Honeybadger Solutions LLC

Denver Cannabis Security & Colorado MED Compliance

Cutaway concept of a Denver cannabis dispensary with secured zones and camera sightlines and a faint Rocky Mountain skyline in navy and gold

Cannabis security in Denver is a two-layer compliance-and-defense program: it must satisfy Colorado Marijuana Enforcement Division (MED) rules — continuous video with a minimum 40-day retention, badge-controlled limited-access areas, monitored alarms, commercial-grade locks, and METRC seed-to-sale tracking — and Denver’s own local licensing conditions, while defeating the armed-robbery, burglary, and diversion threats that follow a dense, cash-intensive market. A lapse in either layer can cost the license outright.

Denver operates one of the oldest and most concentrated regulated cannabis markets in the country, and with that maturity comes scrutiny. A Denver dispensary or cultivation site answers to two regulators at once — the Colorado MED at the state level and the Denver Department of Excise and Licenses locally — and to a criminal threat environment that treats cannabis retailers as walking safes. This guide is written for Colorado operators, multi-state operator (MSO) security directors expanding into the Front Range, and the general counsel and compliance officers who carry the license risk. It explains what Colorado and Denver actually require, why the cash problem is acute here, how elite operators defeat robbery and diversion, and what distinguishes a store that merely clears a MED inspection from one that actually keeps its people, its product, and its two licenses safe.

What makes Denver cannabis security different from other markets?

Three Denver-specific realities shape the problem. First is density and maturity: the metro is saturated with licensed retailers, cultivations, and — since Colorado authorized marijuana hospitality — consumption venues, which means a high concentration of cash-and-product targets competing in a well-policed but heavily surveilled regulatory field. Second is the dual-jurisdiction burden: unlike operators in states with a single regulator, a Denver business needs both a state MED license and a Denver local license, and the local layer carries its own conditions, zoning limits, and inspection regime. Third is the threat pattern the Front Range has actually experienced — the Denver and Aurora area has seen repeated after-hours burglaries and violent, sometimes fatal, armed robberies of cannabis premises, a history that makes robbery and burglary hardening a life-safety issue, not a checkbox.

The through-line is that in Colorado, security and compliance are the same discipline. A camera outage is not just a blind spot; under MED rules it is a reportable deficiency. An unsecured safe is not only a burglary risk; it can breach the regulation that keeps the doors open. World-class Denver operators therefore treat the MED and Denver minimums as a floor to build on, never a ceiling — designing for two adversaries simultaneously, the criminal they must defeat and the regulator they must satisfy.

What does Colorado’s MED actually require for security?

The Colorado Marijuana Enforcement Division, part of the Colorado Department of Revenue, sets the statewide security rules every licensed premises must satisfy to hold a license. Those specifics run deep and shift from time to time, so operators should always check the MED rule text in force, yet the core categories stay steady across both retail and cultivation:

  • Video surveillance: continuous recording of limited-access areas, points of sale, entrances and exits, and the exterior, at a defined minimum resolution and frame rate, with cameras positioned to identify people and activity and to leave no unmonitored gaps over regulated areas.
  • Recording retention: footage kept for at least 40 days on a locked-down, access-controlled recorder and handed to the MED or local authority whenever it is requested.
  • Limited Access Areas (LAAs): back-of-house zones where product and cash are handled must be restricted to individuals holding a valid MED badge, with the badge visibly displayed, and all visitors logged, escorted, and identified.
  • Security alarm system: a functioning alarm covering all perimeter entry points and the LAAs, capable of detecting unauthorized entry when the premises is closed.
  • Commercial-grade locks and secure storage: product secured behind commercial-grade locking mechanisms, with cash and inventory in a safe or vault appropriate to the volume held.
  • Occupational licensing (the MED badge): every owner and worker must hold a valid Colorado owner or employee license before touching regulated inventory.
  • METRC seed-to-sale tracking: integration with Colorado’s mandated track-and-trace system, which tags and follows every plant and package from propagation through sale.

Taken together, these mandates are simply Colorado’s statutory rendering of the doctrine every serious physical-security program already follows — deter, detect, delay, respond — with the state supplying the force of law. And because MED-mandated cameras, alarms, and METRC increasingly ride the same networks and cloud accounts, the surveillance-and-tracking stack doubles as an attack surface: a recorder or point-of-sale terminal that can be reached and manipulated from afar is at once a security hole and a compliance breach, which is why the physical program and its cyber services foundations have to be engineered in tandem.

How does Denver’s local licensing layer add requirements?

