Based on a Narrative post in LinkedIn.
The most expensive lesson in cybersecurity is learning that tools don’t protect you. People, process, and discipline do.
A CISO recently watched their $50,000 penetration test unfold in real time. By hour four, the pen tester had domain admin. The company spends $2 million a year on security. The CISO wanted to cry.
This wasn’t a sophisticated nation-state attack. There were no zero-days. No advanced persistent threats. No cutting-edge tradecraft. The pen tester used techniques from 2010 — and walked straight through a $2 million security stack like it wasn’t there.
How It Happened: A Timeline
The test started at minute zero with a phishing email to HR. Credentials captured. The CISO’s first reaction: “At least our controls will stop lateral movement.”
They didn’t.
By hour two, an unpatched server was exploited and the pen tester had access to the finance network. The CISO’s next thought: “Okay, but they won’t find admin credentials.”
Hour four. A shared folder. A file called Admin_Password.txt. Domain admin access — handed over without a fight. By hour six, the customer database had been exfiltrated. Game over.
The Debrief That Hurt
When the dust settled, the pen tester delivered the verdict that stung most:
“You have excellent security tools. We didn’t need zero-days. We used techniques from 2010. Everything we did should have been caught.”
The breakdown told the whole story:
- Sophisticated attacks used: 0
- Basic attacks used: 23
- Zero-days exploited: 0
- Unpatched vulnerabilities found: 8
- Advanced techniques required: 0
- Weak passwords and old accounts leveraged: Everything
The $2M Stack That Failed
Here’s what the company had:
- $200k EDR platform
- $150k SIEM
- $100k threat intelligence feed
- $80k password policy tool
- $50k DLP solution
And here’s what they didn’t have:
- Consistent patching — over 200 exceptions outstanding
- Enforced MFA — sitting at just 60% adoption
- Clean access control — admin accounts from 2019 still active
- Followed password policy — Password123 was a real, live credential
- Configured DLP — installed, and never turned on
Working fundamentals: $0.
The password policy tool couldn’t enforce what leadership hadn’t mandated. The EDR was logging everything and alerting on nothing. The SIEM had tuned out the noise — along with the signals. And the DLP solution, bought and paid for, had never been switched on. Not misconfigured. Never configured.
The Board Meeting That Followed
When the CISO faced the board, the question was blunt: “We invested $2 million in security. How did this happen?”
The answer was equally blunt: “We bought expensive tools and ignored the free basics.”
The board pushed for detail. The CISO laid it out plainly — a $200k EDR that can’t help against unpatched servers. Password tools that nobody uses. DLP that was never configured. And then the line that should be printed on every security budget proposal:
“We can’t buy our way out of lazy security.”
The Real Problem
The cybersecurity industry has a spending addiction dressed up as a strategy. Vendors sell confidence. Procurement teams buy logos. And somewhere between the board presentation and the production environment, the actual work of security — patching, hardening, enforcing, auditing — gets quietly deprioritised.
Tools are multipliers. If your foundation is weak, a more expensive tool just gives you a more expensive false sense of security. You’re not compounding strength. You’re compounding the gap between what you think you have and what you actually have.
Attackers know this. They don’t open with zero-days because they don’t need to. They phish HR, find the unpatched server, check the shared drives, and walk out with the crown jewels using a playbook that’s fifteen years old. Because it still works.
What They Fixed — For $30k
Six months after the humiliating pen test, the organisation made changes. Not to their tools. To their fundamentals:
- MFA made mandatory — no exceptions
- Auto-patching enabled — no more exception lists
- Access review implemented — any account unused for 90 days, removed
- Password manager rolled out — mandatory across the organisation
- Weekly control testing introduced
Total cost: $30,000.
Then they ran the follow-up test. Same pen testers. Same techniques. The results were almost unrecognisable:
- Time to initial compromise: 3 days (vs. 32 minutes)
- Time to domain admin: Never
- Critical findings: 3 (vs. a full compromise)
What changed? Not their tools. Their fundamentals.
The Lesson the Numbers Tell
The math here is stark and uncomfortable for every vendor selling a six-figure platform:
$2M in advanced security < $30k in working fundamentals.
Fancy tools without basics aren’t just insufficient — they’re expensive theatre. A stage set that looks like security from the outside, while the doors are unlocked around the back.
Before You Buy the Next Shiny Tool
Stop. And answer these questions honestly:
- Are we patching everything, on schedule, with no exceptions as the default?
- Is MFA enforced everywhere — not encouraged, not at 80%, but enforced?
- Did we remove last year’s dormant accounts?
- Are passwords actually strong, and are we verifying that?
- Do we test our controls regularly and act on the findings?
If the answer to any of those is no — fix that first. Before the next renewal. Before the next demo. Before the next budget request for something new and sophisticated.
Because your expensive security stack is useless if attackers can get in with Password123.
The Uncomfortable Truth
The CISO in this story didn’t fail because they spent too little. They failed because spending became a substitute for doing.
Security is not a procurement exercise. It’s an operational discipline. And no vendor, no matter how impressive the demo, can buy you out of the need to actually practice it.
The most protected organisations aren’t the ones with the biggest budgets. They’re the ones where the basics are boring — because they’re done.
Don’t let your stack become your excuse.
