Breaking into a data center is a lot like peeling layers off an onion. First, there is the outer perimeter, a massive shield of fences, gates, cameras, barriers, and guards, all united to deter, detect, and delay you from going any further. Getting past these defenses will require a mix of stealth, social engineering, and obtaining the right credentials.
The next layer is the building itself, an unmarked, windowless fortress with only a handful of heavily guarded entries and exits. Don't even think about trying to blow a hole into the side of one—the walls are far too thick and reinforced for even a rocket launcher to cause much damage. To get inside, you'll need an ID card, or maybe a fingerprint or eye scan. Be on the lookout for more guards, more cameras.
Then there are the man-traps. If you manage to get into the lobby, you need to pass through a high-tech turnstile that locks you in place until your identity has been verified once again, like an airport scanner with four walls and a lock.
Past the break rooms and offices, you come to the core: the data hall. In rooms like these, often cavernous warehouses, lie tens of thousands of huge screenless computer servers, stacked in racks and powered by dozens of Nvidia graphics processing units (GPUs). These interlinked servers are the physical manifestation of the cloud, where the world's information is stored, and the next game-changing AI models are trained and inferenced (the official term for running an AI model). These halls are almost always devoid of humans; the only people typically allowed inside are the technicians and engineers who install and maintain the servers—and never without a guard escorting them.
People often associate data center security with cybersecurity: software firewalls and encryption protocols protecting the world's most powerful AI systems. But just as important is a more analog level of security: the physical world of guards, gates, and guns. As data centers become the most valuable buildings on Earth, the cybersecurity industry is seeing booming, lucrative demand for this kind of physical protection, because the threat doesn't necessarily come from an anonymous hacker halfway across the world. Sometimes it can be as simple as a cellphone in the wrong place at the right time.
Not too long ago, for instance, deep within one of those lonely data halls, a cybersecurity professional noticed a worrying pattern. Five times in the space of a month, an unauthorized WiFi access point (likely a phone hotspot) named “BigSexyNetwork” suddenly appeared in the building, and connected to one specific server on one specific rack for an average of 62 minutes. “Then the BigSexyNetwork would leave, and the jilted server would call out, trying to reconnect for a little while,” explains Chris Risley, CEO of wireless airspace security vendor Bastille.
Risley says that the data center only learned of BigSexyNetwork one month after integrating Bastille's technology, which detects and locates wireless networks and devices with pinpoint accuracy.
Founded in 2014, Bastille's original focus was on working with the intelligence community to protect its data from wireless threats. While Risley says the company still protects millions of square feet for financial services companies, the intelligence community, and the Department of Defense (including a few of the nation's nuclear weapons facilities), data center security is easily the fastest-growing arm of the business. He expects that sometime next year, “all this new business coming from AI data centers is going to exceed all the business we've built up over the previous 10 years.”
According to a recent EY survey of 250 business leaders, 79 percent of organizations increased their physical security budgets between 2025 and 2026, with 40 percent of respondents saying their budgets increased by more than 10 percent and just over 3 percent reporting increases of more than 50 percent. The survey also found that these security budgets are now largely being managed by Chief Information Security Officers.
For firms specializing in the physical side of cybersecurity, the AI data center boom is a perfect storm of demand. Companies can't construct these facilities fast enough, and the physical and digital content inside is becoming ever more valuable. As Risley puts it, some of these AI data centers contain “roughly the value of Fort Knox, but without the benefit of an Army garrison next door.” When you put all that value in one central location, he says, what happens next is simply inevitable: People are going to try to steal it.
While the likeliest and most capable perpetrators of data center theft, Risley says, are rival countries (he's confident that nation states have stolen important information from data centers already), it isn't just foreign superspies that have hyperscalers and colocators spooked; it's also everyday Americans who are being radicalized against data centers in real time.
In the United States, there are currently more than 3,000 operational data centers, and another 1,500 are in some level of development, according to the Pew Research Center. These planned data centers will be much larger on average, and 67 percent will be located in rural areas. Today, according to Pew, only 13 percent of data centers are in rural areas.
