What Is Tailgating? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Tailgating happens when someone sneaks into a secure area by closely following a person who has the right access. The intruder takes advantage of the authorized person's politeness or distraction. This is a social engineering attack that bypasses electronic security systems. It is also called piggybacking in some contexts.
Commonly Confused With
Piggybacking is often used as a synonym for tailgating, but some sources define it as the authorized person knowingly allowing the person to enter, while tailgating is without knowledge. In most exam contexts, they are considered the same.
If an employee holds the door and says 'go ahead' to a person without a badge, that is piggybacking. If the person sneaks in while the employee is distracted, that is tailgating.
Shoulder surfing is looking over someone's shoulder to see their password, PIN, or confidential information. It does not involve physical entry. Tailgating is about gaining physical access to a restricted area.
An attacker watches someone type their ATM PIN-that is shoulder surfing. An attacker follows someone through a secure door-that is tailgating.
Pretexting is creating a fabricated scenario to obtain information or access, often over the phone or email. Tailgating may involve a pretext (like 'I forgot my badge'), but the key difference is the physical following action.
Calling an employee pretending to be from IT to get a password is pretexting. Following that employee through a door is tailgating.
Must Know for Exams
Tailgating is a frequently tested concept in IT certification exams, particularly in the security domain. For CompTIA Security+ (SY0-601 and SY0-701), tailgating appears under Objective 1.1: 'Compare and contrast different types of social engineering techniques.' It is listed alongside phishing, spear phishing, whaling, vishing, smishing, pretexting, and watering hole attacks. On the exam, you may be asked to identify tailgating from a scenario description or to choose the best mitigation technique. The exam expects you to know that tailgating is a physical social engineering attack, not a technical one.
For the CISSP exam, tailgating is covered in Domain 2: Asset Security, specifically under physical security controls. The exam may ask candidates to recommend physical security measures to prevent unauthorized entry, and tailgating is a key threat to consider. CISSP questions often focus on layered defenses, so you might need to differentiate between preventive controls (mantraps, turnstiles) and detective controls (CCTV, guards).
For the CEH (Certified Ethical Hacker) exam, tailgating is part of the social engineering module. CEH exam questions may describe a penetration test scenario where the tester attempts tailgating to gain physical access. The candidate must understand the attack vector and the countermeasures. For the SSCP exam, tailgating appears in the Access Controls domain, often in questions about physical access controls and monitoring.
Even in network-focused exams like CCNA, tailgating is sometimes addressed in the context of physical security for network equipment. A question might ask about the best way to secure a wiring closet, and the correct answer could include preventing tailgating with a proper access control system. The key exam takeaway is that tailgating is a human vulnerability, not a system vulnerability. Mitigations always involve user awareness, training, and physical barriers rather than technical patches or software updates. Knowing that tailgating belongs to the social engineering family helps you eliminate answer choices related to technical exploits.
Simple Meaning
Imagine you are walking into your office building. You scan your ID badge at the door to unlock it, and you step inside. As you hold the door open, someone you do not recognize walks in right behind you, smiling and pretending to be in a hurry. You don't want to be rude, so you let them in. That person is tailgating. They did not use a badge. They did not enter a code. They simply used your valid access to get past the security door.
Tailgating is a form of social engineering because it relies on human behavior rather than hacking a computer or cracking a password. The intruder might carry a box, pretend to be on the phone, or claim they forgot their badge. The goal is to look like they belong so that the authorized person does not challenge them. This attack does not require technical skill, but it can defeat some of the most expensive security systems. A fingerprint scanner or a key card lock is useless if someone holds the door open for an unauthorized follower.
In IT, tailgating is a major concern because once an intruder is inside a building or a server room, they can steal equipment, install malware, access sensitive data, or eavesdrop on conversations. Physical security is often called the first layer of defense, and tailgating directly attacks that layer. Organizations try to prevent tailgating with policies, mantraps, security awareness training, and turnstiles. But the human element remains the weakest link. For IT certification exams, you need to understand that tailgating is a physical security threat that belongs to the social engineering family, alongside phishing and pretexting.
