Walk through the lobby of any modern office building, stadium, hospital, or school and you will pass dozens of devices designed to keep people safe. Cameras watch the entry points. Badge readers control who gets through each door. Turnstiles count who goes where. Sensors monitor environmental conditions. Door locks respond to access decisions made milliseconds earlier by a system you never see.
These devices are the physical security fleet — and in most organizations, they are the least protected technology on the network.
Not because nobody cares. Because nobody thought to ask.
The Fleet Nobody Is Watching
Physical security devices share something in common with smoke detectors and emergency lighting: people trust them implicitly because they are always there. They are infrastructure. They get installed, configured, and largely forgotten — checked only when something visibly breaks.
But these devices are not passive hardware. They are networked computers. A door lock controller runs firmware with open network ports. A badge reader communicates with an access control server over TCP/IP. A security camera streams video to a cloud management platform using a documented API. A sensor reports environmental data on a schedule.
Each of these is a node on your network with the same fundamental vulnerabilities as any other: open ports, unpatched firmware, default credentials that were never changed, and the ability to communicate laterally once compromised.
The fleet that protects your building is itself unprotected. And most organizations have no visibility into whether any of it is behaving the way it should.
What Happens When a Device Is Compromised
The attack scenarios for physical security devices are not hypothetical. They are documented, repeatable, and increasingly common.
A camera becomes a foothold. Security cameras are among the most frequently compromised networked devices in the world — not because attackers want the footage, but because cameras are reliable entry points. Unpatched firmware, factory-default passwords, and minimal monitoring make them easy targets. Once inside a camera, an attacker has a persistent, authenticated presence on your physical security network from which they can map the environment, intercept management traffic, and look for higher-value targets.
A badge reader gets spoofed. Access control systems typically validate credentials by communicating between a reader and a central server. If that communication is unencrypted or authenticated only at connection setup, an attacker on the same network segment can intercept and replay valid credential exchanges — granting access without ever presenting a physical badge. The system logs show a valid credential. Nothing looks wrong.
A door controller receives forged commands. In a flat physical security network, anything that can reach the access control server can potentially issue door open or close commands. A compromised camera can become a door controller. A spoofed sensor can trigger false alarms. The logical and physical consequences become indistinguishable.
A sensor provides false data. Environmental sensors, occupancy detectors, and intrusion sensors report state to management systems that make real decisions. A sensor that has been compromised and is reporting fabricated data can suppress genuine alerts, trigger false evacuations, or mask an active intrusion.
The pattern is consistent: a device in your fleet gets compromised, and the attacker uses it not as an end in itself, but as a starting point for something worse.
Why Traditional Security Doesn't Reach These Devices
The honest answer is that most enterprise security tools were never designed for physical security infrastructure.
Endpoint detection and response platforms require software agents. You cannot install an agent on a badge reader or a door lock controller — these devices run stripped-down firmware with no accessible operating system layer. Network access control solutions depend on device compliance checks that assume the device can run code. VPNs assume the device has a user interface and a keyboard.
The result is a predictable gap. Managed laptops and servers get full protection. Physical security devices get none. The fleet that is most critical to the physical safety of your people sits in a security blind spot that no existing tool was built to address.
Threatmatic was.
Zero Trust for Every Device in the Fleet
Zero Trust Network Access (ZTNA) is built on a simple principle: nothing is trusted because of where it is. Trust must be earned, verified, and continuously maintained — by every device, on every connection, every time.
Applying this to a physical security fleet changes what security looks like for these devices fundamentally.
Cryptographic identity, not network position. A badge reader is not trusted because it is on the physical security VLAN. It is trusted because it holds a verified cryptographic identity that is checked on every communication. A device that has been compromised and is attempting to impersonate a legitimate reader fails identity verification even if it is physically in the same rack. Position means nothing. Identity means everything.
