> airmon-ng start wlan0 && airodump-ng wlan0mon --band abg
Your buildings talk. Wi-Fi, Bluetooth, Zigbee, Z-Wave, LoRa, DECT, BACnet/IP, proprietary RF — every wireless signal is an attack surface. We listen to all of them, test all of them, and tell you exactly what an attacker could do from your car park.
Modern buildings are saturated with radio frequency emissions. Corporate Wi-Fi carries business traffic. IoT sensors monitor environmental conditions. Building management systems control HVAC, lighting, and access control. Lifts communicate with dispatch controllers. Smart meters report energy consumption. Security cameras stream over wireless links. DECT handsets carry voice calls. Every one of these signals extends beyond the physical walls of your building — and every one of them is potentially visible, interceptable, and exploitable by an attacker positioned within range.
Traditional wireless security assessments focus exclusively on corporate Wi-Fi. That is necessary — but it is not sufficient. A modern building's radio frequency environment encompasses dozens of protocols across multiple frequency bands, spanning both Information Technology (IT) and Operational Technology (OT) systems. An attacker who can intercept or manipulate the BMS controlling your HVAC does not need to touch your Wi-Fi. An attacker who can spoof commands to a lift controller does not need your domain credentials. The convergence of IT and OT in smart buildings has created an attack surface that most organisations have never mapped, let alone tested.
Our Wireless & Spectrum Security service covers the full radio frequency environment — not just Wi-Fi, but every protocol, every device, and every signal that your building emits. We assess corporate wireless networks using the same techniques as real threat actors, analyse the RF spectrum for every emission your facility produces, test the security of IoT and OT devices that communicate wirelessly, and deliver a complete picture of your organisation's exposure to wireless and radio frequency attack.
Most security firms test your Wi-Fi and stop. We bring software-defined radios, spectrum analysers, and protocol-specific tooling to assess every wireless system in your environment — from the 2.4 GHz corporate SSID to the 868 MHz building management sensors to the 1.9 GHz DECT handsets on the finance director's desk.
Our assessment covers every category of wireless system deployed in your environment — across IT and OT, across all frequency bands, and across every protocol that touches the airwaves.
The historic separation between Information Technology and Operational Technology is dissolving. BMS controllers now sit on the IP network. Lift systems report status via API. HVAC sensors feed data to cloud dashboards. This convergence creates efficiency — but it also creates attack paths that cross the IT/OT boundary in both directions.
| Dimension | Traditional IT | Operational Technology |
|---|---|---|
| Primary concern | Confidentiality and integrity of data | Availability and safety of physical processes |
| Typical protocols | TCP/IP, HTTP/S, 802.11 (Wi-Fi), Bluetooth, DNS, LDAP | BACnet, Modbus, LonWorks, KNX, DALI, Zigbee, Z-Wave, proprietary RF |
| Patching cadence | Monthly or quarterly patch cycles are normal | Rarely patched — firmware updates may require physical access and vendor involvement, and carry risk of disrupting physical systems |
| Authentication | Active Directory, MFA, certificate-based auth | Often minimal — default credentials, no authentication, or shared passwords that have not been changed since installation |
| Encryption | TLS everywhere (or should be) | Frequently absent — many OT protocols transmit commands and data in cleartext by design |
| Impact of compromise | Data breach, financial loss, reputational damage | Physical consequences — disabled HVAC in a data centre causes thermal shutdown, manipulated access control enables physical intrusion, compromised safety systems endanger occupants |

The convergence risk: when IT and OT share network infrastructure, even partially, a compromised corporate Wi-Fi credential can become a path to the BMS, and a vulnerable IoT sensor on the corporate VLAN can become a pivot into the lift controller network. Our testing maps these cross-boundary attack paths, which neither a pure IT assessment nor a pure OT assessment would discover.
Our assessment is not limited to Wi-Fi. We carry equipment and expertise to analyse wireless communications across the frequency spectrum relevant to corporate and building environments.
Our wireless and spectrum assessment follows a structured five-phase methodology that progresses from passive listening through active exploitation to post-association testing and reporting. The approach is adapted to your environment — the protocols present, the systems deployed, and the risk profile of your organisation.
We deploy spectrum analysers and software-defined radios across the relevant frequency bands — monitoring passively from outside your premises. We capture every wireless emission: Wi-Fi beacons, Bluetooth advertisements, Zigbee traffic, DECT registrations, BMS telemetry, RF alarm signals, two-way radio transmissions, and any other signal your facility produces. This passive reconnaissance reveals the complete wireless footprint of your building before we transmit a single packet — and it tells us exactly what an attacker would discover by sitting in the car park and listening.
Using passive intelligence, we build a comprehensive map of every wireless system — SSIDs, access point locations, client devices, IoT endpoints, BMS controllers, DECT base stations, and unknown transmissions. We classify each by protocol, frequency, security configuration, and signal coverage beyond the premises. This map becomes the basis for the active testing plan — every system identified is assessed for security weaknesses according to its protocol and role.
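The mapping step above is, in practice, a parsing and classification job over the passive capture. The script below is an added example of that step, written for this page rather than taken from the service's own tooling. It assumes the CSV layout that `airodump-ng -w <prefix> --output-format csv` writes (an access-point table, a blank line, then a station table), and that only the 2.4 GHz and 5 GHz bands were captured, so a channel number maps to one band. The capture embedded in it is constructed, not real.

```python
"""Turn an airodump-ng CSV export into a classified access-point inventory.

Added example for the mapping phase; not this service's own tooling. Assumes
the airodump-ng CSV layout (AP table, blank line, station table) and that no
6 GHz channels were captured, so channel numbers map to bands unambiguously.
"""
import csv
import io

# Constructed sample in the airodump-ng CSV layout (not a real capture).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-03-01 09:00:01, 2024-03-01 09:30:00,  6,  54, WPA2, CCMP, PSK, -48,  310,    0,   0.  0.  0.  0,   8, CorpWiFi, 
00:11:22:33:44:56, 2024-03-01 09:00:02, 2024-03-01 09:30:00, 36, 866, WPA2, CCMP, MGT, -51,  305,    0,   0.  0.  0.  0,  10, Corp-8021X, 
AA:BB:CC:DD:EE:01, 2024-03-01 09:00:05, 2024-03-01 09:30:00, 11,  54, OPN,  ,  , -39,  290,    0,   0.  0.  0.  0,   5, Guest, 
AA:BB:CC:DD:EE:02, 2024-03-01 09:00:07, 2024-03-01 09:30:00,  1,  11, WEP, WEP,  , -70,  120, 4021,   0.  0.  0.  0,   7, BMS-OLD, 
AA:BB:CC:DD:EE:03, 2024-03-01 09:00:09, 2024-03-01 09:30:00, 44, 866, WPA3, CCMP, SAE, -62,  200,    0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2024-03-01 09:02:00, 2024-03-01 09:29:00, -55,   80, 00:11:22:33:44:55, CorpWiFi
DE:AD:BE:EF:00:02, 2024-03-01 09:04:00, 2024-03-01 09:28:00, -67,   12, (not associated), CorpWiFi,HomeNet
"""

RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def split_sections(text):
    """Return (ap_rows, station_rows) as lists of stripped cells from the two CSV tables."""
    ap_rows, station_rows, section = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                      # blank line separating the two tables
        if cells[0] == "BSSID":
            section = "ap"
        elif cells[0] == "Station MAC":
            section = "station"
        elif section == "ap":
            ap_rows.append(cells)
        elif section == "station":
            station_rows.append(cells)
    return ap_rows, station_rows


def band_for_channel(channel):
    """Map an 802.11 channel number to its band (assumes no 6 GHz capture)."""
    try:
        ch = int(channel)
    except ValueError:
        return "unknown"
    if 1 <= ch <= 14:
        return "2.4 GHz"
    if 36 <= ch <= 177:
        return "5 GHz"
    return "unknown"


def rate_security(privacy, auth):
    """Return (rating, reason, follow-up test) for an AP's Privacy/Authentication columns."""
    privacy, auth = privacy.upper(), auth.upper()
    if "OPN" in privacy:
        return "high", "open network; client traffic is unencrypted", "join and test segmentation from the guest segment"
    if "WEP" in privacy:
        return "critical", "WEP; key recoverable from collected IVs", "IV collection and key recovery"
    if "SAE" in auth and "PSK" not in auth:
        return "low", "WPA3-SAE only", "check for a WPA2 transition-mode downgrade"
    if "MGT" in auth:
        return "medium", "802.1X; safe only if clients validate the RADIUS server certificate", "evil twin with a rogue RADIUS server"
    if "PSK" in auth:   # includes WPA2/WPA3 transition mode, which still exposes a PSK handshake
        rating = "medium" if ("WPA2" in privacy or "WPA3" in privacy) else "high"
        return rating, "pre-shared key; handshake or PMKID can be cracked offline", "4-way handshake / PMKID capture"
    return "info", "unrecognised configuration", "manual review"


def build_inventory(text):
    """Classify every AP and list unassociated stations probing for SSIDs (evil twin / KARMA candidates)."""
    ap_rows, station_rows = split_sections(text)
    access_points = []
    for r in ap_rows:
        if len(r) < 14:
            continue                      # truncated row
        rating, reason, test = rate_security(r[5], r[7])
        access_points.append({
            "bssid": r[0], "essid": r[13], "hidden": r[13] == "",
            "channel": r[3], "band": band_for_channel(r[3]),
            "privacy": r[5], "auth": r[7], "power_dbm": r[8],
            "rating": rating, "reason": reason, "next_test": test,
        })
    probing = {}
    for r in station_rows:
        probes = [p for p in r[6:] if p]  # airodump writes probed ESSIDs comma-separated, unquoted
        if len(r) > 5 and r[5] == "(not associated)" and probes:
            probing[r[0]] = probes
    return {"access_points": access_points, "probing_clients": probing}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_CSV)
    for ap in sorted(inv["access_points"], key=lambda a: RATING_ORDER[a["rating"]]):
        print(f'{ap["rating"]:8} {ap["bssid"]} {ap["band"]:8} {(ap["essid"] or "<hidden>"):12} {ap["reason"]}')
    for mac, probes in inv["probing_clients"].items():
        print(f"probing  {mac} looks for {', '.join(probes)}")
```

The rating table is deliberately coarse: it only decides which protocol-specific test each network gets next (handshake capture, rogue RADIUS, IV collection), and an unassociated station probing for a home SSID is the kind of client an evil twin in the car park would catch.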
Targeted testing against every identified system: WPA2 four-way handshake and PMKID capture for offline cracking, WPA3 transition-mode downgrade testing, evil twin attacks against 802.1X Enterprise (a rogue RADIUS server to test whether clients validate the server certificate), rogue access point deployment, Bluetooth device enumeration and pairing exploitation, Zigbee/Z-Wave sniffing and replay attacks, BACnet service discovery and command testing, DECT eavesdropping assessment, and RFID/NFC credential cloning where access control systems are in scope. Each test uses protocol-specific tools and techniques; there is no single scanner that covers this breadth.
Once we have access to a wireless network — whether corporate Wi-Fi, IoT VLAN, guest network, or BMS segment — we test what can be reached from that position. This is where the IT/OT convergence risk becomes tangible: can a compromised Wi-Fi credential reach the BMS network? Can an IoT sensor VLAN route to the corporate LAN? Can BACnet controllers be reached from the guest Wi-Fi? We map every cross-boundary path and test every segmentation control, documenting the complete attack chain from initial wireless access to the most sensitive system reachable.
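The BACnet service discovery named in the active testing phase and the "can BACnet controllers be reached from the guest Wi-Fi?" question above are the same test run from a different position: a Who-Is broadcast that any controller on a reachable segment answers with I-Am, with no authentication in the protocol. The script below is an added example, not this service's own tooling. It assumes standard BACnet/IP on UDP 47808 (BVLC header, NPDU, APDU); the I-Am frames embedded in it are constructed by hand, not captured from a real controller, and the live probe should only be run on a segment where active OT testing has been authorised.

```python
"""BACnet/IP Who-Is probe and I-Am decoder for post-association reachability testing.

Added example, not this service's own tooling. Frame layouts follow the
BACnet/IP encoding (BVLC header, NPDU, APDU) on UDP port 47808. The I-Am
frames below are constructed by hand, not captured from a real controller.
"""
import socket
import struct

BACNET_PORT = 0xBAC0  # 47808


def build_whois(low=None, high=None):
    """Encode an unconfirmed Who-Is request wrapped for global broadcast."""
    apdu = bytes([0x10, 0x08])  # PDU type 1 (unconfirmed request), service choice 8 (Who-Is)
    if low is not None and high is not None:
        # optional device-instance range: context tags 0 and 1, 3-byte unsigned values
        apdu += bytes([0x0B]) + low.to_bytes(3, "big") + bytes([0x1B]) + high.to_bytes(3, "big")
    # NPDU: version 1, control 0x20 (destination present), DNET 0xFFFF (global), DLEN 0, hop count 255
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])
    body = npdu + apdu
    # BVLC: type 0x81, function 0x0B (Original-Broadcast-NPDU), total length including header
    return bytes([0x81, 0x0B]) + struct.pack(">H", 4 + len(body)) + body


def _skip_npdu(frame, off):
    """Return the offset of the APDU, or None if the NPDU header is malformed."""
    if off + 2 > len(frame) or frame[off] != 0x01:
        return None
    control = frame[off + 1]
    off += 2
    if control & 0x20:            # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        off += 3 + frame[off + 2]
    if control & 0x08:            # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        off += 3 + frame[off + 2]
    if control & 0x20:            # hop count follows the source specifier
        off += 1
    return off if off <= len(frame) else None


def _read_app_tag(apdu, pos):
    """Decode one application-tagged value: (tag number, value bytes, next position)."""
    tag = apdu[pos]
    if tag & 0x08:
        raise ValueError("context tag where an application tag was expected")
    number, length = tag >> 4, tag & 0x07
    pos += 1
    if length == 5:               # extended length lives in the next byte
        length = apdu[pos]
        pos += 1
    return number, apdu[pos:pos + length], pos + length


def parse_iam(frame):
    """Decode an I-Am frame; returns the device's identity, or None for anything else."""
    try:
        if len(frame) < 4 or frame[0] != 0x81 or struct.unpack(">H", frame[2:4])[0] != len(frame):
            return None
        # Forwarded-NPDU (0x04, relayed by a BBMD) carries the originating IP:port before the NPDU
        off = _skip_npdu(frame, 10 if frame[1] == 0x04 else 4)
        if off is None:
            return None
        apdu = frame[off:]
        if len(apdu) < 2 or (apdu[0] >> 4) != 0x01 or apdu[1] != 0x00:
            return None           # not an unconfirmed I-Am
        number, oid, pos = _read_app_tag(apdu, 2)        # tag 12: BACnetObjectIdentifier
        if number != 12 or len(oid) != 4:
            return None
        oid = int.from_bytes(oid, "big")
        _, max_apdu, pos = _read_app_tag(apdu, pos)      # unsigned: max APDU length accepted
        _, seg, pos = _read_app_tag(apdu, pos)           # enumerated: segmentation supported
        _, vendor, pos = _read_app_tag(apdu, pos)        # unsigned: vendor id
        return {
            "object_type": oid >> 22,                    # 8 == device
            "device_instance": oid & 0x3FFFFF,
            "max_apdu": int.from_bytes(max_apdu, "big"),
            "segmentation": seg[0],                      # 3 == no segmentation
            "vendor_id": int.from_bytes(vendor, "big"),
        }
    except (IndexError, ValueError):
        return None


# Constructed I-Am: device instance 1, max APDU 1476, no segmentation, vendor id 15.
SAMPLE_IAM = bytes.fromhex("810b0018" "0120ffff00ff" "1000" "c402000001" "2205c4" "9103" "210f")


def discover(broadcast="255.255.255.255", timeout=3.0):
    """Broadcast Who-Is from the segment we are attached to and collect I-Am replies.

    Needs a live network. Any reply proves the segment routes to a BACnet controller."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", BACNET_PORT))     # devices answer to 47808, frequently as a broadcast
        sock.settimeout(timeout)
        sock.sendto(build_whois(), (broadcast, BACNET_PORT))
        try:
            while True:
                data, (ip, _) = sock.recvfrom(1500)
                info = parse_iam(data)
                if info:
                    found[ip] = info
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    for ip, info in discover().items():
        print(f'{ip}: device {info["device_instance"]} vendor {info["vendor_id"]} max-APDU {info["max_apdu"]}')
```

Run from a guest-Wi-Fi address with a subnet broadcast (or the BMS BBMD's address) as `broadcast`: a populated result is the segmentation finding, and the decoded device instance and vendor id are what the report cites. The parser accepts I-Am frames with and without the NPDU destination specifier and frames relayed by a BBMD, which is how replies from a routed BACnet network usually arrive.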
You receive a full RF environment map, a complete catalogue of every wireless system identified (including any rogue or unknown transmissions), detailed findings for every vulnerability discovered across every protocol tested, evidence of exploitation (captured credentials, intercepted communications, accessed systems), cross-boundary attack path documentation, a signal leakage assessment showing where your wireless emissions are detectable beyond your premises, and a prioritised remediation roadmap covering both IT and OT recommendations. We debrief in person — walking through findings with both your IT security team and your facilities/building management team, because the remediation crosses both domains.
The following represents the categories of findings we routinely discover during wireless and spectrum assessments. These are not theoretical — they are issues we encounter regularly across sectors and building types.
Wireless and spectrum testing requires specialist hardware that goes far beyond a laptop with a Wi-Fi adapter. Our assessors deploy with protocol-specific equipment covering every system in your environment.
| Equipment Category | What It Does |
|---|---|
| Wi-Fi Assessment Adapters | Monitor mode and packet injection capable adapters (Alfa AWUS036ACH, AWUS036ACSM) for passive capture, handshake interception, evil twin deployment, and client-side attacks across 2.4 GHz and 5 GHz bands. |
| Software-Defined Radios | HackRF One, RTL-SDR, USRP. Between them these cover roughly 1 MHz to 6 GHz (an RTL-SDR alone only reaches about 1.7 GHz; the HackRF One covers 1 MHz to 6 GHz and can also transmit) for spectrum analysis, DECT interception, Zigbee/Z-Wave capture, PMR monitoring, pager decoding, and identification of unknown RF emissions. |
| Spectrum Analysers | Dedicated RF spectrum analysis for visualising the complete electromagnetic environment, identifying interference, locating rogue transmitters, and measuring signal leakage beyond the premises. |
| Bluetooth & BLE Tooling | Ubertooth One for BLE sniffing and Bluetooth Classic piconet discovery (LAP/UAP recovery), BLE dongles for advertisement scanning, GATT enumeration, and characteristic manipulation of smart building devices, locks, and beacons. |
| Zigbee & Z-Wave Sniffers | ApiMote, RZUSBstick, and Z-Wave dongles for packet capture, network key extraction, replay attacks, and security analysis of building automation sensors and actuators. |
| RFID & NFC Equipment | Proxmark3 for low-frequency and high-frequency access card analysis — reading, cloning, and emulating credentials for HID Prox, iCLASS, MIFARE, DESFire, and other access control technologies. |
| Directional Antennas | Yagi and parabolic directional antennas for extended-range Wi-Fi assessment, signal strength mapping, and determining the effective attack range of your wireless infrastructure from external positions. |
Every engagement produces a comprehensive output covering both the IT and OT wireless environment.
| Deliverable | Detail |
|---|---|
| RF environment map | A complete catalogue of every wireless system detected — SSIDs, BLE devices, Zigbee networks, DECT base stations, BMS controllers, and all other RF emissions. Includes signal coverage mapping showing where each system is detectable beyond your premises. |
| Executive summary | A board-ready overview of your wireless and spectrum security posture, key risks, and strategic recommendations — written for leadership, not engineers. |
| Technical report | Every finding documented with severity rating, attack narrative, evidence, affected systems, and protocol-specific remediation guidance covering both IT and OT recommendations. |
| Cross-boundary attack paths | Documentation of every attack chain that crosses IT/OT boundaries — showing how a Wi-Fi compromise reaches BMS, how an IoT VLAN routes to the corporate LAN, or how a guest network connects to the lift controller. |
| Signal leakage assessment | A report detailing which wireless signals are detectable from outside your premises, at what range, and what intelligence an attacker could gather from each — informing decisions about signal management and physical positioning of wireless infrastructure. |
| Remediation tracker | A structured spreadsheet of all findings with severity, status, owner (IT or facilities/OT), and deadline columns — ready for your project management workflow. |
| Joint IT/OT debrief | A walkthrough session with both your IT security team and your facilities/building management team. Wireless and OT findings require collaboration across these teams for effective remediation — we facilitate that conversation. |
| Free retest | Once remediation is complete, we return to retest every finding — included in the engagement price — and issue an updated report confirming closure. |
A standard Wi-Fi penetration test assesses your corporate wireless networks — SSIDs, authentication, segmentation. Our Wireless & Spectrum Security service includes all of that, plus full radio frequency spectrum analysis covering every wireless protocol and device in your environment: IoT sensors, building management systems, HVAC controllers, lift systems, DECT phones, access control, two-way radios, and any other system communicating over the airwaves. It is the difference between testing one protocol and testing every protocol.
We take extreme care with operational technology. OT testing is conducted under strict rules of engagement agreed with both your IT and facilities teams. For safety-critical systems like lifts and HVAC, we focus on passive analysis and non-destructive testing — identifying vulnerabilities without triggering state changes. Where active testing of BMS or control systems is authorised, it is conducted during agreed maintenance windows with building management personnel present. We never compromise system availability without explicit written consent.
The external phase of the assessment is conducted from outside your premises — from the car park, the pavement, neighbouring areas within radio range. This demonstrates what an attacker could achieve without ever entering the building. We then conduct an internal phase from within the premises to test segmentation, post-association access, and systems that are not detectable from outside. Both phases are essential for a complete assessment.
It depends on the scope. A single-building assessment covering Wi-Fi, IoT, and BMS typically takes 5–10 days. A multi-site campus or a complex environment with extensive OT infrastructure may take longer. The passive RF reconnaissance phase runs for at least 24–48 hours to capture the full operational cycle of the building — systems that are active during business hours, overnight, and at weekends. We provide a clear timeline during scoping.
This is one of the few assessments that genuinely requires collaboration between IT and facilities/building management. Your IT security team understands the corporate wireless and network infrastructure. Your facilities team understands the BMS, HVAC, lifts, and building control systems. Both need to be involved in scoping, available during testing for escalation, and present at the debrief — because the findings and remediation will span both domains.
Absolutely — and it is often most effective when combined. A wireless and spectrum assessment paired with an internal network penetration test demonstrates the complete attack chain from wireless access to domain compromise. Combined with an airspace security assessment, it covers the full three-dimensional attack surface — ground and aerial. We scope combined engagements to maximise coverage and minimise duplication.
Every wireless signal is a potential attack path. Every protocol is a potential weakness. We test all of them — from the corporate Wi-Fi to the BMS to the frequency bands you didn't know your building was using.