Full Technical Definition
Tailgating, also known as piggybacking, is a physical security attack in which an unauthorized individual gains entry to a restricted area by following closely behind an authorized person. This attack exploits the access control mechanisms of a facility, such as card readers, biometric scanners, or keypads, by bypassing the authentication step entirely. The intruder does not present any credentials; instead, they rely on the authorized person to complete the authentication process and then physically enter the secured space before the door or gate closes.
From an information security perspective, tailgating falls under the category of social engineering and is addressed in frameworks such as the ISO 27001 standard, which requires organizations to implement physical security controls to protect information assets. The attack vector is not technical but rather psychological, leveraging social norms like politeness, helpfulness, or fear of confrontation. Common scenarios include an intruder carrying a heavy box, wearing a fake uniform, claiming to have forgotten their badge, or simply acting as if they are in a hurry.
Countermeasures against tailgating involve a combination of technical controls and procedural policies. Technical controls include mantraps, which are small rooms with two sets of interlocked doors that allow only one person to pass at a time. Turnstiles and full-height revolving doors also prevent multiple people from entering on a single credential. Some modern access control systems use optical turnstiles that detect if more than one person passes through after a single authentication. Video surveillance can be used to record and audit entries, but it is a detective control, not a preventive one.
Procedural controls include security awareness training that teaches employees to challenge unknown individuals and to close doors behind them. Some organizations enforce a 'no tailgating' policy with clear consequences for violations. In high-security environments, guards may be positioned at entry points to enforce strict one-person-per-authentication rules.
For IT professionals, tailgating is relevant because it can lead to data breaches, theft of hardware, or the installation of rogue devices such as keyloggers or wireless access points. In exam contexts, tailgating is often contrasted with other physical attacks like dumpster diving or shoulder surfing. Understanding that tailgating is a human-focused attack-not a technical exploit-is crucial for selecting the appropriate mitigation strategies.
Real-Life Example
Think about a busy coffee shop during the morning rush. The line to order is long, and people are hurrying. There is a door next to the counter that leads to a back room where the employees keep the coffee beans, cash, and schedules. Only employees are supposed to go through that door. They have to tap a key card to unlock it. One regular employee, Steve, taps his card and opens the door. A woman in a uniform that looks similar to the shop's uniform walks quickly toward the door, holding a cardboard box. She says, 'Oh, thanks, I forgot my card.' Steve, not wanting to delay his break and thinking she is probably a new hire, holds the door for her. She goes in. She is not an employee. She is a competitor trying to steal the shop's supplier list.
This is tailgating in a real-world, everyday setting. The security door worked perfectly. Steve's card authenticated just fine. But the human weakness-Steve's politeness and his assumption that the woman belonged-allowed the breach. The attack did not require hacking the card system or picking the lock. It required only a box, a smile, and a believable story. The same thing happens in office buildings, hospitals, and data centers every day. An intruder may pretend to be a delivery person, a janitor, or a contractor. The authorized person often feels awkward about refusing entry, especially if the intruder appears confident and carries something that looks official.
Mapping this to IT physical security: the door is the access control system, Steve is the authorized user, and the woman is the threat actor. The vulnerability is the human tendency to trust and to avoid conflict. The asset at risk is the information or equipment inside the protected area. To prevent this, organizations train employees to politely refuse and to report anyone who tries to tailgate. Some install mantraps that make tailgating physically impossible. But the simplest fix is a culture where it is okay to say, 'I am sorry, I need to see your badge first.'
Why This Term Matters
Tailgating matters because it undermines the entire physical security infrastructure of an organization. Companies invest heavily in electronic access control systems-badge readers, biometrics, PIN pads-but if an employee holds the door open for a stranger, all of that investment is wasted in seconds. From an IT perspective, physical access to a facility often leads directly to logical access to systems. An intruder who gets into a server room can plug in a USB device loaded with malware, connect a rogue laptop to the network, or simply steal a hard drive containing sensitive data. Tailgating is one of the easiest ways to bypass all network firewalls and encryption because the attacker never touches the network-they touch the people.
