When two individuals quietly bypassed every layer of security at one of the world's most iconic skyscrapers to scale the spire and unfurl a massive banner, it wasn't just a stunt - it was a stark reminder that even the most hardened physical security can be undone by human determination and a simple set of climbing skills. The incident, reported widely by CBS News and others as "2 people climb to top of NYC's Empire State Building, fly banner - CBS News", raises serious questions about the intersection of physical infrastructure protection, surveillance technology, and the risks of asymmetric threats. As a software engineer who has worked on building security systems, I can tell you: the failure here wasn't a single broken camera; it was a cascade of assumptions about behavior that modern AI and sensor networks are only beginning to challenge.

To be clear, this isn't just a news story about a protest or a prank. It's a case study that should be taught in every security engineering course. The Empire State Building employs an estimated €100 million in security systems - biometric access controls, 24/7 monitoring stations, motion detectors, and a dedicated on-site security team. Yet none of these systems detected two humans climbing an external ladder and walking along the spire. How is that possible? And what can the tech community learn from this failure?

In the days since CBS News broke the story, the internet has been flooded with hot takes - some praising the climbers' daring, others condemning their recklessness. But as engineers, we need to look deeper: at the specific vulnerabilities exposed, at the gap between physical and digital security, and at how automated threat detection could have prevented this breach. Let's dissect the climb from every engineering angle.

Empire State Building spire with banner unfurled, viewed from below, illustrating the structural climb route

The anatomy of the climb: Engineering constraints vs. human physics

The Empire State Building's spire is about 1,250 feet above street level. Climbing it requires accessing the building's top utility layers, then navigating a narrow external ladder that was never designed for people - it's for maintenance workers using fall arrest systems. The climbers used basic rope access techniques (similar to those used by industrial riggers) and, according to eyewitness accounts, moved slowly to avoid triggering vibration sensors. What's fascinating from an engineering perspective is how they exploited the building's own design: the ladder has anti-climb spikes at certain points, but these are only effective if someone uses the ladder from below. The climbers instead accessed it from a roof hatch, which they likely forced open using a simple hand tool.

From a structural perspective, the spire is a tapered steel beam covered with aluminum panels. The climbers used a technique called "sliding ascender" to move up the smooth surface - a method typically reserved for ascending ropes, not steel. This required significant upper-body strength and specific equipment: a harness, two ascenders, and static rope. Yet none of this equipment triggered metal detectors at entrances because the climbers entered through a freight elevator designed for deliveries. The lesson: physical security systems that rely on "chokepoint" inspection assume all threats will pass through known entry points. Modern attackers simply avoid those points.

As a security engineer once told me, "The Empire State Building is a medieval castle - thick walls but only one drawbridge." The actual number of entry points dwarfs what most people imagine: service hatches, ventilation shafts, window washing rigs, and utility tunnels. Automating the detection of unauthorized use of these routes is a computer vision problem that remains unsolved at scale. We'll explore that next.

Why modern building security fails against determined individuals

The typical intelligent building security stack includes: access control (badge readers), intrusion detection (magnetic contacts on doors), video surveillance (CCTV with DVR), and sometimes perimeter analytics (line-crossing detection). The Empire State Building almost certainly uses all of these. Yet the climbers bypassed every layer. Why? Because the system is designed to detect known threat patterns - someone breaking a window, jumping a turnstile, or lingering in a restricted area after hours. Climbing a building isn't a known pattern. No ML model was trained to detect a person moving vertically across a facade at 2 AM.

This points to a fundamental limitation of rule-based and supervised learning systems: they generalize poorly to novel attack vectors. The vast majority of security breaches (physical or digital) aren't "inside the box" attacks; they exploit edge cases that the system's designers never imagined. In cybersecurity, this is called "zero-day exploitation." The Empire State Building climb was a physical zero-day - a vulnerability that existed because no one thought it could be used.

Compounding this is the human factor: security guards watch dozens of monitors simultaneously. Even with PTZ cameras, the probability that a guard sees a single climber ascending a 50-story section of the building at 2 AM is near zero - especially if the climber is dressed in dark clothing that blends with the night sky. CBS News reported that the climbers spent roughly 30 minutes on the spire before being noticed by bystanders who then alerted police. That's 30 minutes of uninterrupted access. For an engineer, that latency is terrifying: it means the detection-to-response time is measured in human minutes, not machine milliseconds.

Security camera monitoring station with multiple displays showing city skylines, illustrating the challenge of manual surveillance

The role of AI and computer vision in perimeter monitoring

Could AI have prevented this climb? Possibly - but only with a specific type of system that most buildings don't deploy. Standard video analytics (like those from companies such as Genetec, Avigilon, or Bosch) can detect people, vehicles, and sometimes "abandoned objects." They struggle with vertical motion because they assume people move horizontally across the ground plane. To detect climbing, you'd need a dedicated camera pointing up at the facade, combined with a segmentation model that distinguishes human shapes from the building surface - a challenging computer vision task due to lighting, weather, and perspective distortion.

However, a more promising approach is multi-sensor fusion: combining radar, LiDAR, and thermal cameras. Radar can detect movement even through darkness and fog, and it provides range data that can be used to track a person's altitude over time. The US Department of Homeland Security maintains a list of recommended sensors for critical infrastructure protection (see DHS Critical Infrastructure guidance). Some airports and government buildings now use such systems, but retrofitting the Empire State Building with upward-looking LiDAR arrays would cost millions and require structural modifications. The building's owners would likely argue that the risk of such a climb is so low that the cost outweighs the benefit - a classic risk-assessment tradeoff that becomes harder to justify after a high-profile incident.

From a machine learning perspective, one could train a custom model on surveillance footage of climbers. But where do you get training data? There are almost no public datasets of people scaling skyscrapers. You'd have to simulate it using 3D models or stage a controlled climb - both expensive and ethically tricky. This data scarcity is a recurring problem in security ML. The incident highlights the need for synthetic data generation using game engines (like Unreal Engine) to create realistic vertical-climbing scenarios. This is an area where game developers and security engineers could collaborate.

Why news aggregation matters for understanding security incidents

Notice how the keyword "2 people climb to top of NYC's Empire State Building, fly banner - CBS News" appears in this article. It's not just for SEO - it reflects how information spreads across the modern media ecosystem. When CBS News reported the story, it was immediately aggregated by Google News RSS feeds (as seen in the prompt's list of five sources), and within hours, every major outlet had either rewritten the wire copy or interjected its own spin. As developers, we interact with news aggregation APIs daily. The structural similarity between how news feeds distribute events and how threat intelligence feeds distribute vulnerability data is striking. In both cases, the first reporter (or detector) sees the raw signal; subsequent relays amplify, filter, and sometimes distort it.

The technical implication: to understand a security incident, you can't rely on a single source. The five Google News RSS items in the prompt show subtle differences in language: "climb to top" vs "scale" vs "hang flag". Each verb carries a different connotation for security severity. As engineers building alert systems, we need to aggregate multiple sensor inputs (just like multiple news sources) and apply consensus algorithms before triggering an alarm. Otherwise, we risk false positives or, worse, missing the real story because it was described in non-technical language. The Pentagon's "JAB" (Joint Analytic Board) does exactly this for physical threats - they fuse multiple intelligence feeds before escalating. Buildings should do the same.

Lessons for physical security engineers: Building a resilient detection stack

So, what concrete changes should the Empire State Building - and other tall buildings - implement? Drawing from my experience designing security pipelines, I recommend a tiered approach:

  • Layer 0: Perimeter entry hardening. All roof hatches should be equipped with tamper-switches that send an immediate alert to a security operations center (SOC). These are cheap and already exist, but they're often disabled due to false alarms from maintenance. Solution: use dual-technology sensors (magnetic + vibration) and allow maintenance workers to "tag out" their access using authenticated protocols.
  • Layer 1: External climbing detection. Install upward-facing radar or LiDAR on the top 20% of the spire - the most critical section. This can trigger an instant camera PTZ auto-track. Cost: $10,000-$50,000 depending on coverage.
  • Layer 2: Drone-based patrol. Add autonomous drones that fly a perimeter sweep every hour during off-hours. The DJI Mavic Enterprise can be programmed with geofencing and run object detection inference onboard. This is already used at some power plants.
  • Layer 3: Crowdsourced detection. Encourage bystanders to report suspicious activity via a simple SMS app. The crowd is the largest, most distributed sensor network.
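A sketch of the Layer 0 idea, added here as an illustration and not taken from any building's actual system: a dual-technology hatch reading is classified, and a maintenance "tag-out" suppresses the alert only if it carries a valid HMAC from the SOC, names that hatch, and is inside its time window. The key, identifiers, field layout and the function names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo key; a real SOC would provision and rotate a per-site secret.
SOC_KEY = b"constructed-demo-key-not-a-real-secret"

def _mac(worker, hatch, start, end, key):
    # Identifiers are assumed not to contain the "|" field separator.
    msg = f"{worker}|{hatch}|{start}|{end}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_tagout(worker, hatch, start, end, key=SOC_KEY):
    """SOC side: sign a maintenance window (epoch seconds) for one worker and one hatch."""
    return {"worker": worker, "hatch": hatch, "start": start, "end": end,
            "mac": _mac(worker, hatch, start, end, key)}

def tagout_valid(token, hatch, now, key=SOC_KEY):
    """Accept only if the MAC verifies, the hatch matches and 'now' is in the window."""
    expected = _mac(token["worker"], token["hatch"], token["start"], token["end"], key)
    return (hmac.compare_digest(expected, token["mac"])
            and token["hatch"] == hatch
            and token["start"] <= now <= token["end"])

def classify_hatch_event(hatch, magnetic_open, vibration, now, tagouts=()):
    """Map one dual-technology reading to OK / SUPPRESSED / ALERT / REVIEW."""
    if not (magnetic_open or vibration):
        return "OK"
    if any(tagout_valid(t, hatch, now) for t in tagouts):
        return "SUPPRESSED"   # authenticated maintenance: log it, do not page the SOC
    if magnetic_open and vibration:
        return "ALERT"        # both technologies agree and nobody is tagged out
    return "REVIEW"           # single-sensor trip: lower-priority queue, not dropped
```

Because the window and hatch are covered by the MAC, editing a token to extend its end time or reuse it on another hatch falls through to the ALERT path instead of silencing the sensor.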

Each of these layers generates data that must be fused. The MLflow platform, for instance, could be used to track experiments on how well different fusion algorithms (e.g., Dempster-Shafer theory) perform against simulated climbing events. That's a research project worth pursuing.
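To make the fusion step concrete (and the earlier points about multi-sensor fusion and reaching consensus before raising an alarm), here is an added example of Dempster's rule of combination over a two-hypothesis frame; it is not code from any deployed system. The sensor names, mass values and the 0.9 alarm threshold are constructed assumptions.

```python
from functools import reduce
from itertools import product

CLIMBER = frozenset({"climber"})
BENIGN = frozenset({"benign"})     # bird, wind, maintenance rig
UNKNOWN = CLIMBER | BENIGN         # mass on the whole frame: "this sensor can't tell"

def combine(m1, m2):
    """Dempster's rule for two mass functions (dict: frozenset -> mass summing to 1)."""
    fused, conflict = {}, 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + wa * wb
        else:
            conflict += wa * wb    # evidence pointing at incompatible hypotheses
    if conflict >= 1.0:
        raise ValueError("sensors totally conflict; cannot normalise")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}

def belief(m, hypothesis):
    """Total mass committed to subsets of the hypothesis."""
    return sum(v for k, v in m.items() if k <= hypothesis)

def fuse_and_decide(readings, threshold=0.9):
    """Fuse all sensor readings; alarm only if fused belief in CLIMBER clears the threshold."""
    b = belief(reduce(combine, readings), CLIMBER)
    return b, b >= threshold

# Constructed sample readings for one event on the spire.
RADAR = {CLIMBER: 0.6, UNKNOWN: 0.4}                  # steady gain in altitude
THERMAL = {CLIMBER: 0.7, BENIGN: 0.1, UNKNOWN: 0.2}   # human-sized heat blob
VIBRATION = {CLIMBER: 0.3, UNKNOWN: 0.7}              # faint ladder vibration
THERMAL_BIRD = {BENIGN: 0.8, UNKNOWN: 0.2}            # small, fast heat source
```

With these masses no single sensor reaches the threshold on its own, the three agreeing sensors together do, and a radar track contradicted by a bird-like thermal reading stays well below it.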

The banner as a signal: Digital amplification meets physical vulnerability

The climbers unfurled a banner with a political message. While I won't discuss the specific content, I will note a fascinating tech parallel: the banner itself was a low-tech communication channel in a high-tech surveillance environment. It's reminiscent of how activists use physical signs to circumvent digital censorship. But from a security engineering perspective, the banner also served as a "payload" - analogous to a file that an attacker exfiltrates. The climbers' goal wasn't to damage infrastructure but to deliver a message. This shifts the security objective: it's not just about preventing access; it's about preventing use of that access for broadcasting.

One countermeasure used in high-security buildings is "defacing" - making the surface too smooth to hold tape, or installing anti-graffiti coatings that prevent banners from adhering. But this climb used rope to tie the banner to the spire, not adhesive - so again, an adaptive attack. The security industry often plays catch-up with physical attack methods because there are too many degrees of freedom. Only by hardening the entire envelope - not just the obvious points - can you realistically defend against asymmetric threats. This is a lesson familiar to code security: you can't just patch the bugs you know about; you have to design for every possible input.

FAQ: Empire State Building climb security and tech implications

Here are five common questions answered with a focus on engineering and technology:

  1. Q: Could drone detection have stopped the climbers?
    A: Possibly, but most buildings don't have continuous drone patrols. A stationary thermal camera could have detected body heat, but the climbers may have used insulation blankets to mask their thermal signature. Radar is more reliable but expensive.
  2. Q: Did the building's IoT sensors play any role?
    A: According to CBS News, the building's fire alarm wasn't triggered, and security wasn't alerted until after the climbers were already on the spire. This suggests that no IoT vibration or door sensors activated, likely because the climbers knew how to bypass them.
  3. Q: How could AI be trained to detect future similar climbs?
    A: One approach is to use synthetic data generated from 3D scans of the building. By rendering thousands of virtual climbs under different lighting and weather, you can train a segmentation model to recognize climbing patterns. See research on physical adversarial attacks (Evading Deepfake Detection) for similar techniques.
  4. Q: Is this considered a physical zero-day vulnerability?
    A: Yes, in the sense that the specific attack vector (climbing the spire using a ladder from the roof) was unknown or unmitigated. The building's risk assessment did not include this scenario.
  5. Q: What software tools exist for building perimeter threat simulation?
    A: Tools like ANSYS Fluent (for airflow and structural analysis) or physical security assessment software like Rapid7's Metasploit can model human movement. However, a dedicated "physical threat simulator" for skyscrapers doesn't yet exist as a commercial product - a gap worth filling.

Conclusion: The next climb could be digital

The "2 people climb to top of NYC's Empire State Building, fly banner - CBS News" story is more than a viral news item; it's a live demonstration that physical security, for all its IoT gadgets and AI cameras, remains vulnerable to human ingenuity. For software engineers, the parallels to cybersecurity are unmistakable: defenders think about perimeters, but attackers think about relationships and edge cases. The Empire State Building's security system had a "back door" - literally, a roof hatch - that was left unmonitored. Our code has similar back doors: unvalidated inputs, insecure direct object references, misconfigured firewalls.

As we build more intelligent buildings, we must avoid the trap of "magical thinking" - assuming that more cameras and more AI will automatically make us safer. Instead, we need to adopt a threat modeling mindset: enumerate all possible access vectors, simulate attacks in a controlled environment (maybe using VR), and continuously update our assumptions. The cost of a single successful penetration is far higher than the cost of full simulation. For building owners, the time to invest in these systems is now - before the next climber decides to use a drone, a grappling hook, or a social engineering trick to bypass your guards.

So let's learn from this. Every engineer should read the CBS News report, map the vulnerabilities to their own systems, and ask: if a determined person or team decided to attack my infrastructure, would they succeed in 30 minutes? If the answer is yes, it's time to patch.

What do you think?

Should building security systems be required by law to include external climb detection sensors, or would that be an overreach of regulation?

Is it ethical for engineers to study real-world physical hacks like this climb to improve security, or does it publicly expose dangerous vulnerabilities?

How would you design a machine learning model to accurately classify "person climbing building" from "bird perched on ledge" without excessive false positives?