Most data centers are either fully owned and operated by “hyperscaler” companies such as Google, Meta, OpenAI, Microsoft, Anthropic, and Nvidia (all of whom declined to comment for this article), or by independent AI cloud providers and colocation operators such as CoreWeave and Digital Realty. These firms essentially act as landlords, renting out portions of their facilities and computing power to tenants.
Hyperscalers and colocators alike are running nationwide charm campaigns to convince government officials and communities to approve massive, landscape-changing infrastructure projects. The data center owners say these builds result in an explosion of jobs, tax revenue, and economic growth for the communities. Many struggling townships have been happy to approve the developments.
But while data centers can be a powerful source of fresh revenue for rural communities, their construction and operation can also strain local power systems, cause pollution, and disrupt water supply. They're also a constant headache for those who live nearby. Servers heat up as they work, and can melt down unless they're constantly kept cool. Many data centers use massive rooftop HVAC systems and fans to keep these servers cool, which can produce an incredibly loud humming sound audible from hundreds of feet away.
Local opposition to new data center projects is intense. According to a new Gallup poll, 71 percent of Americans oppose the construction of AI data centers in their communities, with 41 percent strongly opposing local builds. Residents of Boxtown, the south Memphis neighborhood where Elon Musk's Colossus data center is located, have protested Musk's plans to construct additional gas-powered turbines due to their potential to pollute the already-bad local air quality.
Some angry community members are even taking matters into their own hands. In early April, an unknown assailant fired 13 shots into the front door of Indianapolis City Councilman Ron Gibson's house after Gibson openly supported efforts to rezone part of his district in order to build a new data center. The shooter, who still hasn't been identified, left a handwritten note on Gibson's porch that read “No data centers.” But Gibson was undeterred, telling NBC News in a statement that the data center was a “done deal.”
“Data centers, because they're physical, have become the locus of public anxiety about AI,” says Nathaniel Rich, author of the upcoming novel Cloudthief, which features a daring heist on a rural data center. “You can't attack your browser,” he points out, “but you can go to where they're building a giant facility that's polluting your community, and you can attack that.”
Wesley Cummins is the CEO, Chairman and cofounder of data center company Applied Digital. He founded the company in 2021 as Applied Blockchain, initially focusing on cryptocurrency mining, but it changed its name to its current name in September 2022 when the company pivoted to “high-performance compute.”
Cummins downplays the negative effects that data centers have on communities, arguing that many people are being fed misinformation through “these 20 or 30-second video clips on Instagram or TikTok or Facebook that don't really deal in reality.” But he won't go where he isn't wanted, adding that Applied Digital recently pulled out of a project in South Dakota “because they just didn't really want us there.” Cummins adds that “there's just a certain group of people in the world that just love to be angry about something,” he says. “And so this is the thing for the moment.”
Cummins, 48, has projects in development all around the country, but there's a special place in his heart for Polaris Forge 1: a massive campus of three data center buildings in Ellendale, North Dakota, a small town of just over 1,000 people. When completed, Polaris will boast a computing capacity of 400 megawatts, roughly the power required to power every household in the state. In October, Applied Digital announced it had signed a deal with CoreWeave to lease the entire Polaris Forge 1 campus for 15 years at a $11 billion value.
As his company has shifted from the comparatively low-risk world of crypto into the extremely hot AI ecosystem, Cummins says that one of Applied Digital's biggest and fastest-growing expenses is physical security, which is “getting much more sophisticated.”
Those security personnel aren't usually Applied Digital employees, though. Cummins says it's a liability issue. “You always want to outsource security from that physical perspective,” he adds. “A lot of the protocols and equipment are our own, but the staffing is typically done by a third party.” Cummins has even recently held meetings with companies selling AI-powered robotic guard dogs, which can patrol data halls autonomously, though Applied Digital told Inc. that in the context of the pitches it received, the company is not currently considering hiring a robot dog.