In the context of security compliance, many standards require organizations to maintain physical access logs and to ensure that only authorized individuals are in secure areas. Tailgating breaks that chain of accountability. If an intruder enters without being logged, there is no record of their presence, making forensic investigations after a breach nearly impossible. For IT auditors, tailgating is a frequent finding in penetration tests. Red teams often test whether they can tailgate into a building, and if successful, they demonstrate a serious gap in security awareness.
For IT certification candidates, tailgating appears in exams like CompTIA Security+, CISSP, and CEH as a specific social engineering technique. Understanding tailgating helps you see security as a layered discipline, not just a collection of firewalls and antivirus software. The human layer is just as critical. Knowing how to prevent tailgating-through policies, training, and physical barriers-is a core competency for any security professional. Failure to address tailgating can lead to severe data breaches, legal liability, and loss of customer trust. That is why this simple attack is never dismissed as trivial in serious security discussions.
How It Appears in Exam Questions
In IT certification exams, tailgating typically appears in scenario-based questions rather than direct definition questions. A common pattern is a descriptive paragraph about a security incident, and you are asked to identify the attack type. For example: 'An employee holds the door to a secure area for a person carrying a large delivery box. The person does not have a badge and claims to have forgotten it. Which type of social engineering attack is this?' The correct answer is tailgating. Distractors often include shoulder surfing, piggybacking, or phishing. Note that piggybacking is essentially the same as tailgating, but some exams make a subtle distinction-piggybacking may imply the authorized person gave permission, while tailgating occurs without the authorized person's knowledge. Most modern exams treat them synonymously, but you should check the specific exam's interpretation.
Another question pattern involves mitigating tailgating. You might be asked: 'Which physical control is most effective at preventing tailgating?' Options could include mantraps, CCTV, access control vestibules, or security guards. The best answer is usually a mantrap or a turnstile that allows only one person to pass per authentication. A variation asks about procedural controls, such as requiring employees to challenge unknown individuals or reporting suspicious behavior. Sometimes the question combines tailgating with another concept, like dumpster diving or pretexting, to test your ability to differentiate.
In more advanced exams, you may see a question about a security assessment where a red team member successfully gained entry to a server room by tailgating. The question then asks: 'What is the best recommendation to prevent this in the future?' The correct answer should address both technical controls (install a mantrap) and training (conduct security awareness sessions). Some questions test your knowledge of the difference between tailgating and shoulder surfing: shoulder surfing is looking at someone's screen or keypad, while tailgating is following them through a door. Reading the scenario carefully is critical because exam writers often include small details that point to one attack over another.
Finally, some questions address the impact of tailgating. For instance, 'An unauthorized person gains access to a data center via tailgating. What is the most likely immediate risk?' The answer would involve physical theft, installation of rogue devices, or unauthorized access to systems. Exam writers want you to connect physical security breaches to information security risks.
Practise Tailgating Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are the IT security intern at a medium-sized company. Your manager asks you to walk around the facility and check for security weaknesses. As you approach the main entrance, you notice a badge reader on the door. Every employee must swipe their badge to enter. A woman in a business suit walks up to the door, swipes her badge, and the door clicks open. As she pulls the door, a man behind her-who did not swipe any badge-quickly steps forward and catches the door before it closes. He slips inside behind the woman. She does not seem to notice him. The man is not carrying any visible equipment, but he walks confidently toward the elevator bank.
