Date: 2026-01-06

Katie Barnett, Director of Cyber Security, and Gavin Wilson, Director of Physical Security and Risk, at the London-based consultancy Toro Solutions, discuss how modern threat actors really operate. Long before anything is breached, triggered or compromised, a different kind of moment takes place. One that most people never see and rarely think about.

Converged attack pathway

A decision is made. An attacker, whether financially motivated, politically driven, ideologically aligned, or simply opportunistic, will first weigh the potential reward against the risk to themselves. They consider what might be gained, how difficult success could be, and how likely it is that they will be identified, detected, recorded, or caught. This assessment might take minutes, or it could take months, and if, at that point, the risk feels too high, the target is quietly crossed off the list.

Worth pursuing

That reality is often overlooked. Many attacks never happen, not because an organisation is unhackable, but because that organisation appears too well prepared, too alert, or simply too difficult to be worth the effort. After deciding a target is worth pursuing, the attacker does not rush in. Instead, they start to build a picture of the organisation and of who in it might be easiest to exploit, identifying individuals who appear most vulnerable, most exposed, or most likely to open a door, share information, or unknowingly provide access. This is where the concept of converged security truly matters. Modern attackers don’t see ‘cyber’ and ‘physical’ as separate problems. They see one connected environment made up of people, systems, buildings, processes, supply chains, routines and behaviours. To them, every part of that environment is a potential entry point, and almost without exception they will follow the path of least resistance.

Hostile reconnaissance

If network controls present an obstacle, the focus may shift to people. If staff awareness is strong, weaknesses in physical access become more attractive. When buildings are secure, attention often turns to a contractor, a third-party supplier, or a remote worker operating outside the usual safeguards. The approach is fluid, constantly changing in response to what is encountered. Once potential targets have been identified, the attacker moves into hostile reconnaissance. This is the phase of quiet observation, gathering as much information as possible without being seen. Digitally, they study websites, job advertisements, social media, and publicly available documents to understand structure, technology, culture, and routines. Email formats may be analysed, systems mapped, and online interactions observed. At the same time, physical reconnaissance may already be underway. Sites are visited. Entry points, patrol patterns, badge usage, deliveries, smoking areas, and everyday staff habits are watched and recorded. Doors are tested and visitor responses are measured.

Confident to proceed

The goal is simple: to remove uncertainty and increase the likelihood of success. This continues until the attacker is confident enough to proceed, or until they decide the risk still isn’t worth it. Ironically, this is also the stage where they can become more visible. Poor surveillance, repeated probing or behaviour that feels slightly ‘off’ can be noticed by an alert individual or an effective monitoring process, and the longer an attacker spends trying to reduce their own risk, the more opportunity there is to expose them. When reconnaissance is successful, subtle probing begins.

These interactions are meant to look normal. Forgettable, even. A believable email, a phone call posing as IT, a casual tailgate through a secure door, an unchallenged walk through an office. None of it is random; each action is a test, intended to answer a few key questions.

Will anyone notice? Will anyone challenge me? Do the controls actually work in practice, or only on paper? If those tests are met with silence, confusion, or compliance, the gap has been found. From that point on, the actual breach can feel alarming in how uneventful it is.

And now stay in

In a converged security environment, access rarely comes from one dramatic moment. A physical intrusion might lead to a device being connected to the network. A misplaced or stolen access card might allow repeated entry. A single compromised password may open far more than it should. Very often, there is no obvious “break-in” at all. The attacker simply walks through a door that should never have been open to them. With access gained, the focus shifts to persistence. The aim is no longer just to get in, but to stay in, quietly and undetected, for as long as possible. New accounts may be created, privileges escalated, credentials copied, internal systems and behaviours mapped in detail. A small weakness is slowly transformed into a position of real control.

What’s overlooked

By the time the organisation realises something is wrong, much of the damage has usually already been done. Data may have been extracted, systems compromised or intellectual property stolen and sold. Customers, partners, and regulators may already be involved. The discovery feels sudden, but in truth the attack has been developing carefully over time. This is what tends to get overlooked: an attack does not begin with a breach. It begins with quiet observation, with decisions made in the background, with gradual research, small tests and minor failures that are often dismissed, normalised or never connected at all.

More connected

Traditional security models are fragmented by design. Cyber sits with one team, physical security with another, and responsibility for people, suppliers and behaviour is spread across several more. Those divisions make operational sense, but they also create the gaps that adversaries learn to move through. The attacker does not see departments or reporting lines. They only see opportunity. A more connected approach to security does not require eliminating specialist roles or merging functions into one. It requires visibility across domains, communication between teams and an understanding that risk rarely sits neatly in a single category. What looks insignificant in isolation can take on a different meaning when viewed in context. In practice, the goal is not perfect protection. That does not exist. The goal is to reduce exposure, limit opportunity and improve the chances of early detection. Many attacks cannot be prevented entirely, but they can be made harder to execute, more likely to be noticed, and less likely to succeed. And in most cases, that is what determines the outcome.

Photo by Mark Rowe.