The clients that Cummins serves have highly specific security requirements. CoreWeave, for instance, requires all of its data centers to use biometric and card-scanning doors to keep employees quarantined to approved areas, cages and walls around servers to prevent tenants from interacting with each other, and to be protected by security personnel year-round. The more valuable the onion, the more layers it takes to reach the core.
You might imagine that the key target for theft would be GPUs—at up to $30,000 apiece, Nvidia's H100 GPUs are among the most expensive pieces of consumer electronics ever made, and a single server rack can hold dozens of them. It's a tempting target. But seasoned security professionals will tell you the servers are almost beside the point. GPU heists have largely failed to materialize, perhaps because the few people with the skills to disassemble and reassemble them already make a good living doing it legitimately.
It's also impractical. For one, Cummins says, AI servers are tightly packed in massive racks, which are very heavy and difficult to move. Like Bastille CEO Risley, he makes the comparison to the infamous United States Bullion Depository: “If you were robbing something from Fort Knox, it's hard enough to actually move gold bars, but to take things that are as heavy as [server racks] out of a data center and resell them on the black market,” he says, is just impractical.
What really keeps data center owners and companies like OpenAI and Anthropic up at night isn't their GPUs getting stolen, but rather IP theft. Their crown jewels are model weights — the trained parameters that make today's neural networks possible, stored on drives and loaded into GPU memory inside server racks at the data center.
You can think of model weights as the secret formula for perfectly tuning AIs like ChatGPT and Claude; if a well-resourced bad actor obtained the weights for a super-advanced model, such as Anthropic's Claude Mythos, they could spin up a clone unbound by laws or morality. A successful break-in may not be enough to copy the model outright, but it could let an attacker plant a device, tamper with hardware, or create a new path for later exfiltration.
In an interview with Lightspeed Venture Partners, Anthropic chief information security officer Vitaly Gudanets said that “the risk of losing those model weights, or model weights being stolen, is really high,” and not just as a piece of IP for the company. “The powerful models, in the wrong hands, will have a significant societal impact,” he said. “There's national security considerations we have to worry about.”
In his essay “The Adolescence of Technology,” Anthropic CEO Dario Amodei wrote that super-intelligent AI could help autocratic governments develop killer robots and bioweapons, and cautioned that if such technology was owned and controlled by a single country's military apparatus, it would be near-impossible for other countries to defend themselves. The rest of the world “would be outsmarted at every turn,” he wrote, “similar to a war between humans and mice.”
Preventing attackers from reaching these weights and the vast reserves of data that AI models process daily is partly the responsibility of physical guards and physical security technology vendors like Bastille and Verkada, which specialize in AI-powered cameras and physical access control software. One potential attack vector that's currently worrying AI security pros, according to Risley, is discreet audio bugs. A tiny microphone hidden in the cafeteria might not pick up any talk of passwords, he says, but it can give hackers the personal information they need to cook up a believable phishing scam.
Risley says that data centers are now cracking down on electronic devices like mobile phones because of their potential to be contaminated with spyware. Not only can spyware read the entire contents of your phone, secretly activate your microphone, and even remotely turn your phone on and off, Risley says, it can also “probe anything that you've got a radio for in your phone.”
All smartphones have radios for connecting to cellular networks, Wi-Fi, Bluetooth, GPS, and more. Through wireless communication, attackers don't even need to be in a restricted area to steal data off the server, as evidenced by the BigSexyNetwork incident. They just need physical proximity and a compromised system. In some data centers, Risley says, “the rule is no freaking phones in our facility,” but he knows of at least one hyperscaler that has a “pretty liberal policy about phones, believing that the employees in there, doing pretty boring jobs, need to also be able to listen to podcasts, classical music, or whatever.”
Another way data centers are strengthening their defenses is by hiring security consulting firms to stress-test their safeguards. John Bekisz, vice president of data center and critical infrastructure at international security consultancy Guidepost Solutions, says he is currently providing his services to seven top hyperscalers, along with colocators and a growing number of real estate investment firms, many of whom are building data centers before securing tenants to use them.
