
Proximity Threat Management: A Complete Framework for Physical Attack Surface Security

Every enterprise invests heavily in digital perimeter defence: firewalls, endpoint detection, zero-trust network architectures. Yet the most consequential security breaches often begin not with a packet traversing a wire, but with a human being standing in the wrong place at the wrong time. A contractor photographs a whiteboard in an unlocked meeting room. A cleaning operative discovers a master keycard in a desk drawer. A state-sponsored operative aims a laser interferometer at a boardroom window during a merger discussion. These are proximity threats, and no firewall in existence can stop them.

Proximity Threat Management (PASM) is the discipline SAPP Security co-founder Marko Tuisk developed to close this critical gap. PASM is the practice of identifying, classifying, and neutralising threats that exploit physical closeness to an organisation's people, assets, and technical infrastructure. It sits at the intersection of physical security, counterintelligence, insider threat management, and technical surveillance countermeasures (TSCM), bringing together disciplines that have historically operated in disconnected silos.

Where PASM Operates

Traditional security faces outward. PASM faces inward. Once someone is inside your perimeter, these are the attack surfaces exposed.

Traditional security (faces outward):

  • Firewalls and network perimeters
  • Guards, gates, and fences
  • Endpoint detection (EDR)
  • CCTV and access control

Keeps outsiders out. Does not address what happens once they are inside.

PASM (faces inward): three internal attack surfaces

Real-world examples:

  • Documents and printouts left on desks
  • Master keycards and credentials in unlocked drawers
  • USB ports and exposed network jacks
  • Printers and scanners without authentication
  • Removable media carried through exits

Who exploits these surfaces: employees, contractors, visitors, cleaning staff, social engineers, planted devices.

Exploitation timeline:

  • Immediate: seconds to minutes
  • Persistent: days to years

SAPP Security  |  Marko Tuisk  |  Product & Technical Lead

Where cybersecurity protects the digital attack surface, PASM protects the physical attack surface: the buildings, rooms, devices, documents, and human behaviours that surround sensitive information before it ever reaches a network. This page is a complete guide to the proximity threat landscape, the three-tier attack taxonomy, and the operational framework for implementing PASM across your organisation.

Understanding the Proximity Attack Surface

Traditional enterprise security architecture treats organisations like medieval castles: high digital walls (firewalls, VPNs, encryption) combined with physical gates (badges, turnstiles, CCTV (video surveillance)). This model worked tolerably when sensitive information lived on mainframes behind locked doors. In the modern enterprise, where information flows through open-plan offices, hot-desking environments, co-working spaces, and mobile devices, the castle metaphor has collapsed.

The fundamental problem is directional asymmetry. Perimeter defences face outward. They are engineered to repel external attackers. But once an individual passes through the perimeter, whether as an employee, contractor, visitor, or social engineer, they enter what security professionals call the “soft inside.” Inside this zone, physical proximity to assets confers access that no digital control can revoke. A person standing beside an unattended laptop can read the screen. A person in an open-plan office can overhear a confidential phone call. A person with unsupervised access to a server closet can install a hardware keylogger in under ten seconds.

The proximity attack surface spans three distinct vector categories, each requiring different detection methodologies, risk classifications, and remediation strategies:

  • Behavioural vectors: human actions and omissions that expose sensitive information through proximity, including credential mismanagement, document exposure, and transit media vulnerabilities.
  • Technical infrastructure vectors: exploitation of physical hardware, edge devices, and environmental conditions, including unhardened endpoints, hardware taps, exposed network ports, and line-of-sight information spillage.
  • Advanced espionage vectors: sophisticated intelligence-grade attacks using physics-based side-channels, covert electronic implants, and state-actor tradecraft.

SAPP Security organises these into a three-tier taxonomy that maps directly to risk severity, detection complexity, and remediation cost. Understanding this taxonomy is the foundation of any effective proximity threat management programme.

Three-Tier Attack Taxonomy

Start from the bottom. Most organisations have Tier 1 gaps across every floor.

Tier 3 (Critical): Advanced Espionage Vectors
  Laser interferometry, electronic implants, TEMPEST, state-actor tradecraft
  Detection: Specialist. Cost: High.

Tier 2 (High): Technical Edge-Device Vectors
  Unhardened printers, USB keyloggers, exposed network ports, screen visibility
  Detection: Technical. Cost: Medium.

Tier 1 (Common): Behavioural and Asset Oversight
  Credential dispersal, hard-copy exposure, orphaned transit media, clean-desk failures
  Detection: Observational. Cost: Low.

Where to start: Tier 1 covers the most common gaps and delivers the highest return on investment with the lowest cost. Most organisations begin here.


The Three-Tier Threat Model

PASM organises threats into three tiers by sophistication and frequency. Most damage comes from the bottom.

Tier 1: Behavioural & Asset Oversight (what people do wrong)
  Low cost to fix
  Credential dispersal, hard-copy exposure, clean-desk failures
  Found in 90% of initial assessments

Tier 2: Technical Edge-Device Vectors (what hardware exposes)
  Medium cost to fix
  Unhardened printers, USB keyloggers, screen visibility
  Found in 70% of assessments

Tier 3: Advanced Espionage Vectors (what specialists deploy)
  Specialist countermeasures
  Laser interferometry, electronic implants, TEMPEST side-channels
  State-actor and competitor threat

Start from Tier 1. The most common gaps deliver the highest return with the lowest investment. Most organisations begin here and work upward.


Tier 1: Behavioural and Asset Oversight, The Critical First Line

Tier 1 threats are the most common and the most frequently underestimated. They require no technical sophistication from the attacker, only physical presence and opportunity. These are threats born from human behaviour: lapses in protocol, failures of habit, and the casual assumption that “nobody would do that here.” In our experience conducting proximity audits across financial services, legal, and technology organisations, Tier 1 vulnerabilities are present in over 90% of sites assessed on the initial visit.

Physical Credential Dispersal

The Observation: Master keycards, building access fobs, server room keys, and safe combinations stored insecurely. Left in unlocked desk drawers, pinned to noticeboards, or shared informally between team members. During one assessment of a Tier 1 financial institution, our team identified a master building access card stored in an unlocked kitchen drawer, accessible to every employee, contractor, and visitor on the floor.

Risk Classification: Critical. Physical credential dispersal creates cascading access failures. A single compromised master credential can grant unrestricted access to server rooms, executive offices, and secure document storage, bypassing every digital access control in the building.

Remediation Approach: Implement tiered credential hierarchies with individual accountability. Replace shared physical credentials with individually assigned access tokens tied to identity management systems. Deploy tamper-evident storage for emergency-access credentials with dual-person integrity controls. Integrate physical credential auditing into the continuous PASM monitoring cycle.

Hard-Copy Ledger Exposure

The Observation: Confidential documents, printed reports, strategy presentations, and financial models left on desks overnight, stacked in open printer trays, or displayed on whiteboards after meetings. Despite the digital transformation narrative, hard-copy documents remain a primary exfiltration vector in proximity attacks. An attacker needs nothing more than a smartphone camera and thirty seconds of unsupervised access to capture pages of sensitive material.

Risk Classification: High. Hard-copy exposure bypasses every form of digital data loss prevention (DLP). The information never traverses a network, never triggers an alert, and never appears in an audit log. From a forensic perspective, the breach is invisible.

Remediation Approach: Enforce clean-desk (clear desk) policies with automated compliance verification. Not annual reminders, but weekly or daily spot-checks scored through the SAPP platform. Deploy secure print-release systems requiring badge authentication at the device. Implement document classification marking and destruction schedules. Whiteboards in sensitive areas should be equipped with privacy screens or housed in rooms with automatic locking.

Orphaned Transit Media Vulnerability

The Observation: Printed documents, USB drives, and portable storage devices carried between locations in unsecured briefcases, backpacks, or vehicle boots. Transit media represents the period when sensitive material is most vulnerable. It has left the controlled environment but has not yet reached its destination. Laptops left in hotel rooms, document bundles carried through public spaces, and USB drives in jacket pockets all constitute orphaned transit media.

Risk Classification: High. Transit media is inherently difficult to control because it exists outside the physical security perimeter. Loss or theft during transit may not be discovered for hours or days, extending the adversary's exploitation window.

Remediation Approach: Establish chain-of-custody protocols for all physical media leaving secure areas. Deploy tamper-evident document pouches and GPS-tracked transit containers for high-value materials. Implement mandatory hardware encryption for all removable storage devices. Train personnel in transit security awareness with specific scenario exercises: hotel room searches, public transport protocols, and vehicle security procedures.


Tier 2: Technical Edge-Device and Hardware Exploitation Vectors

Tier 2 threats exploit the physical hardware and technical infrastructure within an organisation's premises. These attacks require moderate technical knowledge and brief physical access, typically seconds to minutes rather than the sustained access needed for advanced espionage. Tier 2 vectors are particularly dangerous because they often persist undetected: a hardware implant installed in a network port can exfiltrate information for months before discovery.

Unhardened Endpoint Exfiltration

The Observation: Multifunction printers, scanners, and fax machines operating without print-release authentication, internal hard-drive encryption, or audit logging. These devices are full network endpoints with processors, storage, and network interfaces, yet they are routinely deployed with default configurations, factory passwords, and no integration with the organisation's identity management system. A single unhardened printer can store thousands of previously printed documents on its internal hard drive, accessible to anyone with physical access to the device.

Risk Classification: High. Unhardened print/scan devices represent an unmonitored information exfiltration channel. Documents scanned to email, printed without authentication, or stored on unencrypted device storage bypass network DLP entirely. Hard drives removed from decommissioned printers have been shown in forensic studies to contain reconstructable copies of every document ever processed.

Remediation Approach: Enforce badge-release or PIN-release printing across all network-connected output devices. Enable AES-256 encryption on internal storage with automatic overwrite cycles compliant with NIST SP 800-88 (Guidelines for Media Sanitisation). Integrate print devices into SIEM logging for anomaly detection. Include printer and scanner hardening in the quarterly PASM review cycle.

Inline Hardware Taps & Exposed Local Ports

The Observation: Accessible USB ports on workstations, unmonitored Ethernet wall jacks in meeting rooms, and network switches in unlocked comms closets. Hardware keyloggers, commercially available devices smaller than a USB thumb drive, can be installed between a keyboard and a workstation in under five seconds, capturing every keystroke including passwords, emails, and document content. Rogue network devices plugged into exposed Ethernet ports can bridge an air-gapped network to a mobile hotspot, creating an invisible exfiltration channel.

Risk Classification: Critical. Hardware implants operate below the operating system layer and are invisible to software-based security tools. They do not generate network anomalies, trigger EDR alerts, or appear in system logs. Detection requires physical inspection or specialised hardware analysis tools.

Remediation Approach: Implement IEEE 802.1X port-based network access control (NAC) on all Ethernet ports to prevent unauthorised device connections. Deploy USB port blockers or policy-controlled USB whitelisting on all workstations. Conduct regular physical inspection sweeps of cable runs, patch panels, and peripheral connections. Lock all communications closets and server rooms with audited access controls. Map and seal unused network ports in public and semi-public areas.

Line-of-Sight Information Spillage

The Observation: LED and LCD screens displaying sensitive information visible from exterior windows, public corridors, reception areas, and adjacent buildings. Modern high-resolution displays are readable with consumer-grade optics from distances exceeding 100 metres. Trading floor screens, executive dashboards, and project management boards positioned near windows create continuous information spillage that operates entirely outside the digital domain.

Risk Classification: Medium to High, depending on the classification of displayed information and the building's exposure geometry. Financial institutions, law firms, and defence contractors face elevated risk due to the high value of visible information.

Remediation Approach: Conduct line-of-sight surveys from all external vantage points, including adjacent buildings, public spaces, and elevated positions. Deploy privacy filters on screens in exposed positions. Implement architectural countermeasures: switchable privacy glass, automated blinds triggered by occupancy sensors, and screen orientation guidelines. For high-security areas, SAPP Security recommends TEMPEST-grade shielding in accordance with NATO SDIP-27 standards.


Tier 3: Advanced Espionage and State-Actor Threat Vectors

Tier 3 represents the apex of the proximity threat taxonomy: sophisticated, intelligence-grade attacks that exploit physics, electronics, and tradecraft to extract information from ostensibly secure environments. These vectors are associated with state-sponsored actors, organised corporate espionage operations, and advanced persistent threats (APTs) operating in the physical domain. Detection requires specialised equipment, trained operatives, and methodologies drawn from national-security-grade counterintelligence programmes.

Proximity Side-Channel Exploitation

Side-channel attacks exploit unintentional information leakage from physical systems. In the proximity context, these include:

  • Acoustic laser interferometry: a laser beam directed at a window pane detects micro-vibrations caused by speech within the room, enabling reconstruction of conversations from outside the building with no physical intrusion required.
  • Power-line audio injection: audio signals coupled onto building electrical wiring can be received by equipment connected to the same circuit, or conversely, audio can be extracted from power-line noise generated by equipment in the room.
  • Passive electronic surveillance devices: miniaturised bugs, GSM transmitters, Wi-Fi-enabled cameras, and devices disguised as everyday office equipment (power strips, USB chargers, smoke detectors). Modern implants can be as small as a grain of rice and operate for months on internal batteries or parasitic power drawn from nearby electronics.
  • Electromagnetic emanations (TEMPEST): electronic equipment emits electromagnetic radiation that can be intercepted and decoded to reconstruct displayed images, keystrokes, or processed data. TEMPEST attacks have been demonstrated against CRT and LCD monitors, keyboards, and even CPU operations from distances of tens of metres.

SAPP Security's TSCM methodology addresses Tier 3 threats through a combination of physical inspections, radio-frequency (RF) spectrum analysis, non-linear junction detection (NLJD), thermal imaging, and acoustic noise generation. Our operatives are trained to the standards referenced in ICD 705 (Intelligence Community Directive for physical security of Sensitive Compartmented Information Facilities) and employ equipment calibrated to detect emissions below the threshold of commercial-grade RF scanners.

For organisations requiring the highest level of protection, such as boardrooms used for M&A discussions, government SCIFs, and diplomatic facilities, SAPP Security delivers full TSCM sweeps combined with ongoing environmental monitoring, ensuring that the secure space stays clean between scheduled inspections.

Implementing Proximity Threat Management: The Three-Phase Approach

PASM is not a one-time audit. It is an operational discipline that must be embedded into an organisation's security culture and continuously refined. SAPP Security delivers PASM through a structured three-phase engagement model designed to take organisations from initial assessment through to continuous protection.

Phase 01: Initial Proximity Audit (2 – 4 weeks)

Multidisciplinary team assesses all three tiers. Produces risk register, PRMS score, and prioritised remediation plan.

  • Photographic evidence portfolio
  • Vulnerability heat-map by zone
  • Compliance-mapped findings
  • Board-ready executive summary

Phase 02: Platform Onboarding (1 – 2 weeks)

Audit findings digitised into the SAPP platform. Remediation tracking, workspace scoring, and system integrations go live.

  • Live remediation dashboard
  • Clean-desk compliance scoring
  • PACS / VMS / SIEM connectors
  • Credential lifecycle management

Phase 03: Continuous Protection (ongoing)

PASM transitions from project to continuous security function. Scheduled re-assessments, real-time alerts, and annual benchmarking.

  • Quarterly or biannual re-assessments
  • Real-time proximity event alerting
  • Annual PRMS benchmarking report
  • Workforce development programme

Phase 1: Initial Proximity Audit

The engagement begins with a thorough proximity audit that assesses the organisation across all three tiers of the attack taxonomy. SAPP Security deploys a multidisciplinary team combining physical security specialists, TSCM operators, and social engineering experts. The audit produces a detailed risk register, assigns a Proximity Risk Maturity Score (PRMS), and delivers prioritised remediation recommendations mapped to relevant compliance frameworks (ISO 27001, SOC 2, NIST SP 800-53).

Audit deliverables include a photographic evidence portfolio (redacted as appropriate), a heat-map of vulnerability concentrations by physical zone, and an executive summary designed for board-level consumption. Every finding is classified using SAPP's proprietary risk taxonomy: Critical, High, Medium, or Informational, each with clear remediation timelines and cost estimates.

Phase 2: Custom SaaS Onboarding

Following the initial audit, qualifying organisations are onboarded onto the SAPP Security platform, a purpose-built SaaS solution for continuous proximity threat management. The platform digitises the audit findings, tracks remediation progress against agreed timelines, and provides a living dashboard of the organisation's proximity risk posture. Key features include automated clean-desk (clear desk) compliance scoring, physical credential lifecycle management, and integration connectors for existing PACS, VMS, and SIEM systems.

Phase 3: Continuous Ecosystem Integration

Phase 3 transitions PASM from a project-based engagement to a continuous security function. SAPP Security provides scheduled re-assessment cycles (quarterly or biannual), real-time alerting on critical proximity events, and annual PRMS benchmarking reports for regulatory and board reporting. The continuous model ensures that new threats, such as building modifications, personnel changes, and technology deployments, are captured and assessed as they emerge, not discovered during the next annual audit.

Beyond the Framework: Continuous Value and Workforce Development

PASM is not a one-time audit. Once embedded, the framework becomes an ongoing programme that tracks remediation, measures attack surface reduction, and builds cross-functional skills across your physical security, IT, and facilities teams. In several client organisations, PASM adoption has led frontline staff to pursue further professional development in information security, moving from operational roles into advisory ones.

Read more: Continuous Value, Workforce Development, and Incentive Integration

I built PASM because of the times we are heading into. Not every organisation can write and track policies fast enough for what is coming. So we keep it practical, we keep it close to the team, and we make it change with you. Your political situation, your security risks, wherever you are working from. That is what matters.

Marko Tuisk

PASM Framework Creator, SAPP Security

Frequently Asked Questions About Proximity Threat Management

What is Proximity Threat Management?
Proximity Threat Management (PASM) is the discipline of identifying, classifying, and neutralising security threats that exploit physical closeness to an organisation's people, assets, and infrastructure. Unlike traditional cybersecurity, which focuses on digital perimeters, PASM addresses the full spectrum of close-range attack vectors: behavioural lapses such as unattended credentials and hard-copy exposure, edge-device exploitation like unprotected USB ports and unhardened printers, and advanced espionage techniques including acoustic side-channel attacks and covert electronic surveillance. SAPP Security co-founder Marko Tuisk developed the PASM framework to fill the gap between network-layer defences and conventional physical guarding.
How does PASM differ from traditional cybersecurity?
Traditional cybersecurity protects the digital attack surface: firewalls, endpoint detection, intrusion prevention, and encrypted communications. PASM protects the physical attack surface, meaning the spaces, devices, and behaviours that surround your data before it ever reaches a network. A firewall cannot stop a visitor photographing a whiteboard, a cleaning contractor pocketing a USB drive, or a laser microphone aimed at a boardroom window. PASM closes these gaps by combining physical security auditing, technical surveillance countermeasures (TSCM), hardware hardening, and continuous behavioural monitoring into a single risk framework.
What industries need proximity threat management?
Any organisation handling sensitive data benefits from PASM, but it is essential for financial services (trading floors, deal rooms), legal firms (client-privileged communications), government and defence contractors (classified programmes), pharmaceutical and biotech companies (IP-heavy R&D labs), technology firms (pre-release product development), and critical national infrastructure (energy, telecoms, transport). Any sector subject to regulatory frameworks such as SOC 2, ISO 27001, NIST 800-53, or FCA requirements should integrate proximity threat management into its compliance programme.
What is Physical Data Loss Prevention?
Physical Data Loss Prevention (Physical DLP) extends the concept of digital DLP into the tangible environment. Where network DLP monitors data exfiltration via email, cloud uploads, or USB transfers at the software layer, Physical DLP addresses the channels that bypass digital controls entirely: hard-copy documents left on desks or in printers, screen content visible through windows or to shoulder-surfers, master access credentials stored insecurely, and removable media carried through physical egress points. Physical DLP is a core pillar of the PASM framework, combining policy enforcement, environmental design, and technical countermeasures to prevent data loss through proximity-based vectors.
How does the Proximity Risk Maturity Score work?
The Proximity Risk Maturity Score (PRMS) is a proprietary assessment metric developed by SAPP Security that quantifies an organisation's resilience against physical-proximity threats on a scale from Level 1 (Ad-Hoc) to Level 5 (Optimised). The score is derived from a weighted evaluation across multiple domains: physical credential management, hard-copy exposure controls, edge-device hardening, line-of-sight spillage, technical surveillance vulnerability, and insider threat governance. Each domain is scored individually and aggregated into a composite maturity rating. The PRMS provides a repeatable, auditable benchmark that boards and CSOs (CISOs) can track over time and use for regulatory reporting.
What compliance standards does PASM support?
The PASM framework directly supports compliance with ISO 27001 (Annex A physical security controls), SOC 2 Type II (physical and environmental safeguards), NIST SP 800-53 (PE family, Physical and Environmental Protection), ICD 705 (Intelligence Community physical security standards for SCIFs), CPNI guidance (Centre for the Protection of National Infrastructure), and GDPR Article 32 (appropriate technical and organisational measures). SAPP Security maps every finding from a proximity audit to the relevant control frameworks, enabling clients to demonstrate compliance during external audits and regulatory inspections.
How long does a proximity audit take?
A standard proximity audit spans two to four weeks depending on the scope. Week one covers scoping, stakeholder interviews, and documentation review. Weeks two and three involve on-site inspection across all three tiers: behavioural observation, technical hardware assessment, and advanced signal analysis. Week four is dedicated to report generation, risk scoring, and remediation planning. For large multi-site enterprises, SAPP Security can deploy parallel audit teams to complete assessments concurrently. Critical single-site assessments for pre-board-meeting or pre-deal scenarios can be expedited to five working days.
What is the difference between TSCM and PASM?
TSCM (Technical Surveillance Countermeasures) is a subset of PASM focused specifically on detecting and neutralising covert electronic surveillance devices, including audio bugs, hidden cameras, GSM transmitters, and RF implants. PASM is a broader discipline that covers TSCM alongside physical credential management, hard-copy data protection, edge-device hardening, line-of-sight security, insider threat behavioural analysis, and continuous monitoring. Think of TSCM as the advanced espionage detection layer within the wider PASM framework. SAPP Security delivers TSCM as a standalone service and as an integrated component of a full proximity threat management programme.
Can PASM integrate with existing security systems?
Yes. PASM is designed to complement and enhance existing security infrastructure rather than replace it. The SAPP platform integrates with physical access control systems (PACS), visitor management systems, CCTV (video surveillance) and VMS platforms, security information and event management (SIEM) tools, and identity and access management (IAM) solutions. Data from proximity audits feeds into your existing risk register and GRC platform. The goal is to extend your security operations centre's visibility into the physical attack surface, creating a combined view of both digital and proximity-based threats.
How do you handle insider threats in the physical domain?
Insider threat management in the physical domain requires a layered approach that combines environmental controls with behavioural analytics. SAPP Security implements zoned access architectures where sensitive areas require multi-factor physical authentication. We deploy tamper-evident controls on critical hardware, enforce clean-desk (clear desk) policies through automated compliance checks, and implement physical DLP at egress points. On the monitoring side, our platform correlates physical access logs with behavioural baselines to identify anomalous patterns, such as after-hours access to restricted areas, unusual print volumes, or credential sharing, and generates real-time alerts for security operations teams.
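The correlation described in this answer, as an added illustration that is not SAPP platform code: constructed badge-reader and print-server log lines are checked against the three patterns named above (after-hours access to a restricted zone, credential sharing inferred from one badge appearing at two readers faster than anyone could walk, and print volumes far above a per-badge baseline). The log formats, zone names, office hours and thresholds are all assumptions made for the example.

```python
"""Correlate constructed physical-access and print logs against simple baselines.

Added example, not SAPP platform code. Log formats, zone names, office hours
and thresholds are constructed for illustration only.
"""
from datetime import datetime, time

# Constructed badge-reader events: timestamp, badge id, reader id, zone.
ACCESS_LOG = """\
2024-03-04T08:55:10 B1001 R-LOBBY-1 LOBBY
2024-03-04T09:02:41 B1001 R-SRV-2 SERVER_ROOM
2024-03-04T09:03:05 B1001 R-LOBBY-3 LOBBY
2024-03-04T18:40:12 B2002 R-LOBBY-1 LOBBY
2024-03-04T23:15:30 B2002 R-SRV-2 SERVER_ROOM
2024-03-05T10:01:00 B3003 R-DEAL-1 DEAL_ROOM
"""

# Constructed print-server daily totals: date, badge id, pages printed.
PRINT_LOG = """\
2024-03-04 B1001 142
2024-03-04 B2002 18
2024-03-04 B3003 30
"""

# Constructed per-badge baseline of mean daily pages (assumed to come from history).
PRINT_BASELINE = {"B1001": 25.0, "B2002": 20.0, "B3003": 40.0}

RESTRICTED_ZONES = {"SERVER_ROOM", "DEAL_ROOM"}   # assumed zone names
OFFICE_START, OFFICE_END = time(7, 0), time(19, 0)  # assumed office hours
MIN_TRANSIT_SECONDS = 60        # assumed minimum walk time between any two readers
PRINT_MULTIPLIER, PRINT_FLOOR = 3.0, 50  # flag if > 3x baseline and > 50 pages


def parse_access_log(text):
    """Parse 'timestamp badge reader zone' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, zone = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "reader": reader, "zone": zone})
    return sorted(events, key=lambda e: e["ts"])


def detect_after_hours(events):
    """Restricted-zone badge events outside office hours."""
    alerts = []
    for e in events:
        in_hours = OFFICE_START <= e["ts"].time() < OFFICE_END
        if e["zone"] in RESTRICTED_ZONES and not in_hours:
            alerts.append(("AFTER_HOURS", e["badge"], e["zone"], e["ts"].isoformat()))
    return alerts


def detect_badge_reuse(events):
    """Same badge at two different readers faster than a person could move."""
    alerts, last_seen = [], {}
    for e in events:
        prev = last_seen.get(e["badge"])
        if prev and prev["reader"] != e["reader"]:
            gap = int((e["ts"] - prev["ts"]).total_seconds())
            if gap < MIN_TRANSIT_SECONDS:
                alerts.append(("CREDENTIAL_SHARING", e["badge"],
                               f"{prev['reader']}->{e['reader']}", gap))
        last_seen[e["badge"]] = e
    return alerts


def detect_print_anomalies(text, baseline):
    """Daily page counts well above the badge holder's usual volume."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, badge, pages = line.split()
        pages = int(pages)
        if pages > PRINT_FLOOR and pages > PRINT_MULTIPLIER * baseline.get(badge, 0.0):
            alerts.append(("PRINT_VOLUME", badge, day, pages))
    return alerts


def run_all():
    """Run every detector over the constructed logs and return the combined alerts."""
    events = parse_access_log(ACCESS_LOG)
    return (detect_after_hours(events) + detect_badge_reuse(events)
            + detect_print_anomalies(PRINT_LOG, PRINT_BASELINE))


if __name__ == "__main__":
    for alert in run_all():
        print(*alert)
```

Each detector returns alert tuples rather than printing, so the same functions can feed a SIEM connector or a test harness.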

Protect Your Physical Attack Surface

Start Your Proximity Threat Assessment

Discover where your organisation is vulnerable to close-range information theft, insider threats, and advanced surveillance. Request a confidential proximity audit from SAPP Security.