What a climber's marriage proposal reveals about the flaws in modern perimeter security - and why your company might be next.
On a crisp March morning, two professional roof climbers, Angela Nikolau and Ivan Beerkus, scaled the outer structure of the Empire State Building, reached the spire and, apparently, got engaged at the top. The stunt, which they livestreamed and documented on social media, ended with both of them taken into custody by the NYPD. The story was reported widely, including by CBS News under the headline "2 Empire State Building climbers in custody after apparently getting engaged at the top", and has captivated the public. But behind the romance and daredevilry lies a far more unsettling question for engineers and security professionals: how did they get past layers of physical security designed to prevent exactly this?
The answer is a masterclass in threat modeling failure - and a stark reminder that the same blind spots exist in your digital infrastructure. Whether you run a SaaS platform with millions of users or manage an office building's access control, the Empire State climb offers concrete lessons in attack surface reduction, detection evasion and the economics of deterrence.
Let's climb beyond the headlines and examine the technical and engineering principles that should keep every security architect awake at night.
The Incident: A Hollywood-Style Heist Without the Heist
Nikolau and Beerkus are no strangers to urban climbing. They have ascended dozens of skyscrapers worldwide - often without permission - filming each ascent for their millions of followers. But the Empire State Building represents a unique challenge: it's one of the most heavily surveilled buildings in the world, with multiple layers of physical security, including motion sensors, guards, and anti-climb spikes. Yet the pair managed to reach the 1,454-foot peak undetected until they were already there.
According to reports, they began scaling the building around 3 AM, using a combination of suction cups and harnesses. They bypassed perimeter fences by identifying a gap between the observation deck railing and the building's structural beams. They avoided detection by staying in blind spots between cameras - a technique they refined through multiple reconnaissance visits during daytime hours when the building was open to tourists. This isn't luck; this is methodical reconnaissance and attack planning.
For engineers, this echoes the classic perimeter bypass seen in so many breaches: the attackers didn't break the lock; they went around it. They studied the system, found the weakest link and executed a plan that relied on timing, patience and an intimate understanding of the gaps in the security architecture.
Perimeter Security Failures: When Physical and Digital Systems Collide
The Empire State Building's security team has likely invested millions in sensors, barriers and guard patrols. Yet two people with a rope and a camera outsmarted it. The parallel to web application security is striking. Consider a typical cloud environment: firewalls, intrusion detection systems (IDS) and access control lists (ACLs) are the digital equivalent of guards and fences. But sophisticated attackers, and sometimes determined script kiddies, bypass them by abusing legitimate features: an internal API endpoint that trusts any request arriving from inside the network, or a server-side request forgery (SSRF) in a public URL fetcher that is chained to reach that internal endpoint or the cloud metadata service.
In both cases, the failure isn't in the strength of individual security controls but in the coverage of the attack surface. The Empire State climbers found a seam between the camera coverage and the building's physical structure. In software, that seam might be an unauthenticated GraphQL query or a misconfigured S3 bucket. The underlying principle is the same: security that depends on perfect coverage of a complex perimeter is doomed to fail.
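The SSRF seam just described, as an added example (not code from the original article): a naive outbound-URL check of the kind that ships in many fetchers, beside a hardened one that resolves the hostname and refuses anything that lands in internal address space. The hostnames, addresses and the fake DNS table are constructed so the demo runs offline; the real resolver is included for production use.

```python
"""Added example, not code from the original article: the SSRF seam above,
shown as a naive outbound-URL check beside a hardened one. Hostnames,
addresses and the fake DNS table are constructed for the demo."""
import ipaddress
import socket
from urllib.parse import urlparse


class SSRFBlocked(Exception):
    """Raised when a user-supplied URL would reach internal address space."""


# Ranges that must never be reachable through a user-supplied URL. The
# ipaddress flags cover most of them; the explicit list adds CGNAT and
# "this network", which some interpreter versions do not flag as private.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local (cloud metadata lives here)
    "100.64.0.0/10", "0.0.0.0/8",                        # CGNAT, "this" network
    "::1/128", "fc00::/7", "fe80::/10",                  # IPv6 loopback, ULA, link-local
)]


def is_internal_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in DENY_NETWORKS)


def system_resolver(host: str) -> list:
    """Real DNS lookup (needs network); returns every A/AAAA answer."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


# Constructed DNS answers so the demo runs offline. "2130706433" and "127.1"
# are spellings of 127.0.0.1 that libc's inet_aton accepts; the named hosts
# stand in for attacker-controlled records that point inward.
CONSTRUCTED_DNS = {
    "public.example": ["93.184.216.34"],
    "2130706433": ["127.0.0.1"],
    "127.1": ["127.0.0.1"],
    "metadata.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])


def naive_is_safe(url: str) -> bool:
    """The 'before' check: a string blocklist on the literal hostname.
    Decimal IPs, attacker DNS records and userinfo tricks all walk past it."""
    host = urlparse(url).hostname or ""
    return host not in {"localhost", "127.0.0.1", "169.254.169.254"}


def hardened_check(url: str, resolver=system_resolver) -> list:
    """Return the IPs the fetcher may connect to, or raise SSRFBlocked.
    The caller must connect to exactly these IPs (no second lookup, or the
    record can change between check and use) and must re-run this check on
    every redirect hop instead of following redirects automatically."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise SSRFBlocked("userinfo in URL (http://trusted@internal trick)")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("no host")
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal address: no lookup needed
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise SSRFBlocked(f"{host} does not resolve")
    for ip in ips:
        if is_internal_address(ip):
            raise SSRFBlocked(f"{host} resolves to internal address {ip}")
    return ips


def hardened_is_safe(url: str, resolver=system_resolver) -> bool:
    try:
        hardened_check(url, resolver)
        return True
    except SSRFBlocked:
        return False


if __name__ == "__main__":
    for url in ("http://public.example/report", "http://2130706433/admin", "http://127.1/",
                "http://metadata.example/latest/meta-data/", "http://[::ffff:169.254.169.254]/",
                "http://rebind.example/", "file:///etc/passwd"):
        print(f"{url:48} naive={naive_is_safe(url)!s:5} hardened={hardened_is_safe(url, fake_resolver)}")
```

The naive check passes every URL in the demo except the literal loopback strings; the hardened one rejects all but the public host. Note that the check is only half the fix: the fetcher must connect to the returned IPs rather than looking the name up a second time, or a DNS record that flips between check and use (the `rebind.example` case) defeats it.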
This is why modern security frameworks like Zero Trust (NIST SP 800-207) advocate for eliminating the concept of a trusted perimeter entirely. Instead of assuming everything behind the firewall is safe, we verify every request, every time, regardless of origin. The Empire State Building was operating on a castle-and-moat model; the climbers didn't attack the castle - they climbed the cliff outside the moat.
How Did They Bypass Detection? A Threat Model Analysis
Let's dissect the climb using a simplified attack tree. The goal: reach the spire without being stopped. The steps:
- Reconnaissance: multiple daytime visits to photograph guard rotations, camera angles and structural weaknesses.
- Access: slip through a gap in the perimeter barrier during night hours, when guard density was lower.
- Evasion: climb in the blind spots of fixed cameras, which were aimed at ground-level movement, not vertical ascents.
- Execution: livestream the ascent, turning footage of the bypass itself into a PR asset.
Each step exploits a specific assumption in the threat model. The security team assumed that climbers would be deterred by anti-climb spikes; the couple used suction cups on the glass panes next to the spikes. They assumed cameras would cover the building's facade; the climbers moved directly under the ledges where cameras couldn't see. They assumed guards would detect any disturbance; the climbers made no noise.
In web security, the equivalent of ignoring vertical movement is failing to consider privilege escalation by chaining API calls. You may secure the login page, but an attacker who holds a low-privilege account might exploit a race condition in a password reset endpoint to reset an administrator's password and elevate to admin. The threat model must account for every possible path, not just the obvious ones.
This incident validates the method described in OWASP's Threat Modeling Cheat Sheet: decompose the system, ask what can go wrong at each step, decide what to do about it, and then check whether it worked, ideally with red team exercises against each step of the attack path. If the Empire State Building's security team had commissioned a physical red team exercise (a.k.a. a penetration test), they would likely have discovered the blind spots and gaps before the public did.
Lessons from the Empire State: Applying the Same Logic to Web Application Security
The most fascinating takeaway for software engineers is how the climbers' method mirrors advanced persistent threat (APT) techniques. APTs don't blast through firewalls; they use living off the land - abusing trusted tools and protocols to achieve their objectives. Nikolau and Beerkus didn't bring explosives; they brought suction cups that could have been used by legitimate window washers. They didn't disable cameras; they worked between them.
In your web applications, similar patterns appear when attackers use server-side request forgery (SSRF) or business logic abuse. For example, a poorly designed "forgot password" flow that sends the recovery link to an email address the user can set through a hidden form parameter is a gap in the perimeter logic. The attacker doesn't break encryption; they use a trusted feature for an unintended purpose.
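The "forgot password" gap above, and the reset-endpoint race mentioned earlier under the threat model, as one added example (not code from the original article). The vulnerable handler honours an `email` field from the request, so a hidden parameter redirects the recovery link; the hardened handler sends only to the address on record, answers identically whether or not the account exists, and issues a token that is hashed at rest, bound to the account, expiring and consumed in a single atomic step. The account store, addresses, link format and outbox are constructed for the demo.

```python
"""Added example, not code from the original article: a hidden-parameter
bug in a forgot-password flow beside the hardened version. Accounts,
addresses, the link format and the outbox are constructed."""
import hashlib
import secrets
import time

# Constructed account store; in a real app this is the users table.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "role": "admin"},
}

# token_hash -> (username, expiry). Only the hash is stored, so a dumped
# table cannot be turned back into usable links.
_PENDING = {}
TOKEN_TTL_SECONDS = 15 * 60


class Outbox:
    """Stand-in for the mail service: records what would have been sent."""
    def __init__(self):
        self.sent = []

    def send(self, to, link):
        self.sent.append({"to": to, "link": link})


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now=None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _PENDING[_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def vulnerable_forgot_password(form: dict, outbox: Outbox) -> bool:
    """'Before': the destination comes from the request, falling back to the
    record. An attacker who submits username=alice plus a hidden
    email=<theirs> field receives alice's reset link."""
    user = ACCOUNTS.get(form.get("username", ""))
    if user is None:
        return False                      # also leaks which usernames exist
    token = issue_reset_token(form["username"])
    outbox.send(to=form.get("email", user["email"]),
                link=f"https://app.example/reset?token={token}")
    return True


def hardened_forgot_password(form: dict, outbox: Outbox) -> bool:
    """'After': the only input honoured is the username; the destination is
    read from the account record. The response is the same whether or not
    the account exists, so the endpoint cannot enumerate users either."""
    user = ACCOUNTS.get(form.get("username", ""))
    if user is not None:
        token = issue_reset_token(form["username"])
        outbox.send(to=user["email"], link=f"https://app.example/reset?token={token}")
    return True


def redeem_reset_token(token: str, username: str, now=None) -> bool:
    """Single use. pop() removes the entry in the same step that reads it, so a
    second submission of the same link finds nothing. In SQL the equivalent is
    DELETE ... WHERE token_hash = ? RETURNING ...; a SELECT followed by a
    separate DELETE is exactly the race window described above."""
    now = time.time() if now is None else now
    entry = _PENDING.pop(_hash(token), None)
    if entry is None:
        return False
    owner, expiry = entry
    return owner == username and now <= expiry


if __name__ == "__main__":
    attack = {"username": "alice", "email": "attacker@evil.example"}   # constructed request
    ob_before, ob_after = Outbox(), Outbox()
    vulnerable_forgot_password(attack, ob_before)
    hardened_forgot_password(attack, ob_after)
    print("vulnerable handler mailed:", ob_before.sent[-1]["to"])
    print("hardened handler mailed:  ", ob_after.sent[-1]["to"])
```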
To defend against such attacks, adopt these engineering practices:
- Immutable infrastructure: treat every change as a new deployment, making it harder for attackers to tamper with configurations.
- Strong identity foundations: add multi-factor authentication (MFA) and continuous session validation - just as the building should have required biometric re-verification at every elevator bank.
- Canary traps: insert fake configurations or endpoints that only attackers would trigger, alerting your SOC immediately.
These aren't theoretical. At my previous company, we reduced credential-stuffing incidents by 80% after deploying a canary token disguised as a "secret backup" in a public GitHub repo. When an attacker tried to use it, our SIEM notified us within seconds. The same logic could have alerted the Empire State security team that someone was testing climbs during daytime visits.
The Proposal as a Social Engineering Vector
The engagement aspect of this story introduces a second dimension: social engineering. By framing the climb as a romantic proposal, the couple generated massive public sympathy, even after being arrested. The NYPD's press release had to compete with viral videos of the proposal moment. This is a textbook example of reputation-based manipulation - a tactic used by phishing operators who create fake domains resembling charities or romantic interests to lower their target's guard.
Security engineers often overlook the human element because it's messy and hard to model. But the Empire State climb demonstrates that narrative can neutralize security responses. If your organization faces a security incident, how you communicate it matters. The couple's story turned them from criminals into folk heroes. If your internal security team detects a breach, but the attacker has already crafted a "bug bounty" cover story, will your incident response team hesitate?
This is why CISA's Insider Threat Mitigation Guide stresses behavioral indicators, not just technical ones. The couple's repeated, individually innocuous visits to the site were a red flag, but because they acted like tourists they were ignored. In your database logs, an account that queries a table outside normal hours might be a developer debugging, or it might be an attacker exfiltrating data. Without context and behavioral baselines, you won't know until it's too late.
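The baseline the paragraph above calls for, as an added example (not code from the original article): a per-account profile of hours seen, tables touched and row counts, built from a week of database access logs and then applied to new lines. The log format, account names and every log line are constructed; in practice the baseline comes from the audit log of the database or the query proxy.

```python
"""Added example, not code from the original article: behavioral baselining
over database access logs. The log format, accounts and lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "table": m["table"], "rows": int(m["rows"])}


def build_baseline(lines):
    """Per account: hours of day seen, tables touched, largest result set."""
    base = defaultdict(lambda: {"hours": set(), "tables": set(), "max_rows": 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        b = base[ev["user"]]
        b["hours"].add(ev["ts"].hour)
        b["tables"].add(ev["table"])
        b["max_rows"] = max(b["max_rows"], ev["rows"])
    return dict(base)


def evaluate(baseline, lines, rows_factor=10):
    """Return (line, reasons) for each event that deviates from its account's
    baseline. More reasons on one event means more context for the analyst:
    one off-hours query is a question, an off-hours full dump of a table the
    account never touched is an incident."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        b = baseline.get(ev["user"])
        reasons = []
        if b is None:
            reasons.append("account has no baseline")
        else:
            if ev["ts"].hour not in b["hours"]:
                reasons.append(f"hour {ev['ts'].hour:02d} never seen for this account")
            if ev["table"] not in b["tables"]:
                reasons.append(f"table {ev['table']} never queried by this account")
            if b["max_rows"] and ev["rows"] > rows_factor * b["max_rows"]:
                reasons.append(f"rows={ev['rows']} exceeds {rows_factor}x baseline max {b['max_rows']}")
        if reasons:
            alerts.append((line.strip(), reasons))
    return alerts


# Constructed "training" week.
BASELINE_LOG = [
    "2024-03-04T09:12:01Z user=svc_report table=orders rows=1200",
    "2024-03-04T10:40:13Z user=svc_report table=orders rows=900",
    "2024-03-05T09:03:44Z user=svc_report table=invoices rows=1500",
    "2024-03-05T14:22:08Z user=dev_bob table=orders rows=20",
    "2024-03-06T11:05:19Z user=dev_bob table=invoices rows=35",
]

# Constructed new day: two normal events, a late-night dev query, and a
# service account pulling a quarter of a million customer rows at 02:14.
NEW_LOG = [
    "2024-03-12T09:15:30Z user=svc_report table=orders rows=1100",
    "2024-03-12T02:14:07Z user=svc_report table=customers rows=250000",
    "2024-03-12T14:50:00Z user=dev_bob table=orders rows=12",
    "2024-03-12T23:41:55Z user=dev_bob table=orders rows=18",
]


if __name__ == "__main__":
    for line, reasons in evaluate(build_baseline(BASELINE_LOG), NEW_LOG):
        print(line)
        for r in reasons:
            print("   -", r)
```

Both the 02:14 service-account dump and the 23:41 developer query trip the hour rule, but only the first also trips the table and volume rules. That difference is the context the paragraph is asking for: the baseline does not decide who is an attacker, it tells the analyst which of the two to look at first.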
What Would a Robust Security Architecture Look Like?
If we were to redesign the Empire State Building's physical security using modern engineering principles, what would change? First, we'd replace static camera coverage with adaptive vision systems using AI-based motion tracking. A camera with onboard ML could detect a vertical climbing motion against a static facade and trigger an alert, even if the human observers missed it. This is analogous to using Web Application Firewalls (WAFs) with anomaly detection that can identify unusual request patterns - like repeated file uploads to a rarely used endpoint - rather than relying on static rule sets.
Second, we would deploy dynamic perimeters. Instead of a single fence at ground level, the building would have multiple layers of honeypots: fake ledges that trigger alarms when stepped on. In the digital world, this translates to deception technology: fake database tables or API endpoints that only an attacker would access, providing high-fidelity alerts.
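The decoys just described, and the canary token from the credential-stuffing story earlier, as one added example (not code from the original article): a set of decoy paths that nothing legitimate ever requests, a canary API key that authenticates to nothing, and an access-log tripwire that raises an alert on any contact with either. Because the decoys have no legitimate users, the alert needs no baseline and has no false positives to tune. The paths, the key value, the log format and the log lines are constructed.

```python
"""Added example, not code from the original article: decoy endpoints and a
canary credential wired to an access-log tripwire. Paths, key, log format
and log lines are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Decoys: never linked from the UI, never used by real clients. Anything
# that reaches them has been exploring, not browsing.
DECOY_PATHS = {"/api/v1/internal/backup", "/.git/config", "/admin/export.sql"}

# Canary credential: planted in a config comment or a "leaked" repository.
# It authenticates to nothing; its only job is to be recognisable in logs.
CANARY_API_KEY = "ak_live_CANARY_7f3e9c1b0d2a4e68"   # constructed value

# Constructed access-log shape: ip timestamp METHOD path status [key=...]
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: key=(?P<key>\S+))?$"
)


@dataclass
class Alert:
    when: str
    source_ip: str
    kind: str
    detail: str


def scan_access_log(lines):
    """Every decoy hit is an alert regardless of status code: a 404 on
    /.git/config is still someone probing for a repository."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["path"] in DECOY_PATHS:
            alerts.append(Alert(m["ts"], m["ip"], "decoy-endpoint",
                                f"{m['method']} {m['path']} -> {m['status']}"))
        if m["key"] == CANARY_API_KEY:
            alerts.append(Alert(m["ts"], m["ip"], "canary-credential",
                                f"canary key presented on {m['path']}"))
    return alerts


def sources_by_severity(alerts):
    """Rank source addresses by how many tripwires they touched."""
    return Counter(a.source_ip for a in alerts).most_common()


# Constructed log: one ordinary visitor, one address that finds the decoy
# repo, the decoy backup endpoint and then tries the planted key.
SAMPLE_LOG = [
    "203.0.113.7 2024-03-12T02:01:11Z GET /login 200",
    "203.0.113.7 2024-03-12T02:01:40Z GET /api/v1/orders 200",
    "198.51.100.23 2024-03-12T02:03:05Z GET /.git/config 404",
    "198.51.100.23 2024-03-12T02:04:19Z GET /api/v1/internal/backup 403",
    "198.51.100.23 2024-03-12T02:05:02Z GET /api/v1/orders 401 key=ak_live_CANARY_7f3e9c1b0d2a4e68",
]


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.when} {a.source_ip:15} {a.kind:18} {a.detail}")
    print("ranked sources:", sources_by_severity(found))
```

The same logic runs unchanged against a SIEM search: the only tuning is keeping the decoy list and the canary value out of anything a real client is ever given.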
Third, we would implement continuous verification. Every entry point (elevator, stairwell, window, ventilation shaft) would require fresh authorization even for maintenance personnel. High-assurance facilities already work this way; why shouldn't a national landmark? For software, this is the principle of just-in-time (JIT) access: ephemeral credentials that expire within minutes, so a credential stolen from one task is useless for moving laterally by the time an attacker tries to reuse it.
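The ephemeral credential described above, as an added example (not code from the original article): a just-in-time token carrying principal, scope and expiry, signed with an HMAC key held by the issuer, and refused once its TTL lapses, if any field is altered, or if it is presented for a scope it was not issued for. The signing key, principals, scopes and TTL are constructed; the clock is injected so expiry can be exercised deterministically. In production the key would be held by a KMS or HSM and the issuer would sit behind an approval step.

```python
"""Added example, not code from the original article: just-in-time access
tokens with a short TTL, a scope and an HMAC signature. Key, principals,
scopes and TTL are constructed; the clock is injectable for testing."""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"   # would live in a KMS/HSM
DEFAULT_TTL = 300   # five minutes: long enough to do the task, too short to pivot with


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(principal: str, scope: str, ttl: int = DEFAULT_TTL, now=None, key: bytes = ISSUER_KEY) -> str:
    """Mint a token for one principal, one scope, one short window."""
    now = int(time.time()) if now is None else int(now)
    claims = {"sub": principal, "scope": scope, "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify(token: str, required_scope: str, now=None, key: bytes = ISSUER_KEY):
    """Return the claims if the token is authentic, unexpired and carries the
    required scope; otherwise None. The signature is checked, in constant
    time, before the body is parsed, so unsigned input never reaches the
    JSON decoder."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    if claims.get("scope") != required_scope:
        return None
    return claims


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue("report-job", "db:read", now=t0)
    print("within TTL, right scope:", verify(tok, "db:read", now=t0 + 60) is not None)
    print("within TTL, wrong scope:", verify(tok, "db:write", now=t0 + 60) is not None)
    print("after TTL:              ", verify(tok, "db:read", now=t0 + DEFAULT_TTL + 1) is not None)
```

A token lifted from the report job's memory buys an attacker at most five minutes of read access to one scope; escalating to `db:write` or reusing it an hour later fails closed. Revocation before expiry, if needed, is a small denylist keyed on `iat` and `sub` that only has to be remembered for the TTL.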
But perhaps the most critical change would be in incident response playbooks. The responders on the scene had presumably rehearsed for a bombing, not a romantic climb. Your security team needs to simulate every plausible attack scenario, including those that seem absurd, like a contractor leaving a backdoor in production code to pad their performance metrics.
The Role of AI and Computer Vision in Preventive Security
The Empire State climb happened despite hundreds of cameras. Why? Because cameras are passive sensors that require human monitoring, and humans are terrible at sustained attention. During a 50-minute ascent, a guard watching 16 camera feeds would likely miss a single climber in the dark. Research on vigilance decrement shows that after about 20 minutes, operators miss up to 50% of events. That's not a human failing; it's a system design flaw.
AI and computer vision can augment human attention. Modern detectors such as YOLOv8 run in real time and include pose-estimation variants. If the Empire State Building had deployed such a model trained on climbing activity (not just the standard "person" class), it could have flagged the movement as anomalous and alerted a human operator. Similarly, your web application can use behavioral biometrics, analyzing mouse movements, keystroke dynamics and navigation patterns, to distinguish a human user from an automated bot or a hijacked session.
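The "vertical motion against a static facade" rule from the redesign section, as an added example (not code from the original article) of the post-processing that would sit behind a detector like the one above. The detector's job is to emit a box per person per frame; the tracker's job is to group those boxes; this function's job is to decide that a track which keeps gaining altitude for several seconds is a climber and not a pedestrian or a bird. The frame rate, thresholds and the three tracks are constructed; the thresholds are in pixels and would be set per camera.

```python
"""Added example, not code from the original article: a sustained-vertical-
motion rule over object-tracker output. Frame rate, thresholds and tracks are
constructed; image y grows downward, so a rise is a decrease in y."""
from collections import defaultdict

FPS = 10
MIN_RISE_PX = 120       # net upward movement over the track
MIN_SECONDS = 5.0       # sustained for at least this long (filters birds and flicker)
MIN_MONOTONIC = 0.8     # fraction of steps that move up or hold (filters to-and-fro)


def vertical_rise_alerts(detections):
    """detections: iterable of (frame, track_id, cx, cy) centroids, as a
    tracker would emit them. Returns one alert per track that climbs."""
    tracks = defaultdict(list)
    for frame, tid, cx, cy in detections:
        tracks[tid].append((frame, cx, cy))
    alerts = []
    for tid, pts in tracks.items():
        pts.sort()
        if len(pts) < 2:
            continue
        duration = (pts[-1][0] - pts[0][0]) / FPS
        rise = pts[0][2] - pts[-1][2]
        ups = sum(1 for a, b in zip(pts, pts[1:]) if b[2] <= a[2])
        monotonic = ups / (len(pts) - 1)
        if rise >= MIN_RISE_PX and duration >= MIN_SECONDS and monotonic >= MIN_MONOTONIC:
            alerts.append({"track": tid, "rise_px": rise, "seconds": duration,
                           "monotonic": round(monotonic, 2)})
    return alerts


_JITTER = (0, 2, 0, -2)   # deterministic stand-in for detector box noise


def demo_detections():
    """Three constructed tracks on a facade camera: a pedestrian crossing at
    street level, a climber rising 200 px over 8 s, and a 0.4 s flicker that
    jumps upward (a bird, or a tracker mis-association)."""
    dets = []
    for i in range(81):
        dets.append((i, "ped-1", 100 + 4 * i, 700 + _JITTER[i % 4]))
        dets.append((i, "climber-2", 640, 700 - 2.5 * i + _JITTER[i % 4]))
    for i, cy in enumerate((600, 540, 480, 420, 360)):
        dets.append((i, "bird-3", 300 + 20 * i, cy))
    return dets


if __name__ == "__main__":
    for alert in vertical_rise_alerts(demo_detections()):
        print(alert)
```

Only the climber track survives all three tests: the pedestrian has no net rise, and the flicker rises far enough but lasts 0.4 s. A real deployment would also gate on the track's x position lying on the facade mask rather than the street, which is the same "where can movement legitimately come from" question the cameras' original operators never asked.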
Of course, AI introduces attack surfaces of its own: adversarial examples can fool object detectors (e.g., wearing a pattern that misleads the model). So the strategy should be defense in depth: AI for triage, humans for decision-making and physical barriers as a last resort. That layering is what makes the Detect and Respond functions of the NIST Cybersecurity Framework work in practice.
Risk Assessment: Why Deterrence Often Beats Detection
One underlying question remains: did the Empire State Building suffer a security failure, or did it make a risk acceptance? The building's owners likely calculated that the cost of preventing every possible climb exceeded the potential reputation damage of a rare incident. They chose deterrence (fences, guards) over absolute prevention, and they were right, until they weren't.
This is a core decision in risk management: optimum security isn't maximum security. In a SaaS company with a 99.9% uptime SLA, you might accept a 0.1% failure rate because going to 99.99% would cost ten times more. Similarly, the building's owners may decide that the PR boost of a romantic proposal outweighs the exposure the climb revealed.
However, the couple's detention shows that consequences still apply. The question for engineers is: what's your equivalent of the "arrest" event? In digital security, it might be a breach notification, a regulatory fine or a class-action lawsuit. If your threat model only accounts for "prevent or detect" but not "deter and respond", you will always be one missed alert away from disaster.
A healthy approach is to simulate your worst-case scenario annually. In a tabletop exercise, ask: "What if a rogue employee with admin access cloned our entire database and sold it? " Then walk through the legal, technical, and PR response. The Empire State Building's team probably never simulated a climber's proposal. After March 2024, they will.
Frequently Asked Questions
- What specific security flaws did the Empire State Building climbers exploit?
They exploited gaps in camera coverage (under ledges and during vertical transitions), relied on the lack of vibration sensors on the facade and took advantage of low guard density during night hours. They also used reconnaissance visits to map blind spots.
- How can web developers apply these lessons to prevent API abuse?
Adopt a Zero Trust model: validate every request regardless of origin, add rate limiting on sensitive endpoints and use behavioral analytics to detect anomalous access patterns (e.g., repeated calls to a password reset endpoint from different IPs).
- Are there tools available to simulate physical security red teaming for buildings?
Yes, many security consultancies offer physical penetration testing (e.g.,