Drones Are Both a Physical Security and Cybersecurity Problem
My background is security operations and threat hunting in enterprise and government environments. I spend most of my professional time thinking about endpoint telemetry, identity attacks, and cloud IR. Drones have not historically been part of that picture.
That’s changing, and faster than most enterprise security teams are paying attention to.
I recently completed the Drone Security Fundamentals course from DroneSec, an Australian firm that has built one of the most focused bodies of knowledge on UAV security available anywhere. The course is designed for security professionals who need to understand the threat landscape around drones — practitioners who may encounter drones as an attack vector, an ISR platform, or a forensic evidence source in their operational environment, or as part of their duties responding to events in the critical infrastructure sector.
The framing that anchors the entire course is that a drone is a computer. It runs an embedded Linux-based operating system, it communicates over IP networks, it connects to vendor cloud infrastructure, and it is vulnerable to the same classes of attack that any networked endpoint is vulnerable to. If you are in InfoSec and have any interest in drones, I highly recommend this company for their training. This blog post is a compilation of my most relevant notes, but in no way covers the entire course.

The Threat Landscape Is Broader Than Most Teams Model
DroneSec organizes threats into two categories that are more useful than the physical versus digital split most people default to.
Indirect threats are scenarios where the drone is not itself the weapon but rather a force multiplier for another operation. The primary indirect use case is Intelligence, Surveillance, and Reconnaissance (ISR). A drone gives an adversary real-time, high-fidelity aerial imagery of a facility, perimeter, personnel patterns, and physical security controls at a cost of a few hundred dollars and a skill barrier that is effectively zero. Satellite imagery and Google Maps are static. A drone delivering live video of your loading dock, server room cooling infrastructure, or generator placement is not. The Christchurch case study in the course is instructive: forensic analysis of the attacker’s seized drone found pre-attack surveillance footage of the target and surrounding area. The drone wasn’t used in the attack. It was used in the planning of it.
Direct threats are the weaponized use cases: explosive payloads, electronic warfare, signal interception. ISIS maintained dedicated training programs for drone modification and payload deployment. Cartels use modified DJI Matrice and Inspire platforms, capable of carrying kilograms of payload, with custom out-of-band electronic triggers for remote detonation. The US Army’s Counter-UAS doctrine (ATP 3-01.81) captures the severity of the problem plainly: if a UAS is observed over your position, you are already compromised.
For most enterprise security practitioners, the relevant threat tier is the indirect one. Physical payload attacks are primarily a military and critical infrastructure concern. ISR via drone is a realistic threat for any facility with an external adversary motivated to conduct pre-attack reconnaissance: financial institutions, data centers, government facilities, and any site with physical security that an attacker would benefit from understanding before attempting access.

The Drone Stack Looks Familiar to InfoSec Practitioners
The cyber-UAV section of the course is where the material becomes most immediately relevant for IR practitioners, because the architecture is recognizable.
A standard commercial drone system operates on its own IPv4 network. The controller is effectively a router. The drone is an endpoint running embedded Linux. The companion application on the operator’s mobile device connects via USB, Bluetooth, or Wi-Fi and communicates with vendor cloud infrastructure over 4G/LTE, sending location data, hardware identifiers, flight telemetry, NFZ codes, and profile information to vendor servers. DroneSec’s comparison is direct and accurate: a single drone is analogous to a desktop PC; a UAS traffic management system is analogous to an enterprise network; a counter-drone system is analogous to an antivirus platform.
The attack surface maps accordingly. Hardcoded SSH, FTP, and Telnet credentials on the drone’s Linux environment. Default or weak WPA2 passwords on the controller’s Wi-Fi network. Vendor server access exposing user flight records, purchased media, and in some cases flight controls for autonomous systems. Below are a few of the cyber threat vectors I was able to wargame through for drones, noting that there is a large overlap with satellite threat vectors and some prior experience I was able to call upon.

The attack chain for a Wi-Fi-based drone is a straightforward network attack: scan for drone MAC addresses in the air, connect to the drone’s wireless network, authenticate to the drone’s Linux OS via Telnet or SSH, use iptables to block the legitimate operator’s IP and whitelist your own, hijack the video stream, port controls to your system, and fly the asset away. That sequence would be recognizable to any penetration tester who has done wireless assessments. The novelty is that the computer can now fly.

Threat Modeling for Drone Risk Is Different From Traditional InfoSec
The course dedicates significant coverage to threat modeling for drone environments, and the framework it introduces is worth carrying into your own programs if drones are part of your threat surface.
DroneSec’s UAS threat actor taxonomy classifies adversaries across three tiers: Trivial (hobbyist, local disruptor, basic tools, budget under $3,000), Informed (hacktivists, organized criminal groups, SDR tooling, budget under $20,000), and Sophisticated (nation states, APTs, GPS jammers and spoofers, 0-day protocol exploits, effectively unlimited budget). The parameters for each tier cover skill level, work hours available, equipment, drone capacity, operational presence, and total cost.
This structure is more operationally useful than the generic APT/criminal/insider taxonomy most enterprise threat models use because it accounts for the physical capabilities and operating range of the threat actor, not just their technical sophistication. It is a good starting point for mapping your organization’s threat model with regard to UAVs.
Counter-Drone Is Mostly Illegal for Private Organizations
One of the most practically important sections of the course covers counter-drone technology and its legal constraints, and the conclusion is straightforward: most countermeasures that would actually stop a drone are illegal for private organizations in most jurisdictions.
Detection is broadly permissible. RF detection, optical recognition, radar, and acoustic sensors can be deployed to identify and track drone activity without running into the legal restrictions that surround mitigation. Detection is useful for documenting the threat, alerting security teams to operator locations, and enabling SOC procedures without taking active countermeasures that would constitute interference with an aircraft.
Mitigation is where the legal constraints become prohibitive. RF and GPS jamming, protocol spoofing, network hijacking, and kinetic countermeasures are all regulated as actions against aircraft in most jurisdictions. The regulatory reality is that a private security team observing a drone conducting ISR over their facility has very limited legal options for stopping it beyond contacting law enforcement, even if the drone is clearly operating maliciously.
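The detection side is the one a private security team can actually build on, so here is an added example of my own (not code from the course or from DroneSec) showing what the defensive mirror of the "scan for drone MAC addresses" step looks like in practice: constructed Wi-Fi beacon observations from perimeter RF sensors are matched against a vendor OUI watchlist and SSID hints, grouped into tracks, and mapped to the detect/document/locate/report actions rather than to any countermeasure. The OUI prefixes, SSID hints, sensor names, timestamps and thresholds are all placeholders or assumptions I constructed for the illustration.

```python
"""Drone detection triage: Wi-Fi beacon observations -> SOC actions.

Added example, not part of the course material. Assumes an RF/Wi-Fi sensor
exports beacon observations as dicts with ts, bssid, ssid, rssi and sensor
(the observations below are constructed). Every OUI and SSID hint here is a
PLACEHOLDER, not a real vendor prefix; populate from the IEEE OUI registry
or your sensor vendor's data in a real deployment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WATCHLIST_OUIS = {                       # first three octets -> label (placeholders)
    "aa:bb:cc": "placeholder-drone-vendor",
    "dd:ee:ff": "placeholder-controller-vendor",
}
SSID_HINTS = ("drone", "uav")            # constructed substrings to flag on
DWELL_ESCALATE = timedelta(minutes=2)    # sustained loiter -> report to law enforcement
REPEAT_DOCUMENT = 3                      # repeated sightings -> start evidence record


@dataclass
class Track:
    bssid: str
    ssid: str
    label: str
    first_seen: datetime
    last_seen: datetime
    peak_rssi: int
    nearest_sensor: str    # sensor that saw the strongest signal (rough operator/drone location)
    samples: int = 1

    @property
    def dwell(self) -> timedelta:
        return self.last_seen - self.first_seen


def oui(bssid: str) -> str:
    return bssid.lower()[:8]


def classify(obs: dict) -> Optional[str]:
    """Return a watchlist label for an observation, or None if it is not of interest."""
    label = WATCHLIST_OUIS.get(oui(obs["bssid"]))
    if label:
        return label
    ssid = obs["ssid"].lower()
    if any(hint in ssid for hint in SSID_HINTS):
        return "ssid-hint"
    return None


def build_tracks(observations: List[dict]) -> Dict[str, Track]:
    """Group matching observations per BSSID, tracking dwell time and strongest sensor."""
    tracks: Dict[str, Track] = {}
    for o in sorted(observations, key=lambda o: o["ts"]):
        label = classify(o)
        if label is None:
            continue
        t = tracks.get(o["bssid"])
        if t is None:
            tracks[o["bssid"]] = Track(o["bssid"], o["ssid"], label, o["ts"], o["ts"], o["rssi"], o["sensor"])
            continue
        t.last_seen = max(t.last_seen, o["ts"])
        t.samples += 1
        if o["rssi"] > t.peak_rssi:
            t.peak_rssi, t.nearest_sensor = o["rssi"], o["sensor"]
    return tracks


def triage(tracks: Dict[str, Track]) -> Dict[str, str]:
    """Map each track to an SOP action: 'log', 'document' or 'escalate'."""
    actions = {}
    for bssid, t in tracks.items():
        if t.dwell >= DWELL_ESCALATE:
            actions[bssid] = "escalate"
        elif t.samples >= REPEAT_DOCUMENT:
            actions[bssid] = "document"
        else:
            actions[bssid] = "log"
    return actions


def incident_report(observations: List[dict]) -> List[dict]:
    """Produce the record a SOC would hand to law enforcement or keep as evidence."""
    tracks = build_tracks(observations)
    actions = triage(tracks)
    return [
        {"bssid": t.bssid, "label": t.label, "first_seen": t.first_seen.isoformat(),
         "last_seen": t.last_seen.isoformat(), "dwell_s": int(t.dwell.total_seconds()),
         "nearest_sensor": t.nearest_sensor, "peak_rssi": t.peak_rssi, "action": actions[b]}
        for b, t in tracks.items()
    ]


# Constructed sample: one loitering drone AP, one controller seen once, one SSID-hint
# device seen three times, and a neighbour's access point that must be ignored.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_OBSERVATIONS = [
    {"ts": T0, "bssid": "AA:BB:CC:01:02:03", "ssid": "XX-123456", "rssi": -70, "sensor": "north-fence"},
    {"ts": T0 + timedelta(seconds=45), "bssid": "AA:BB:CC:01:02:03", "ssid": "XX-123456", "rssi": -62, "sensor": "loading-dock"},
    {"ts": T0 + timedelta(seconds=150), "bssid": "AA:BB:CC:01:02:03", "ssid": "XX-123456", "rssi": -68, "sensor": "loading-dock"},
    {"ts": T0 + timedelta(seconds=10), "bssid": "10:20:30:40:50:60", "ssid": "HomeWiFi", "rssi": -80, "sensor": "north-fence"},
    {"ts": T0 + timedelta(seconds=20), "bssid": "DD:EE:FF:09:08:07", "ssid": "Controller_7F", "rssi": -55, "sensor": "north-fence"},
    {"ts": T0 + timedelta(seconds=30), "bssid": "00:11:22:33:44:55", "ssid": "my-drone-test", "rssi": -75, "sensor": "roof"},
    {"ts": T0 + timedelta(seconds=50), "bssid": "00:11:22:33:44:55", "ssid": "my-drone-test", "rssi": -74, "sensor": "roof"},
    {"ts": T0 + timedelta(seconds=70), "bssid": "00:11:22:33:44:55", "ssid": "my-drone-test", "rssi": -73, "sensor": "roof"},
]

if __name__ == "__main__":
    for row in incident_report(SAMPLE_OBSERVATIONS):
        print(row)
```

Matching on an OUI or SSID alone is a trigger for documentation, not attribution: manufacturers share prefixes across product lines and hobbyists rename SSIDs, so the value of the record is the timestamps, dwell time and nearest sensor that a security team can hand to law enforcement, which is exactly the "document, locate the operator, report" sequence and nothing that interferes with the aircraft.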
Wrap-Up
The practical implication is that if drones are a concern for your organization, your physical security posture needs to account for the ISR threat without assuming active countermeasures are available. The link to incident response ties back to physical security incident response plans. What do you do? When do you take the action? Who takes the action? Detection capability and an SOP for escalation to law enforcement are the realistic framework for most private organizations.
Interpol has a great framework resource for responding to a drone incident that I recommend reviewing alongside the FAA guidance. “Drone incident response involves immediately detecting, identifying, and mitigating unauthorized or dangerous drone activity. Key actions include documenting details, locating the operator, and reporting to authorities like the FAA. Effective responses require pre-defined protocols, situational awareness, and secure evidence collection.”
If you are able to retrieve the drone in question, consider what data can be obtained through forensics, and if you face a realistic threat of kinetic or emerging attacks, work with your local FBI Field Office and InfraGard chapter to prepare in advance. This ties back into the earlier post regarding Incident Response Planning.
More drone posts coming soon. I’ll be taking their Drone Security Regulations, and Drone SecOps: Offense and Defense courses in the coming days.