A couple of years ago, one of our clients made an investment. They bought 51% of a movie studio (sorry, we can't say which one). About 6 months after the money changed hands, our client managed to partner with Sony, who then showed interest in acquiring the company for well north of $100m.
The only issue was that the founders had decided that they were in a good position to get more money--after all, they still had the intellectual property including the passwords and the servers doing the rendering were under their control.
On a Sunday night, we got a call asking if we could pay the company a visit in LA to survey the assets. We went down on Monday, and got the lay of the land. On Tuesday, we went back, and did risk management survey.
On Wednesday, we reviewed the articles of incorporation, confirmed the ownership of the company with the CFO, talked to the board, put indemnification and release of liability agreements in place, and agreed on a course of action.
On Thursday night at 8pm, we had dinner then walked to the police station (a block away). We let them know that we'd be working on their security systems ("don't worry if you hear the alarms briefly as we'll be testing."). At 10pm, the CFO let us into the building, and we began the process of taking over the company.
We started with the video surveillance system. We took a picture of the server room from the camera's perspective, then we put the jpeg of the room on a laptop and duct-taped the laptop in front of the camera, so the camera was broadcasting the still of the room back to the founder's house. At this point, we could work without being watched.
Next we moved to the firewall, the routers, and the switches. We exploited unpatched vulnerabilities in each. Within an hour, we had compromised them all. (Knowing the brand of firewall and router on Tuesday had helped speed this process.) By midnight, we had control of all of the network equipment, but we did not yet own any of the servers.
We had earlier managed to compromise the receptionist's workstation, then used a brute force attack to gain elevated access to the servers. Once we had that, it took us about 3 1/2 hours (and a little social engineering) to get the domain administrator password (without rebooting any of the rendering servers, as they were earning $1m/day). By 3:30am, we had control of almost everything.
At about 4am, we secured the servers and network devices at their subsidiary in Germany (which was a little tricky as the Germans were already at work).
Finally, we took over their security and card access systems. For good measure, we also secured the fire suppression system and the garage door system. We finished up at about 5:15am.
When the first founder (CEO) showed up about an hour later, we walked him into a conference room where the board was waiting to talk to him. The second founder (CTO) was terminated on the spot. The CEO realized that he had overplayed his hand, and apologized, and agreed to play by the rules. The company has done very well since that time.
Like all of our clients, the board was extremely pleased with the outcome.