Colorado is a dual-licensing state: a MED license alone does not authorize operation. A Denver business must also hold a local license issued by the Denver Department of Excise and Licenses, and the city imposes its own conditions on top of the state framework — zoning and buffer requirements that keep premises a set distance from schools, childcare, and other sensitive uses; needs-and-desires and neighborhood-notice processes for new locations; and local inspection authority that can act on security deficiencies independently of the MED. Denver has historically constrained the number and location of licenses, which concentrates operators and makes each site’s standing with the city genuinely valuable.

For a security program, the practical consequence is that two authorities can inspect the same store against overlapping but not identical expectations, and either can jeopardize operation. An elite operator builds a single control matrix that maps every MED rule and every Denver condition to a specific, auditable measure, so the store is provably compliant to whichever inspector walks in — and so a change at either level (a MED rule revision or a Denver ordinance update) triggers a controlled update rather than a scramble.

How long must Denver dispensaries keep video, and what specs matter?

Of every Colorado control, video is the one the MED specifies in the most detail and cites most often. The rules demand not just that cameras are present but that they actually do their job: enough resolution to identify a person, coverage over every regulated activity with no blind spots across the sales floor or product-handling zones, a correct date-and-time overlay, and a minimum 40-day hold on a secured recorder. That 40-day floor matters because losses tend to be found late — during an inventory reconciliation, or when the MED, the city, an insurer, or a detective asks for footage of something that already happened — so the working standard is to retain at minimum what the rule sets and, beyond that, long enough to span your own reconciliation cycle.

Citations and blown investigations in Colorado rarely stem from exotic failures; they stem from ordinary neglect — a lens nudged off its regulated field of view or taped over, a recorder that silently ceased capturing days ago, retention that recycled before the 40-day window closed, a timestamp no longer synchronized to real time, or a DVR sitting where any staffer could wipe it. Serious Front Range operators treat the camera stack as courtroom-grade evidence rather than a box-ticking prop: recorders are bolted down and access-restricted so the very insider the lens might expose cannot delete the proof, health-monitored so a failure pages someone instead of festering as a silent gap, and set up for defensible, chain-of-custody export the moment footage must anchor a MED response, an insurer’s file, or a Denver Police case. That evidentiary rigor is exactly where the physical program and the firm’s investigations capability must be built as a single discipline.

Why is cash the defining risk in Colorado, and how do you control it?

Nothing exposes a Colorado cannabis business like its cash. With marijuana still a Schedule I substance under federal law, the mainstream banks and card networks largely stay away, and the Financial Crimes Enforcement Network (FinCEN) loads heightened Bank Secrecy Act diligence onto the handful of institutions willing to bank marijuana-related businesses. Colorado’s own efforts to charter cannabis-focused financial institutions have repeatedly stalled against federal obstacles, and the federal banking fix promised for years has never hardened into settled law. So Denver operators have to plan around holding and moving real currency — and drive the risk down by design.

Controlling that cash comes down to a short list of non-negotiable habits. Keep the register light by dropping surplus bills throughout the day into a one-way drop safe no cashier can reopen. Hold the bulk in a time-lock or dual-control unit behind a limited-access door, so reaching it always takes two people, never one. Never let a deposit fall into a pattern — a bank run that leaves at the same hour by the same road is effectively a published ambush schedule, so rotate times and routes. Retire the practice of an owner ferrying deposits in a personal car; commission professional armored or secured movement, because a satchel of cash is never more exposed than in the open air between the door and the vehicle, which is why Denver cash-in-transit belongs inside a governed transportation and cargo security protocol. Close each day by reconciling the drawer against both point-of-sale totals and METRC, and never leave currency in view, since an exposed stack is simply an invitation to whoever walks in next.

Denver dispensary back room showing time-lock safe, duress alarm, camera arcs, and tagged product linked to a track-and-trace ledger in navy and gold

How do you prevent robbery and burglary in the Denver metro?

Front Range dispensaries draw a disproportionate share of violent crime for a simple reason: they concentrate cash and resalable inventory behind the widely held — and often accurate — belief that little of it is banked. Denver and Aurora have absorbed repeated runs of overnight break-ins and armed holdups, several of them deadly, and both local law enforcement and the ATF have flagged the trend as an entrenched threat rather than a passing spike. Countering it works in layers. Up front, the deterrent is a staged, controlled entrance — an age-and-eligibility check in a vestibule that stops a visitor before the retail floor, with product and registers kept past a second secured door. Conspicuous cameras, ample lighting, and clean sightlines advertise that the premises is watched and that anyone who tries will end up identifiable on the recording.

