From Data Breach to Physical Harm: The Rise of “Violence-as-a-Service”

“Violence-as-a-Service” is no longer a plot for a thriller. It’s a documented, growing threat that security leaders must add to their risk models.

CrowdStrike’s 2025 European Threat Landscape report makes this new reality plain. Criminal networks are actively using platforms like Telegram to coordinate and contract real-world physical attacks, including theft, arson, assault, and intimidation, often tied to cryptocurrency extortion.

This isn’t an isolated trend. It’s the ugly but logical extension of the “enterprising adversary” model documented in CrowdStrike’s 2025 Global Threat Report. The cybersecurity landscape has shifted:

  • Attacks are malware-free: In 2024, 79% of observed detections were malware-free. Attackers favor “hands-on-keyboard” techniques that blend in with legitimate activity.
  • Social engineering is booming: Voice phishing (vishing) attacks saw a 442% growth spike between the first and second half of 2024.
  • Access is a commodity: Advertisements from access brokers (criminals who sell footholds into corporate networks) increased by 50% year-over-year.

These trends create a specialized, outsourced economy for cybercrime. When that same market adds the option to hire physical “muscle,” the line between a digital compromise and street-level violence thins to non-existence.

The “No Scope” Fallacy

This shift demands that executives and technical leaders fundamentally rethink what they are protecting.

There’s a story that red teamer Chris Nickerson sometimes tells that perfectly illustrates this. During an engagement, a C-level told his team there was “no scope,” effectively inviting them to do whatever it took. Nickerson’s response was to ask if that meant kidnapping their child from school was on the table.

The room fell silent, and ground rules were quickly established.

The point was intentionally shocking but professionally critical: attackers do not have a scope document. They do not operate with rules of engagement. They will follow impact wherever it leads, and they will exploit human pressure points, not just technical ones.

We, as penetration testers, have ethical and legal limits. Our adversaries do not. When you sign a pentest agreement, you are choosing limits. Your leadership must understand that the real-world risk surface does not respect those limits. The data you treat as “merely sensitive” can become a trigger for intimidation or physical harm.

Practical Steps for Security Leaders

Your asset protection plan must now include physical risk. Your incident response plan can no longer stop at containment and remediation.

Here are practical steps every security leader should consider.

1. Expand Your Threat Model to Include Physical Outcomes

When mapping high-value digital assets, ask new questions. Don’t just ask, “Who loses money if this is exposed?” Ask, “Who might be threatened, targeted, or harmed?” Employee home addresses, executive travel calendars, and customer PII are no longer just compliance items. They are potential leverage for physical coercion.

2. Harden the Human Layer, Especially the Help Desk

The path to compromise often starts with a person. CrowdStrike highlights the increasing adoption of help desk social engineering, where attackers call IT support, impersonate an employee, and try to get a password or MFA reset. This is a cheap, effective precursor to a major breach. Strengthen identity verification, train staff on vishing and social engineering tactics, and log and monitor help desk activities for anomalies.
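One way to monitor help desk activity for the reset pattern described above, as an added example that is not from CrowdStrike or from the original post. The log format, field names, 30-minute window, and the three rules are assumptions chosen for illustration, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample help desk log (hypothetical format and field names).
SAMPLE_LOG = """\
2025-03-03T09:12:00 agent=kim channel=portal action=password_reset account=jdoe caller=- verified=sso
2025-03-03T14:05:00 agent=lee channel=phone action=mfa_reset account=cfo caller=+15550100 verified=none
2025-03-03T14:09:00 agent=lee channel=phone action=password_reset account=cfo caller=+15550100 verified=none
2025-03-03T16:30:00 agent=kim channel=phone action=password_reset account=asmith caller=+15550123 verified=callback
2025-03-04T10:00:00 agent=ray channel=phone action=mfa_reset account=bwong caller=+15550100 verified=manager
"""

WINDOW = timedelta(minutes=30)  # assumed threshold; tune to your environment


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_anomalies(log_text):
    """Return (rule, subject) findings for phone-initiated resets."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    last_reset = {}                        # account -> (action, timestamp)
    accounts_by_caller = defaultdict(set)  # caller number -> accounts touched
    for e in events:
        if e["channel"] != "phone":
            continue
        acct = e["account"]
        # Rule 1: reset granted by phone with no identity verification recorded.
        if e["verified"] == "none":
            findings.append(("unverified_phone_reset", acct))
        # Rule 2: password and MFA both reset for one account inside the window.
        prev = last_reset.get(acct)
        if prev and prev[0] != e["action"] and e["ts"] - prev[1] <= WINDOW:
            findings.append(("password_and_mfa_reset", acct))
        last_reset[acct] = (e["action"], e["ts"])
        # Rule 3: one caller number requesting resets for a second account.
        accounts_by_caller[e["caller"]].add(acct)
        if len(accounts_by_caller[e["caller"]]) == 2:
            findings.append(("caller_multiple_accounts", e["caller"]))
    return findings
```
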

3. Coordinate Across Domains

Your IR playbook can’t just be for the IT team. A modern response requires coordination between:

  • IT and Cybersecurity
  • Physical Security and Facilities
  • Legal and Compliance
  • Human Resources
  • Crisis Communications and Executive Protection

Establish points of contact with local law enforcement before you need them.

4. Run Adversary-Aware Tabletop Exercises

Your drills must evolve. Inject scenarios where a digital extortion event escalates into a credible physical threat against an executive or a facility. Test your newly coordinated, cross-domain playbook.

These exercises don’t have to be the boring academic drills you might be imagining. I’ve seen my wife run these tabletops for clients, and participants are often pleasantly surprised. They expect a dry, academic exercise but instead find it enlightening and even fun.

What makes the training stand out is her use of realistic “curveballs.” These are sudden events thrown into the scenario to shake things up. The difference is stark.

  • A boring inject is purely technical: “The hacker has pivoted to another network segment.”
  • A great curveball adds a chaotic, real-world dimension: “A reporter just called for a quote. They’re running a story at 4 PM with a list of ‘facts’ about the breach. You know the ‘facts’ are wildly inaccurate, but they sound horrible. What do you do?”

A boring inject just tests the technical team. That curveball tests the entire leadership team. It forces them to instantly balance correcting the record (PR) with responsible breach notification (Legal) and ensuring clients don’t hear about it for the first time on the news (Stakeholder Management). That’s the value of a facilitator who thinks like an adversary. They find the realistic possibilities that had never crossed anyone’s mind.

5. Scope for Reality, Not for Comfort

Use the Nickerson anecdote as a teaching tool. The goal isn’t just to set safety limits. The goal is to have an honest discussion about expanding your scope beyond a simple list of IP addresses.

Maybe kidnapping a C-level’s child is (and should be) out of bounds. But what about a physical intrusion into the office after hours? What about vishing calls to the help desk? What about targeting employee social media accounts? What about stealing employees’ access badges? If your pentests are scoped to be clean, technical, and comfortable, you aren’t testing for the real-world scenarios that CrowdStrike is reporting on.

This conversation also forces you to acknowledge the risk of your exclusions. If you explicitly tell a red team “physical intrusion is out of scope,” that’s your choice. But you must understand that an attacker will not follow your rules. Your “out of scope” list becomes a “what if” list for your defenders. You’re acknowledging a real attack vector that you have chosen not to test, so you’d better have a plan to detect and respond to it anyway.

The Bottom Line

We can’t keep defending as if the worst that can happen is lost revenue or a database leak. CrowdStrike’s reporting is a blunt reminder that adversaries are faster, quieter, and more businesslike. And for some of them, “business” now includes hiring people to cause physical harm.

If your incident response plan still reads like an IT runbook, you are behind. The modern threat is hybrid. Your defenses, your leadership, and your board must be hybrid as well.

Next Steps

If you want to treat this seriously, start with a small, cross-disciplinary workshop. Bring security operations, HR, legal, and facilities into one room. Run a single scenario: from a vishing call, to a data breach, to an extortion demand, to a physical threat.

Use that exercise to harden your incident response, identify your real-world gaps, and set realistic escalation thresholds.

If you want help building and running that workshop, or if you need an adversary-informed penetration test that maps how a digital compromise could cascade into a real-world threat, let’s chat.
