opened rooms, moved equipment, test accounts, evidence files, device approvals, and security alerts. The work is not complete until those changes are reviewed and cleaned up.
A clean after-action process protects the client and keeps the assessment trustworthy. It also helps defenders understand what happened without guessing.
Start with a timeline
Build a short timeline while the details are fresh. Record arrival, test start, key actions, alerts observed, escalations, and closeout. The timeline does not need every minute. It needs the moments that explain the outcome.
This timeline helps reconcile badge logs, camera events, endpoint alerts, and operator notes.
Confirm what changed
List anything that changed during testing. This can include temporary accounts, device policy exceptions, moved cables, opened panels, lab machines, or dashboard profiles. If nothing changed, say that explicitly.
The confirmation matters because it gives the client confidence that the environment was restored or that remaining changes are known.
Review alerts with defenders
If the engagement included alert validation, review what defenders saw. Did the alert arrive? Was it clear? Was it routed correctly? Did the team understand that it was related to the test window? Did escalation follow the expected path?
This review is often more valuable than the access itself. It shows how the organization responds under real conditions.
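One way to carry out the reconciliation the two sections above describe, as an added example that is not part of the original post: it pairs each recorded test action with defender alerts raised within a matching window (10 minutes here, an assumption to adjust per engagement) and reports expected alerts that never arrived as well as alerts that match no test action. The timeline and alert records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed tester timeline: (time, action, was an alert expected?)
TIMELINE = [
    ("2026-04-16T09:02", "arrival at lobby", False),
    ("2026-04-16T09:15", "lab door opened with test badge", True),
    ("2026-04-16T09:31", "test laptop plugged into lab switch", True),
    ("2026-04-16T09:48", "test account login at kiosk", True),
    ("2026-04-16T10:05", "closeout, equipment restored", False),
]

# Constructed defender records pulled after the test: (time, source, detail)
ALERTS = [
    ("2026-04-16T09:16", "badge", "door open outside schedule, lab east"),
    ("2026-04-16T09:33", "nac", "unknown MAC on lab switch port 12"),
    ("2026-04-16T11:20", "edr", "suspicious script on fin-ws-07"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def reconcile(timeline, alerts, window_minutes=10):
    """Match each test action to alerts raised within window_minutes after it.

    Returns three lists for the closeout note: matched (action, alert) pairs,
    actions that were expected to alert but did not (detection gaps), and
    alerts that match no test action. Unmatched alerts may be unrelated
    activity and should not be written off as test noise.
    """
    window = timedelta(minutes=window_minutes)
    matched, gaps, unexplained = [], [], []
    claimed = set()
    for when, action, expected in timeline:
        t = _ts(when)
        hits = [i for i, (a, _src, _d) in enumerate(alerts)
                if t <= _ts(a) <= t + window]
        for i in hits:
            matched.append((action, alerts[i][2]))
            claimed.add(i)
        if expected and not hits:
            gaps.append(action)
    for i, (_a, src, detail) in enumerate(alerts):
        if i not in claimed:
            unexplained.append((src, detail))
    return matched, gaps, unexplained


if __name__ == "__main__":
    m, g, u = reconcile(TIMELINE, ALERTS)
    print("matched:", m)
    print("gaps:", g)
    print("unexplained:", u)
```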
Remove temporary material
Clean up temporary notes, scripts, screenshots, credentials, and device profiles according to the engagement rules. Archive only approved evidence. Remove client-specific data from reusable templates and shared devices.
Cleanup should be verifiable. A short closeout note saying what was removed and where evidence was stored is enough for many engagements.
Write recommendations by control layer
Physical access findings often span layers. Organize recommendations by control type: facility, endpoint, identity, monitoring, user process, and incident response. That makes ownership clearer and keeps the report from becoming a single long paragraph.
Each recommendation should be specific enough to assign.
Send a concise closeout
The closeout should summarize what was tested, what was observed, what remains open, and where evidence lives. Keep it concise. The full report can come later, but the client should not wait days to know whether anything needs immediate attention.