3 ways to obtain sensitive client data

Network-based tactics. This may include network enumeration, vulnerability scans (both network layer and application layer), and exploitation of vulnerabilities discovered. Social engineering. This may include phone-based phishing, email-based phishing, or even in-person social engineering. Physical intrusion. This may include picking locks, climbing through ceilings, or draping carpet over barbed wire fences and climbing over.

At any point in the red teaming process, any of these tactics can be performed interchangeably, depending on what leads us to our goal in the most effective way.

For example, during an assessment, we may perform network recon of the client's network perimeter and find that it’s locked down. At that point, if the client is permitted on-site assessment techniques, we may pose as a key figure that others typically trust (e.g., mail carriers, a key figure's relative) to gain entry inside the perimeter. With physical access, we would then be able to establish a foothold into the network (perhaps attach a wireless device to their network), from where we would do further recon.