The response side belongs to the monitored alarm and, when the risk warrants them, posted officers. Silent duress switches at each till and in the back office give staff a way to call for help without provoking the offender, and every employee should be drilled on a single rule for a stickup: cooperate rather than fight, because stock is insured and a person is not. The overnight problem — burglary — is stopped by the shell of the building and the rating of the safe. Because Denver crews so often come in through the roof or punch through from a neighboring tenancy, hardening cannot stop at the front door: it means reinforced entryways and glazing, sealed roof and party-wall penetrations, interior motion and glass-break sensors wired to a monitored panel, and a safe engineered to hold out longer than police need to arrive. The objective reads plainly and executes with difficulty — price the target beyond what an offender will risk, and if someone tries anyway, ensure the attempt collapses short of the money.

How do you prevent diversion and internal theft under METRC?

The theft that never trips an alarm — product or cash walking out with staff — is usually the costlier one, and it is the loss Colorado’s regulators watch most closely, since keeping legal cannabis from bleeding into the illicit market is the reason the licensing system exists at all. METRC is the state’s front-line defense here, stamping every plant and package with a tracked identity from propagation through the final sale. Yet the ledger only exposes diversion when someone actually reconciles it and chases the gaps. Disciplined Denver operators count physical inventory against METRC on a fixed rhythm, treat every unexplained variance as an open lead instead of a rounding error, and pull the LAA badge log and the camera footage for the same window to turn a fuzzy shortfall into a documented, attributable event.

What the software cannot see, procedure has to cover. Split responsibilities so the person handling product is never the same person keeping its records. Require a second authorized sign-off on returns, waste destruction, manifests, and any high-value sale. Gate limited-access areas by job function so a budtender has no path to the vault, and check that each MED badge is current and worn in plain view. Because insider loss lives in the seams where METRC data, the cash count, and the access record fail to line up, the capacity to stitch those three sources together — the province of financial and forensic investigations — is what lets an operator prove an inside job rather than merely suspect one.

Minimum MED compliance versus an elite Denver program: what is the difference?

Plenty of Denver operators read “we cleared the MED inspection” as “we are secure.” Those are two different claims. The table below sets a bare pass-the-inspection posture against a program actually built to survive both the regulator and the criminal, so an operator can judge which they are running.

DimensionBare MED/Denver minimumProgram built to survive both threats
Guiding aimClear the state and city inspectionKeep staff, inventory, cash, and both licenses intact
SurveillanceCameras up, footage held 40 daysFault-alerting recorder, locked and access-gated, court-ready export
Currency handlingOne safe in the backOne-way drop units, two-person access, armored runs, nightly reconciliation
Holdup readinessA siren and deadboltsStaged entry, silent-duress workflow, rehearsed staff conduct
DiversionKeystrokes into METRCScheduled counts, duty separation, forensic case-building on variances
Regulatory postureFix things after a citation landsLiving matrix tying each MED and Denver clause to a control
Network/cyberFactory password left on the DVRIsolated, hardened camera and POS segments
After an incidentLog it and move onDebrief it to reinforce whichever layer gave way

What is the seven-step framework for a Denver-compliant dispensary program?

A credible Colorado program is built on purpose, working outward from the regulation and the risk. The sequence below mirrors how disciplined Front Range operators put one together.

  1. Reconcile both rulebooks. Pull the MED security regulations in force and the Denver Excise and Licenses conditions attached to the specific address, then build one control matrix that binds every obligation — surveillance, the 40-day hold, alarms, LAAs, commercial locks, MED badging, METRC — to a named, inspectable control.
  2. Profile the actual threat. Run a physical-security risk assessment for the site itself: the surrounding crime picture, the ways the building can be breached, how much cash cycles through, the value of the product on hand, and any prior loss — so the budget chases genuine exposure rather than the checklist.
  3. Fortify the shell and the doorway. Reinforce doors, glazing, roofline, and shared walls against the entry methods Denver burglars actually use; stand up a controlled ID checkpoint that keeps walk-in traffic clear of product and cash; and lay out lighting and sightlines with intent.
  4. Treat cameras and alarms as evidence. Install gap-free, spec-compliant cameras writing to a locked, fault-monitored recorder holding well past 40 days; connect a monitored panel covering intrusion, glass-break, and panic/duress signals; and settle in advance how footage is exported under chain of custody.
  5. Engineer cash and storage. Set drop and time-lock or dual-control safes inside limited-access rooms, hold floor cash to a minimum, book varied secured transport, and reconcile currency to the point of sale every day.
  6. Lock down access, stock, and the network. Issue LAA credentials by role with logged, badge-visible entry, count physical inventory against METRC on a set cadence, separate incompatible duties, and segment and harden the camera and POS networks so the compliance stack itself cannot be quietly altered.
  7. Post, direct, and reassess. Where officers are engaged, run them to written post orders; drill every employee on holdup and duress response; and revisit the whole program on a fixed schedule, mining each incident for the weakness it exposed.

