Breaking Physical Access Control: Electrical Fundamentals, RFID Credentials, and Hands-On Offense - Red Team Alliance - DCTLV2026

Name of Training: Breaking Physical Access Control: Electrical Fundamentals, RFID Credentials, and Hands-On Offense
Trainer(s): Red Team Alliance
Dates: August 10-11, 2026
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,750 (USD)
Hardware: $670 (optional) - All students in class will be issued and make use of a Proxmark3 RDV4.01 with an array of test RFID credentials and re-writable RFID credentials, an ESPkey and service tools, and our custom RFID Door Simulator and workbench analysis unit.  If you wish to retain this equipment at the end of class, students may opt to pay this additional equipment fee during registration.

Short Summary:

Most security professionals have never received formal training on the physical access control systems they're paid to test. This two-day course fixes that with hands-on labs using real commercial hardware, covering everything from electrical fundamentals and sensor technologies to RFID credential attacks and Wiegand interception.

Course Description:

This two-day intensive combines Red Team Alliance's IDAC 101 (Access Control and Intrusion Detection: Common Concepts and Foundation) and PACS 201 (Physical Access Control Systems: Commercial Platforms and Designs) into a single, hands-on training package. Over two full days of instruction, students will build a comprehensive understanding of how physical security systems work from the ground up, then learn to identify and exploit weaknesses in commercial access control installations. This is the same curriculum used in RTA's professional training program, delivered at DEF CON for the first time as a combined package.

Physical access control is one of the most overlooked and misunderstood areas in security. Organizations spend millions on electronic locks, credentials, and alarm systems, yet the professionals tasked with testing these systems rarely receive formal training on how they actually work. This course changes that. Students will work with real commercial hardware, build circuits on trainer boards, intercept credential data, and clone RFID badges using industry-standard tools including the Proxmark3 RDV4, which is provided to every student during class.

Whether you are a penetration tester looking to expand into physical security, a red team operator building foundational skills, or a security consultant who needs to understand what you are assessing, this two-day program delivers the hands-on experience and conceptual depth that sets RTA training apart from conference talks and YouTube videos.

Course Outline:

#### Day 1: Intrusion Detection and Access Control Foundations (IDAC 101)

#### Low-Voltage Electrical Fundamentals

- Key Electricity Concepts for Physical Security Applications
- Voltage, Current, and Resistance in Low-Voltage Installations
- Power Supplies, Circuits, and Common Wiring Configurations

#### System Architecture: The Shared DNA of PACS and PIDS

- Both Platforms as Embedded Systems: Central Controller Boards Connected to Remote Low-Voltage Devices
- Input Devices, Output Devices, and Programmed Logic
- How Modern PACS Often Functions as a Superset of PIDS Capabilities

#### Sensor Technologies Common to Both Platforms

- Passive Infrared (PIR) Motion Sensors
- Magnetic Reed Switches and Door/Window Contacts
- Hands-On: Working with Common Sensor Components

#### Wiring, Terminations, and Field Installation

- Common Termination Types Encountered in the Field
- How Systems Are Designed, Wired, and Installed
- What Red Teamers Need to Recognize During Reconnaissance

#### Current-Sensing Loops and Supervision

- How Input Devices Use Current-Sensing Loops
- End-of-Line Resistors (EOLR): What They Are, How They Work, How to Identify Them, and Their Limitations
- Supervised vs. Unsupervised Circuits

#### Identifying PACS and PIDS in the Field

- Visual Hallmarks and Characteristics of Installed Systems
- Recognizing System Presence During Physical Assessments

#### Business Drivers and Design Constraints

- Why Physical Security Controls Are Designed the Way They Are
- Cost, Compliance, and Operational Factors That Shape Implementations

---

#### Day 2: Physical Access Control Systems (PACS 201)

#### PACS Architecture and Design Principles

- System Components: Credentials, Readers, Input Devices, Output Devices, Controllers, and Management Software
- Standalone vs. Non-Standalone Readers
- Centralized vs. Decentralized Authentication Architectures
- Review of Commercial Platforms Commonly Found Worldwide

#### Reader-to-Controller Communication

- The Wiegand Protocol: History, How It Works, Modern Usage, and Why It Is Vulnerable
- Wiegand Data Formats
- The Fundamental "Wiegand Problem" in Modern Installations
- Forward-Looking Protocols Such as OSDP, SSCP, and Others

#### Credential Technologies as a Concept

- How RFID Credentials Work: Power Harvesting, Data Transmission, and Reader Interaction
- Card and Technology Data Models
- Low-Frequency vs. High-Frequency Technologies

#### Introduction to the Proxmark3

- Hardware Overview and Setup
- Reading and Identifying Unknown Credentials
- Cloning and Emulation Fundamentals
- Building Your Credential Analysis Workflow

#### Commercial RFID Credential Technologies In-Depth

- Common Commercial Credential Formats and How They Differ
- Reading, Cloning, and Emulation Techniques
- Working with Writable Credentials

#### Wiegand Interception with ESPKey

- How the ESPKey Works
- Installation Points and Techniques
- Capturing and Replaying Credentials

#### Hands-On Labs Throughout

- Building and Testing Circuits on the Trainer Board
- Access Control Wiring and Component Installation
- Working with the RFID Door Simulator
- Credential Reading, Cloning, and Emulation Exercises

Difficulty Level:

Beginner to Intermediate 

Beginner Definition - The student has an interest in the topic presented and general technology knowledge that a power user or undergraduate student may have acquired.

Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

Suggested Prerequisites:

Although this course provides necessary material and context for physical security professionals of all levels, no prior experience with physical security systems is required.

What Students Should Bring: 

Computer with administrative access and permission to install software. Windows 11 is the official platform used in class. Virtual Machines and other operating systems have historically performed inconsistently with the software being used. Laptop should not be running in restricted "S Mode" for Windows.  Other operating systems are permitted, but students should understand that live technical support may not be available for OS-specific issues. Students may install the software on a Linux or MacOS system, as well, but those doing so should ensure that they have ready access to a native Windows 11 machine if it becomes needed.

If a student has their own Proxmark or FlipperZero that is fine, and we're happy to get these devices updated with the latest firmware and modifications, but classroom units of these and other tools and hardware will be available to all students.  If students have RFID credentials which they are particularly interested in exploring, they may also bring those for analysis at the end of class.

What the Trainer Will Provide:

The course price includes several components used throughout both days of instruction. All items are yours to keep for continued practice after class:

- Intrusion Detection and Access Control Trainer Board
- USB-C Power Supply with USB-PD Trigger Cable
- Commercial ANSI Electric Strike
- Commercial Door Position Indicators
- Hook-Up Wire and Field Terminators
- End-of-Line Resistor Variety Pack
- Magnetic Reed Switch with Trigger Magnet
- Mini Breadboard

For an optional hardware fee ($670), students can keep a kit that provides a complete RFID testing platform for continued practice after class. Students will receive access to this equipment during Day 2 of instruction, regardless of purchase:

- Standalone RFID Reader
- RFID Door Simulator
- RFID Testing Credential Pack
- ESPKey Wiegand Field Interception Tool

A Proxmark3 RDV4 will be provided to every student for use during class. Students who wish to purchase a Proxmark3 to keep will have the opportunity to do so.

Trainer(s) Bio:

Babak Javadi is the President and Founder of The CORE Group, and one of the original co-founding Directors of TOOOL, The Open Organisation of Lockpickers. As a keystone member of the security industry, he is well-recognized expert in professional circles hacker community. Babak's expertise extends to a wide range of security disciplines ranging from high security mechanical cylinders to alarm systems & physical access control systems. Over the past fifteen years Babak has presented and provided trainings a wide range of commercial and government agencies, including Black Hat, The SANS Institute, the USMA at West Point, and more.

Bryan Black is a seasoned physical security professional and esteemed assessment specialist with a comprehensive expertise spanning various facets of site security. His areas of specialization encompass video surveillance, intrusion detection/prevention, access control, network infrastructure, and penetration testing. With an illustrious track record of over a decade, he has collaborated closely with local and state law enforcement, federal and intelligence agencies, as well as prominent private sector corporations. Through these partnerships, he has been instrumental in advising clients and businesses on navigating the constantly evolving threat landscape. He is frequently acknowledged for his discerning critique of prevailing installations and practices within the industry. During his leisure hours, he leverages his engineering background and personal maker space to engage in product development. His endeavors encompass the meticulous design and refinement of innovative tools and procedures aimed at optimizing the efficiency and efficacy of both red and blue team engagement protocols.

While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam also sat on the Board of Directors of the US division of TOOOL --The Open Organisation Of Lockpickers -- for 14 years... acting as the the nonprofit's longest-serving Board Member. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a SAVTA certified safe technician, a GSA certified safe and vault inspector, member of the International Association of Investigative Locksmiths, a Life Safety and ADA Consultant, and an NFPA Fire Door Inspector. At multiple annual security conferences Deviant started Lockpick Village workshop areas, and he has conducted physical security training sessions for Black Hat, the SANS Institute, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, Los Alamos National Lab, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.

Course Progression

Completing this two-day training fulfills both the IDAC 101 and PACS 201 prerequisites for Red Team Alliance's in-depth PACS program. After this course, students are prepared to advance to any PACS 21x Regional Course:

- PACS 212: North American Platforms and Credential Technologies
- PACS 213: European Platforms and Credential Technologies
- PACS 214: Australian Platforms and Credential Technologies

Only one regional course is required to progress to the PACS 22x series and beyond. Students interested in the Physical Intrusion Detection Systems (PIDS) track are also prepared to advance to PIDS 200-level coursework.

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.