Explicit permissions, nothing else. Every device in the fleet is defined by what it is allowed to do — and nothing more. A camera is authorized to stream to its management platform, and nothing else. A badge reader is authorized to communicate with the access control server, and nothing else. A sensor is authorized to report to its designated receiver, and nothing else. Any attempt to communicate outside these explicit boundaries is blocked automatically and triggers an alert. An attacker who compromises a camera cannot use it to reach the door controller two network hops away.
Continuous verification, not point-in-time trust. Most security architectures authenticate a device at enrollment and then trust it indefinitely. Threatmatic verifies continuously. Every session, every handshake, every packet exchange is authenticated against the device's known identity and behavioral baseline. A device that begins behaving inconsistently with its baseline — regardless of its enrollment status — is flagged and isolated before the anomaly can cascade.
Agentless enrollment. None of this requires installing software on devices that can't run it. Threatmatic discovers and enrolls every device in the fleet through network-layer fingerprinting — identifying each device by manufacturer, device type, firmware version, and communication pattern without touching the device itself. The badge reader does not know it is protected. The attacker who tries to reach it finds every path cryptographically locked.
Privacy Enhancing Technology: Security Without Surveillance
Protecting a physical security fleet creates a privacy tension that most security vendors ignore.
These devices handle deeply sensitive data. Cameras capture footage of real people. Badge readers log every movement of every employee. Access control systems know exactly who went where and when. Biometric readers store physiological data that can never be changed if compromised.
Securing these devices traditionally means monitoring them — and monitoring them means creating or processing the very data that creates privacy liability.
Threatmatic resolves this tension with Privacy Enhancing Technology (PET) built into the security layer itself.
Device behavior, not device content. Threatmatic monitors the communication behavior of every device in the fleet — packet rates, protocol conformance, connection patterns, session timing — without ever inspecting the payload. A camera's video stream is never seen by the security layer. A badge reader's credential data is never accessed. Threatmatic knows that a device is behaving normally or abnormally without knowing what it is actually processing. Security is achieved through behavioral analysis, not content inspection.
Fully homomorphic encryption for fleet intelligence. Threatmatic can aggregate and analyze behavioral patterns across your entire device fleet — identifying anomalies, benchmarking performance, and surfacing threat signals — using fully homomorphic encryption (FHE). FHE allows computation to happen on encrypted data without decrypting it first. The analysis is real. The underlying data is never exposed. Your fleet becomes measurably more secure over time without creating a secondary data liability.
No PII stored, ever. Device identity in Threatmatic is cryptographic, not biographic. The platform does not need to know whose badge triggered a reader, whose face appeared in front of a camera, or whose biometric was enrolled in an access panel. It tracks device behavior — communication patterns, protocol conformance, session characteristics — without touching the personal information those devices process. No personally identifiable information passes through the Threatmatic monitoring plane. None is stored.
This combination — security that genuinely protects the fleet without creating new privacy exposure — does not exist in traditional physical security tools. It was designed specifically for environments where both safety and privacy are non-negotiable.
What Fleet-Wide Protection Actually Looks Like
Imagine the view a security operations team has with Threatmatic deployed across a fleet of 200 devices — cameras, badge readers, door locks, turnstiles, environmental sensors, and access control panels spread across a campus.
Every device is visible. Not just "is it online?" visible, but behaviorally visible — what it is communicating, who it is communicating with, whether its patterns match its established baseline. A camera that has never made an outbound connection to an IP address outside its management platform is flagged the moment it tries to. A badge reader whose communication volume suddenly spikes is isolated before anyone investigates manually.
Every device is isolated. Each device operates in its own cryptographic micro-zone, permitted only to communicate with explicitly authorized endpoints. Lateral movement — the primary technique attackers use to escalate from a compromised device to a broader intrusion — is structurally impossible. A compromised camera cannot reach the door controller. A spoofed sensor cannot reach the access control server.
Every event is logged. Every policy decision, permitted communication, blocked attempt, and anomaly detection is recorded with cryptographic integrity — each entry chained to the previous, making retroactive tampering detectable. When something happens, the evidence is already there.