You realize that this person has just tailgated his way into the building. You note the exact time, the door used, and a description of the man. You report this to your manager immediately. Later, the security team reviews the CCTV footage and confirms that the man did not have a visitor badge and did not sign in at the reception desk. This incident reveals a serious gap in the company's physical security. The badge reader and door lock functioned perfectly, but there was no barrier to prevent multiple people from entering on a single credential. The company decides to install a mantrap at the main entrance. The mantrap is a small room with two doors. The first door opens after a badge swipe, but the second door will not unlock until the first door is fully closed and the weight sensor confirms only one person is inside. This makes tailgating nearly impossible.
This scenario shows how a simple physical vulnerability can be exploited by any motivated attacker. Even without high-tech tools, an intruder can bypass security just by being quick and unnoticed. The incident also highlights the importance of layered security-the badge reader alone was not enough. The mantrap added a physical barrier that eliminated the human factor. As an IT professional, recognizing such vulnerabilities and recommending concrete solutions is part of your role.
Common Mistakes
Thinking tailgating is the same as shoulder surfing.
Shoulder surfing involves looking over someone's shoulder to obtain information like a password, not physically following them through a door.
Remember: tailgating is about physical entry; shoulder surfing is about visual observation.
Believing that tailgating only happens in large corporations.
Tailgating can happen anywhere with restricted access, including small offices, server closets, and even home offices with security doors.
Recognize that any physical access control can be bypassed through tailgating, regardless of size.
Assuming that a badge reader alone prevents tailgating.
A badge reader only authenticates one person at a time; it does not prevent an unauthorized person from slipping in behind the authorized user.
Understand that electronic locks must be paired with physical barriers like mantraps or turnstiles to stop tailgating.
Confusing tailgating with piggybacking as completely different attacks.
While some sources distinguish piggybacking (with consent) from tailgating (without consent), many exams and textbooks use them interchangeably.
Check the specific exam's definitions. In general, treat them as the same social engineering tactic during multiple-choice questions.
Thinking tailgating is a technical attack that requires hacking skills.
Tailgating relies on human psychology, not technical exploits. No code, tools, or hacking skills are needed.
Classify tailgating as a social engineering attack, not a network or software attack.
Exam Trap — Don't Get Fooled
{"trap":"A question describes an attacker who follows an employee into a secure area after the employee has authenticated with a badge. The answer choices include 'tailgating,' 'piggybacking,' and 'shoulder surfing.'","why_learners_choose_it":"Learners often confuse 'shoulder surfing' because they think the attacker is 'looking over the shoulder' of the employee.
But shoulder surfing is about observing a screen or keypad, not following through a door.","how_to_avoid_it":"Read the action carefully: if the attacker is entering a restricted area by following someone, it is tailgating or piggybacking. Shoulder surfing involves stealing information by sight, not gaining physical access."
Step-by-Step Breakdown
Identify the target area
The attacker selects a restricted area such as a server room, office floor, or data center. They observe the entry point and the behavior of authorized personnel.
Wait for an authorized individual
The attacker positions themselves near the door and waits for an employee who will use their credentials to unlock it. The attacker appears engaged in a phone call or carries an object to look busy.
Approach the door as it opens
As the authorized person swipes their badge or uses biometrics, the attacker moves quickly toward the door, pretending to be in a hurry or distracted.
Enter behind the authorized person
The attacker slips through the door before it closes, often without any verbal interaction. They may rely on the authorized person not noticing or not wanting to be confrontational.
Blend in after entry
Once inside, the attacker acts as if they belong-walking confidently, looking at their phone, or heading toward a specific area. They may continue to deeper secure zones if possible.
Execute the malicious objective
The attacker now has physical access. They may steal equipment, install a rogue device, access sensitive data, or simply gather information for a future attack.
Practical Mini-Lesson
As an IT professional, you need to understand that tailgating is not just a security team issue-it affects everyone responsible for protecting information assets. In practice, preventing tailgating starts with a risk assessment of your facility. Identify all entry points to sensitive areas like server rooms, network closets, project offices, and even break rooms that house shared printers with access to confidential documents. For each entry point, evaluate whether a simple door with a badge reader is sufficient or whether you need a higher level of control.
