- ID: PR040
- Created: 14th May 2026
- Updated: 14th May 2026
- Contributor: The ITM Team
Testing Security Controls
A subject deliberately performs a limited technical action to determine whether a security control, detection rule, workflow, or investigative process will identify, block, or escalate the behavior. The action may appear minor in isolation, but its purpose is to validate whether a later, more serious infringement can be conducted without detection or consequence.
This behavior is distinct from the Motive ‘Boundary Testing’, which describes the subject’s motive for testing organizational tolerance. ‘Testing Security Controls’ is the preparatory action itself: the subject probes a specific technical or procedural control to assess whether the organization detects, prevents, or responds to the activity.
Testing may involve sending a small file to a personal email account, uploading non-sensitive material to an unapproved cloud service, installing a minor unauthorized tool, accessing a restricted repository, printing a low-value document, using an unapproved browser extension, or attempting to bypass a proxy, DLP, CASB, EDR, or identity control. The subject may then wait to see whether they are contacted by security, management, HR, or another authority, or simply confirm whether the action succeeded.
Successful testing may increase confidence, refine the subject’s method, or identify a viable path for later data exfiltration, unauthorized access, policy circumvention, sabotage, or another infringement.
Investigative Relevance
Testing security controls is often visible through low-volume, low-impact actions that precede more serious activity. The key investigative feature is not the technical action alone, but the pattern of deliberate probing, success validation, delay, and later escalation.
Investigators should assess whether the subject conducted a small-scale action before a larger attempt, repeated similar activity across different channels, or paused after the test to observe whether a response occurred. A delay between the test and later infringement may indicate that the subject was assessing organizational reaction time, alert handling, or enforcement consistency.
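The probe, delay, and escalation pattern described above can be expressed as a simple correlation over outbound-transfer events. The following is an added example, not part of the original entry: the event schema, thresholds, and sample events are constructed assumptions and would need tuning against real DLP, proxy, or mail gateway telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (subject, timestamp, channel, bytes, outcome)
EVENTS = [
    ("u1001", "2026-03-02T09:14:00", "personal_email", 18_000, "allowed"),
    ("u1001", "2026-03-06T17:40:00", "personal_email", 42_000_000, "allowed"),
    ("u1002", "2026-03-03T11:00:00", "cloud_upload", 9_000, "blocked"),
    ("u1002", "2026-03-03T11:20:00", "personal_email", 12_000, "allowed"),
    ("u1002", "2026-03-09T08:05:00", "personal_email", 310_000_000, "allowed"),
    ("u1003", "2026-03-04T10:00:00", "cloud_upload", 25_000_000, "allowed"),
    ("u1003", "2026-03-04T10:30:00", "cloud_upload", 30_000_000, "allowed"),
]

# Assumed thresholds (hypothetical values, not from the original entry)
PROBE_MAX_BYTES = 100_000        # ceiling for a "small" test action
ESCALATION_FACTOR = 100          # later transfer must be this many times larger
MIN_DELAY = timedelta(days=1)    # pause in which the subject watches for a response
MAX_DELAY = timedelta(days=30)   # look-ahead window after the test

def find_probe_escalations(events):
    """Return findings where a small allowed action precedes a much larger one."""
    by_subject = defaultdict(list)
    for subject, ts, channel, size, outcome in events:
        by_subject[subject].append((datetime.fromisoformat(ts), channel, size, outcome))

    findings = []
    for subject, rows in by_subject.items():
        rows.sort()
        probes = [r for r in rows if r[2] <= PROBE_MAX_BYTES]
        # Small actions on several channels suggest the subject is comparing controls.
        probed_channels = sorted({r[1] for r in probes})
        for p_ts, p_chan, p_size, p_outcome in probes:
            if p_outcome != "allowed":
                continue  # a blocked test validated nothing on this channel
            for ts, chan, size, _ in rows:
                delay = ts - p_ts
                if (chan == p_chan and MIN_DELAY <= delay <= MAX_DELAY
                        and size >= p_size * ESCALATION_FACTOR):
                    findings.append({
                        "subject": subject, "channel": chan,
                        "probe_bytes": p_size, "later_bytes": size,
                        "delay_days": delay.days,
                        "channels_probed": probed_channels,
                    })
    return findings

if __name__ == "__main__":
    print(*find_probe_escalations(EVENTS), sep="\n")
```

A finding is a lead for review rather than a conclusion: the same sequence can arise from ordinary work, so it should be read alongside role, access scope, and any response the subject received after the first action.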
Example Scenarios:
- A subject emails a harmless internal document to a personal account and waits several days before attempting to transfer sensitive files.
- A subject uploads a small non-sensitive file to an unapproved cloud storage platform to test whether DLP, proxy, or CASB controls block the upload.
- A subject accesses a repository outside their normal role scope and monitors whether an access review, manager notification, or security alert follows.
- A subject installs an unauthorized browser extension to determine whether browser or endpoint controls detect unapproved extension use.
- A subject compresses, renames, encrypts, or stages a small test file before applying the same method to sensitive data.