How does Honeybadger secure Denver-area cannabis operations?

Honeybadger Solutions runs cannabis security as one directed, compliance-anchored program, not a bundle of boxes on a wall. The commercial and corporate security practice owns the physical build — translating MED and Denver obligations into auditable controls, running the site risk assessment, hardening the envelope and entrance, engineering the camera and alarm design, and specifying the cash-and-vault architecture — while our transportation and cargo security arm guards cash and product through the transit window where exposure peaks. Because our investigations and financial-forensic teams sit in-house and work globally, the systems we stand up generate the kind of records — locked video, badge logs, reconciled METRC data — that hold up as proof when a diversion, an insider theft, or a holdup must be proven, and our cyber services and security consulting keep the surveillance and POS stack hardened and the whole program current as Colorado and Denver rewrite their rules.

We operate from three Arizona offices — Casa Grande headquarters, Phoenix, and Oro Valley — and serve everyone from a single storefront to a multi-state operator across Arizona, the wider United States, and abroad. Our remote practices — cybersecurity, digital forensics, financial investigations, and background intelligence — reach the Denver market as standard, run out of our in-house teams. Protective operations and on-the-ground guarding are commanded through our vetted-partner network: California, Texas, and Florida are established theaters, and the Colorado Front Range is served on a mandate basis, all directed from the Arizona home command to one uniform standard, so an operator running several Denver-area doors is defended and audited identically at each. Operators weighing a new Front Range site or pressure-testing an existing setup can reach our Phoenix command to arrange a confidential assessment.

Frequently asked questions

How long does Colorado’s MED require dispensaries to keep surveillance footage?

Under Colorado MED rules, a licensed premises must preserve its video for at least 40 days on a locked, access-restricted recorder and hand it over to regulators when asked. In practice, operators should treat 40 days as the floor and hold footage at least through a full inventory-reconciliation cycle, because losses commonly surface weeks late. Confirm the current MED rule text before setting your retention, since the numbers are revised periodically.

Does a Denver dispensary need both a state and a city license?

It does. Colorado runs a dual-licensing system: every Denver operator has to carry a state license from the Marijuana Enforcement Division and a separate local license from the Denver Department of Excise and Licenses. The city layers on its own terms — buffer distances from schools and other sensitive uses, neighborhood-notice steps, and its own inspectors — and either authority can move against a security shortfall on its own.

Why is a Colorado dispensary so cash-heavy, and how is that cash protected?

Federal prohibition keeps most banks and card networks at arm’s length, and FinCEN piles extra Bank Secrecy Act scrutiny on the few that participate, so Denver stores frequently transact largely in cash. The money is protected by keeping little on the floor via one-way drop safes, holding the bulk in time-lock or dual-control safes inside limited-access rooms, moving it only by professional secured transport on rotating times and routes, and reconciling it against POS and METRC records daily to surface insider theft fast.

What is METRC, and how does it curb diversion?

METRC is the seed-to-sale track-and-trace platform Colorado mandates, giving every plant and package a tracked identity from propagation to sale. It only curbs diversion when its numbers are reconciled against physical counts on a strict cycle and the discrepancies are actually worked — checked against LAA access logs and camera footage — rather than written off. The platform is the ledger; the reconciliation and investigative rigor around it is what keeps product out of the illicit market.

About Honeybadger Solutions

Honeybadger Solutions is an Arizona-licensed security and investigations firm providing intelligence-led protective security, security consulting, investigations, executive protection, and cyber services for cannabis operators and enterprises across the country and overseas. Our cybersecurity, digital-forensics, financial-investigations, and background-intelligence practices are staffed in-house and delivered worldwide, including remotely into Colorado. Guarding and protective operations run through a commanded, vetted-partner network — established in California, Texas, and Florida, with the Colorado Front Range covered on a mandate basis and directed from Arizona home command.

Offices: Casa Grande (HQ), Phoenix, and Oro Valley, Arizona.
Phone: 602-725-2818
Confidential consultation: talk through a Colorado MED- and Denver-compliant cannabis security program with our team.