In this article
When Super Bowl LX lands at Levi’s Stadium on February 8, the spotlight will be on the field. But behind the scenes, thousands of security professionals will be at work ensuring the night is remembered for the game, not an incident.
With the U.S. entering a run of high-profile events from the FIFA World Cup this summer to the 2028 Olympics in Los Angeles, having fast and effective stadium security will be more important than ever. While security technology is advancing rapidly, the range of threats events face continues to grow.
Stadiums are complex ecosystems
Stadiums have always presented a demanding risk profile: high visibility, dense crowds, complex logistics, and a constant need to balance safety with fan experience. There have been numerous examples of over-excited fans finding their way into lockerrooms or other off-limits areas over the years. But stadiums also present attractive targets for more malicious actors.
Modern venues run on tightly integrated systems. Ticketing, identity and credentialing, point-of-sale, building management, broadcast and production infrastructure, vendor access, and back-of-house operations, all moving at game-day speed.
In recent years, cyberattackers have targeted the live-events ecosystem, including ticketing platforms holding massive volumes of consumer and event data. For example, reports around a Ticketmaster-related incident described attackers leaking ticket barcode data as part of an extortion attempt and referenced exposure of customer information at large scale.
The era of AI is creating new threats
Many organizations still carry an implicit assumption: if someone looks right, sounds right, and presents the right credential, they’re probably legitimate. AI has broken that assumption.
Bad actors can now easily create highly realistic deepfake videos, photos and voice recordings to impersonate almost anyone they want. These have already been used in at least one multi-million-dollar scam.
Now translate that to game-operations, where there are thousands of vendors, media, fans, VIPs and guests.
- Executive and athlete impersonation: Synthetic voice or video designed to authorize urgent credential changes, payments, or access restricted areas.
- False identities: Fake vendor, contractor, or “media” profiles intended to exploit credentialing workflows.
- Social engineering: Highly tailored spoof messages to pressure staff into “just this once” decisions.
None of this requires a Hollywood-style operation anymore. It just requires an attacker with time and intent.
A unified security playbook for stadium operators
I believe that stadium operators should prioritize three factors in optimizing their security:
- Make doors identity-aware and segment physical access like you segment networks
Treat critical spaces (network rooms, broadcast infrastructure, security operations, credential printing, cash handling, sensitive storage) as “crown jewels.” Apply tighter policy, stronger authentication, and more rigorous logging. - Train for modern deception, not yesterday’s threats
Expand awareness beyond phishing to include deepfake and voice spoofing cues, in-person social engineering, and “pressure-tested” processes for urgent requests, especially in credentialing, front office operations, and vendor management. - Verify through stress-testing
Run red-team exercises that combine physical intrusion objectives with cyber outcomes (for example: “gain access to a network closet” or “obtain a credential issuance exception”) because that is how real adversaries think: end-to-end, cross-domain, and opportunistic.
Ensuring stadiums are ready with security to address evolving threats will keep the focus where it belongs at a sports event: on the field.