Data centers hire companies like Guidepost to peel back each layer of their facilities in order to poke and prod for blind spots and weaknesses. Often this means investigating a planned center's blueprints or reviewing their security documentation, but sometimes, Bekisz says, the best way to identify security gaps is to put yourself in the criminal's shoes and try your hand at breaking in.
This process of staging physical intrusions on facilities is called penetration testing, or physical red teaming. These attacks don't happen at random, Bekisz says; they're highly coordinated ahead of time to ensure that nobody gets hurt.
“A lot of it is testing those perimeter entry points, testing those systems and the operational response,” he explains. Sometimes his team attempts to trick guards and employees by using social engineering tactics (like earning trust through fabricated urgency and authority, or slipping through a locked door by tailgating someone with credentials) to gain access to restricted areas. The old adage of being able to get in anywhere with a hard hat and a vest is “painfully true,” he admits.
And you don't even need a hard hat if you have a badge. In an effort to ingratiate themselves with locals, many data center providers make promises to hire from their local communities, but this could also increase the risk of hiring a saboteur. Since most data centers contract out their guard services to dedicated firms like Securitas, they have to trust that these partners will conduct thorough background checks to root out applicants with anti-data center sentiments.
According to documents obtained by Wired, federal agencies are warning of rising “anti-tech violent extremist activity” online. One document, from the government-affiliated Northern Virginia Regional Intelligence Center, warned that violent extremists “have engaged in pre-operational planning targeting data centers and other critical infrastructure facilities to disrupt government operations.”
As opposition and threats to data centers continue to grow in scale, a new idea is taking shape: If the public won't tolerate data centers on Earth, maybe the next-best option is to shoot them into space.
Not too long ago, the idea of orbital data centers was considered a joke. But in May, Anthropic said that it had “expressed interest in partnering with SpaceX to develop multiple gigawatts of orbital AI compute capacity,” and The Wall Street Journal reported that Google was in talks with SpaceX and other companies for orbital data center services.
These orbital data centers would work by interlinking several, potentially even hundreds of thousands, of server-filled satellites, rather than building and maintaining a singular massive space station. They'd be closer in shape to the satellite that beams TV into your living room than anything a person could walk around inside. Instead, these satellites would feature enormous solar arrays to constantly harness the sun's energy (the sun never sets in space), and sealed pods crammed with servers and flooded with coolant.
It's not hard to see the appeal. On Earth, tech titans are fighting communities for every acre of land, every watt of electricity, and every gallon of water, and are experiencing enormous backlash for it. In space, no one has to hear your data center scream.
In an S-1 filing, SpaceX wrote that it expects to begin deploying AI data center satellites in space “as early as 2028.” Because these satellites wouldn't have to worry about impact on local communities, their potential size is virtually limitless. Starcloud, another orbital data center startup, said in its white paper that these satellites “can be scaled almost indefinitely without the physical or permitting constraints faced on Earth.” Axiom Space, a startup that earlier this year launched two data center nodes into low-Earth orbit, says on its website that its proposed orbital data centers would have “unmatched security,” due to its “physically isolated infrastructure.”
It's true that orbital data centers would certainly be harder for everyday people to infiltrate than terrestrial ones, but as planned, they would likely be far more exposed while operating under an unproven playbook. Nearly every tenet of the data center security apparatus, meant to deter, detect, and delay intruders, just doesn't apply up there: You can't build a wall in space, and you can't put a solar array behind a man-trap.
Risley says that it's only a matter of time before a major data center suffers a well-publicized security breach, which means the clock is ticking for AI companies to find a way to secure their massively important assets, either by burying them deep at the core of the onion and finding a way to coexist with us on Earth, or by stripping back the onion's layers and throwing the core into the infinite expanse, where no one on Earth can reach it.
Read on Inc.com →