And the fleet gets smarter. Behavioral baselines improve with time. Threat patterns identified across one deployment inform defenses across all deployments — without sharing any raw data, and without exposing any device's specific communication content.
Post-Quantum Cryptography: Built for the Threat Landscape That's Coming
Most physical security devices will be in service for ten to fifteen years. A badge reader installed today will still be controlling access to your facility in 2035. A camera deployed this quarter will still be on your network a decade from now.
That timeline matters because of a threat that is not hypothetical — it is scheduled.
Quantum computers capable of breaking classical encryption are coming. The current best estimate from NIST and leading cryptographers puts the risk window opening sometime in the next decade. When that window opens, every device on your network that is secured with classical cryptography — RSA, ECDH, the algorithms that underpin today's TLS and VPN stacks — becomes retroactively vulnerable.
Harvest Now, Decrypt Later (HNDL) makes this threat immediate, not future. Adversaries are capturing encrypted traffic from physical security networks today — access control logs, camera management streams, credential exchanges — with the explicit intention of decrypting it once quantum capability arrives. The data being collected now will be readable then. Classical encryption offers no protection against this attack.
Threatmatic's QSChannel™ addresses this directly.
QSChannel™ uses Post-Quantum Cryptography (PQC) natively — not as a bolt-on or an optional upgrade, but as the default encryption layer for every communication between every device in the fleet. QSChannel™ implements ML-KEM for key encapsulation and ML-DSA for digital signatures, both standardized by NIST under FIPS 203 and 204. These algorithms are designed to resist attacks from quantum computers.
Every session uses ephemeral keys. QSChannel™ generates a fresh cryptographic key pair for every session. No long-lived keys are ever reused. A device that is compromised in the future yields zero usable cryptographic material from any prior session. Traffic captured today cannot be decrypted later — not by a classical computer and not by a quantum one.
Asymmetric path isolation means outbound and inbound traffic travel on separate encrypted tunnels with independent keys. An attacker who intercepts one direction of a communication cannot reconstruct the full session. Session hijacking and man-in-the-middle attacks are mathematically impossible under this architecture.
For a physical security fleet with a decade-plus operational lifespan, deploying QSChannel™ today means the traffic those devices generate — credential exchanges, access logs, video management communications — is protected against threats that do not yet exist at scale but will.
The fleet you deploy today should still be secure in 2035. QSChannel™ ensures it is.
Deployment Without Disruption
The practical concern with applying new security infrastructure to a physical security fleet is disruption. These devices cannot go offline. Access control systems cannot have downtime. Security cameras cannot have gaps in coverage.
Threatmatic deploys in passive discovery mode first. During this period — typically one to two weeks — the platform observes and maps every device's communication patterns without enforcing policy. This builds the accurate behavioral baseline that makes enforcement precise when it activates. False positives are minimal because policy reflects observed reality, not theoretical assumptions.
When enforcement activates, the existing infrastructure is unchanged. No new network hardware. No reconfiguration of existing devices. No installation of agents. The fleet continues to operate exactly as it did — with every device now cryptographically identified, behaviorally monitored, and protected against lateral movement.
The Fleet Deserves the Same Protection as Everything Else
The cameras, badge readers, door locks, sensors, and turnstiles in your facility are not peripheral infrastructure. They are the primary defense layer for the physical safety of your people. The decision about who gets through a door, who gets flagged at a checkpoint, and who gets recorded entering a secure area flows through these devices every second of every day.
They deserve the same rigorous security that protects your servers, your endpoints, and your cloud workloads.
Threatmatic brings Zero Trust Network Access and Privacy Enhancing Technology to every device in the fleet — not as a retrofit, not as an add-on, but as a foundational security layer purpose-built for the environment where physical and digital security converge.
Every device in your fleet is a commitment to the people it protects. It is time to protect the devices too.
To see how Threatmatic secures physical security fleets in your environment, contact us or start a 14-day Silent Discovery Pilot.