
Episode 19  •  May 29, 2026  •  46 Min

Custom Payload Evasion, Chained Network-to-Physical Breach, and Satellite Hacking

When the Attacker Already Knows the Building

This week's episode is different. No headlines, no CVEs — just Bishop Fox Red Teamers: Brandon Kovacs, Leron Gray, Thomas Wilson, and Rob Antonucci, talking through what it actually looks like to operate at the intersection of AI, custom tooling, physical access, and adversary emulation.

AI is a force multiplier only if you already know what you're doing. The team was blunt: red teamers who aren't using AI to accelerate tool development are falling behind — not just in speed, but in the quality of coverage they're giving clients. The qualifier matters though. The value isn't in generating code blindly; it's in having a requirements document in your head and using AI to close the gap between knowing what you need and having the dev time to build it. Handcrafted artisanal code, as Leron put it, still beats slop — but now you can iterate toward it faster. The team also flagged a practical edge: vendor detection signatures are largely public, and AI knows them. You can now build tooling that avoids known patterns by design, not by luck.

Off-the-shelf tools get caught. Custom payloads don't. The era of downloading certify.exe and running it is over for real engagements. Rob walked through a project where the team had a clear domain admin path and couldn't execute it — because nothing they had would get past SentinelOne. That failure pushed Rob toward years of payload development work. The lesson the team drew wasn't defensive; it was about what that ceiling means for attackers: the floor for getting caught is rising, which means the operators worth worrying about are the ones who've already solved this problem before they show up.

Chaining network and physical is what a real nation-state looks like. The most technically impressive story from the session was an engagement for a high-profile energy-sector client where the team ran a full assume-breach-to-physical chain. They found a file share with home-encrypted credentials — key stored next to the ciphertext — cracked them, got to domain admin, pivoted to the physical access control servers, cracked the application hashes, and created fake employee records with photos, names, and door access. Brandon then walked into the building with a badge they'd minted, with an operator 3,000 miles away unlocking doors in real time from the compromised ACS. The real unlock: the SOC re-enabled the one payload S1 caught because the filename looked like a legitimate SQL DLL. Human review, human error, engagement survives.

Social engineering scales because humans haven't changed. AI now removes the language barrier from phishing entirely — not just translation, but naturalistic register, which is the thing that used to give foreign-origin attacks away. Thomas delivered a stack of pizzas to a New York skyscraper, bribed the lobby guard with a slice, and photographed the ethernet ports and desk layout while the internal contact went to get him a pen. The social engineering thread throughout the episode wasn't about tricks — it was about the consistency of human behavior under social pressure. People let the pizza guy in. People re-enable flagged payloads when the filename looks right. The technical controls aren't where the story ends.

Critical infrastructure is on the public internet and almost nobody has tested it. The team closed on a thread that ran through several stories: satellites accessible via public URLs, gas station fuel systems with no authentication, train control dashboards reachable from the open internet. Rob mentioned a recent engagement where they accessed a system that controlled currently-orbiting satellites — and the client's response was essentially: great finding, please stop immediately. Thomas pointed to the gap that these systems have been running for decades on protocols that predate modern security thinking — and most have never seen a pen tester.

The takeaway. The biggest breaches don't necessarily come from zero days. They come from the pizza guy, the re-enabled payload, and the satellite that's been on the internet since 2009.


Brandon Kovacs

Senior Security Consultant

Brandon Kovacs (CRT, OSCP) is a Senior Security Consultant at Bishop Fox, where he specializes in red teaming, network penetration testing, and physical penetration testing. As a red team operator, he is adept at identifying critical attack chains that an external attacker could use to fully compromise organizations and reach high-value targets.

To support physical and external testing, Brandon has built the 2023 edition of Bishop Fox’s Tastic RFID Thief to include Wi-Fi and remote control, allowing for more effective capture of RFID badges from a few feet away. He actively performs research and development into artificial intelligence for use in offensive security engagements.

Brandon is also recognized as a deepfake expert, conducting speaking sessions and live demonstrations at several global security and technology conferences. His research focuses on using AI and high-quality deepfakes to perform social engineering.


Leron Gray

Senior Security Consultant - Red Team

Leron Gray is a Senior Security Consultant II on Bishop Fox's Red Team. He previously worked at Microsoft on the Azure Red Team and as a Cryptologic Technician (Networks) for the U.S. Navy.

Leron holds a Master's in Cyber Defense from Dakota State University and is a PhD candidate in Cyber Operations. He has a graduate certification in penetration testing and ethical hacking from SANS Technology Institute.


Thomas Wilson

Senior Red Team Operator

Thomas Wilson is a senior red team operator at Bishop Fox and a musician. From IDEs to DAWs, he is as at home on his own computer as he is on someone else's. You can usually find him at the local card shop slinging spells, up on stage blasting tunes, or with his eyes glued to his monitor for hours at a time (thank goodness for blue light filtering lenses).