For high-security areas, implementation of a mantrap is the gold standard. A mantrap is a small vestibule with two doors controlled by an access control system. The first door requires authentication to open, and the second door will not unlock until the first door is closed and often until a weight sensor confirms only one person is present. This physically prevents two people from entering on one credential. However, mantraps are expensive and may not be practical for every door. Alternative solutions include turnstiles and full-height revolving doors that physically prevent more than one person from passing per rotation.
Another practical measure is security awareness training. Employees should be trained to politely refuse to hold doors for anyone they do not recognize. They should also be encouraged to report tailgating attempts without fear of being rude. Some organizations implement a 'no tailgating' policy that includes disciplinary action for employees who repeatedly violate it. Guards posted at main entrances can also act as a deterrent, but they must be trained not to let their own politeness override security.
What can go wrong in practice? If you only rely on a badge reader without physical barriers, tailgating is trivially easy. If you install a mantrap but do not maintain the weight sensors or door interlocks, they may fail and create a false sense of security. If you train employees but do not test them with drills or red team exercises, the training may not stick. The most common failure is that security policy is written but not enforced. Professionals should regularly audit physical access logs, look for anomalies, and test tailgating defenses through penetration testing. Remember that tailgating can also be combined with other social engineering tactics, like pretexting, which makes it even more dangerous. A good physical security plan treats tailgating as a credible threat and addresses it with layered defenses: technology, policy, and human vigilance.
Memory Tip
Remember 'Tails', Tailgating is sneaking in the back, like a tail, by following someone through a physical door. It's physical, not digital.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1102CompTIA A+ Core 2 →SY0-701CompTIA Security+ →CS0-003CompTIA CySA+ →SC-900SC-900 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Frequently Asked Questions
Is tailgating the same as piggybacking?
In most IT certification exams, they are considered the same attack. Some sources differentiate piggybacking as the authorized person knowingly letting someone in, while tailgating is without knowledge, but exam questions usually use them interchangeably.
Does tailgating only happen at building entrances?
No, it can happen at any secure door, including server rooms, wiring closets, laboratory doors, and even elevator access into restricted floors.
Can a security camera prevent tailgating?
A camera is a detective control, not a preventive one. It can record the incident, but it does not stop tailgating from happening. You need physical barriers or guards for prevention.
What is the best way to stop tailgating?
The most effective control is a mantrap or turnstile that allows only one person to pass per credential. Combined with employee training, it provides strong prevention.
Why do employees fall for tailgating?
Employees often want to be polite, avoid conflict, or assume the stranger is a colleague. Attackers exploit this by acting confident and carrying objects that look official.
Is tailgating tested on the CompTIA Security+ exam?
Yes, it appears in the social engineering section. You should be able to identify tailgating from a scenario and recommend appropriate mitigation techniques.
Summary
Tailgating is a simple but effective physical social engineering attack that bypasses electronic access controls by exploiting human behavior. It occurs when an unauthorized person follows an authorized individual into a restricted area, often without the authorized person's knowledge. This attack is a core concept in IT security certifications because it highlights the critical importance of the human layer in security. No amount of encryption or firewalls can protect data if an attacker can walk into a server room unimpeded.
Preventing tailgating requires a combination of technical controls, such as mantraps, turnstiles, and access control vestibules, along with procedural controls like security awareness training and strict policies. For exam purposes, you need to differentiate tailgating from similar attacks like shoulder surfing and pretexting. Remember that tailgating is a physical entry technique, not a method of information theft. The most common exam traps involve confusing tailgating with shoulder surfing or failing to recognize that a badge reader alone is not sufficient to prevent it.
The bottom line: tailgating is a threat that every IT professional should take seriously. It is one of the easiest ways to compromise physical security, and it is tested across multiple certification exams. Understanding how it works, how to prevent it, and how to recognize it in exam scenarios will serve you well both in your certification journey and in your career. Stay vigilant, and never hold the door for strangers.