Heroic training: Are you settling for a participation trophy? The case for effective penetration testing
Articles by: Richey May, Aug 11, 2025
Bottom Line Up Front: Most penetration testing is expensive compliance theater. Real penetration testing is heroic practice: rigorous, comprehensive preparation that builds the confidence under pressure your organization needs to face AI-powered threats. In the following analysis, we’ll explore how a cybersecurity team’s commitment to effective, challenging training can inspire the rest of the organization and become the foundation of a security-first culture.
Tough training transforms zeroes into heroes
Training is part of the hero’s journey. The template is well known: introduce weak hero > boss bully flattens weak hero > wise teacher trains hero > hero emerges from training transformed > strong hero confronts and flattens boss bully > we cheer.
Iconic heroes like Luke Skywalker, Daniel LaRusso and the Average Joes in Dodgeball have rolled off this narrative conveyor belt to delight and inspire audiences. Even though it is the same progression every time, we never tire of this storyline.
Ted Lasso is a more recent variation on this theme. A Midwestern college football coach takes a job coaching a mediocre English soccer team recently acquired in an acrimonious divorce settlement by a ferociously bitter divorcee. Coach Ted uses unorthodox training psychology and practice methods to weld his rag-tag team together and lead them to victory. Haven’t watched Ted Lasso? Watch the first two seasons … you’ll thank us later.
Along the way, Ted runs into a problem with his arrogant star player, Jamie Tartt. Jamie insults his teammates and bullies the low performers into near incapacity. Ted, who is wrestling with his own demons, has had enough. In one memorable scene, Ted walks into the locker room, where the diminutive but brilliant coach Nate tells him Jamie has decided not to participate in practice that day.
What follows is an epic rant inspired by the Allen Iverson “practice” rant we referenced last month, but with a crucial twist:
Ted Lasso’s take on practice
“You’re sitting in here. You’re supposed to be the franchise player, and yet, here we are talking about you missing practice. You know you’re supposed to be out there. You know you’re supposed to lead by example … We’re talking about practice with your team, with your teammates. Only place that we get to play together.”
Where Iverson made the case that what happens in the game is what matters, Ted makes the opposite case: practice is essential, but only the right kind of practice, and practice that inspires others to greatness.
Ted understands that championship-level performance requires championship-level preparation. But not all practice creates champions; it takes serious, innovative preparation.
He introduced innovative drills designed to target his team’s specific weaknesses, the most pressing being their lack of cohesion. For example, he had offensive and defensive players switch roles to build versatility, and he connected teammates with red cord during scrimmages to build awareness and mutual support. Ted’s practice wasn’t about checking boxes; it was engineered preparation that forged team identity and competitive advantage.
Ted appreciated the symbiotic relationship between a team and its fans, so he invited the team’s fans to the stadium to watch them practice. Not only did their presence encourage the team to take practice seriously, but the team’s display of discipline and camaraderie inspired the fans. That’s the effect of heroic training.
But that is not what most of our compliance-oriented cybersecurity teams are doing, and it’s not what most vendors are offering.
Checklist practice ≠ heroic training
Unlike Coach Ted’s purposeful practices designed to solve the team’s game-day deficiencies, the cybersecurity industry is flooded with offerings designed to satisfy compliance checklists rather than solve actual problems. These tools deliver the cybersecurity equivalent of having players run the same basic drills every practice session without any strategic purpose or innovation. These surface-level assessments find obvious vulnerabilities, generate impressive-looking reports, and help organizations feel good about their security posture. But they don’t answer the question that keeps executives awake at night: “What happens when real attackers target us?”
This is an especially important question because many organizations confuse vulnerability scanning with actual penetration testing. Vulnerability scanning uses automated software to identify potential weaknesses … and that is just one phase of actual pen testing. Effective penetration testing requires skilled professionals to actively exploit vulnerabilities, test social engineering susceptibilities, and demonstrate real-world attack scenarios that automated tools simply cannot replicate.
This isn’t heroic practice: it’s just for show. Like Jamie Tartt showing up to the locker room but refusing to actually practice, these assessments create the appearance of preparation without building real capability.
Meanwhile, AI-powered threats are training like Olympic athletes, developing new techniques daily, and studying your industry’s weaknesses with machine precision. Organizations that continue relying on checkbox compliance are choosing to remain weak heroes in a world where the boss bullies have gotten exponentially stronger and more numerous.
Effective cybersecurity practice
Real security testing starts with comprehensive scoping that most vendors skip entirely. Here’s what Richey May’s heroic practice methodology includes:
Network Infrastructure Assessment
- Complete inventory of live IPs externally and internally
- Cloud environment mapping across Azure, AWS, GCP platforms
- Compliance requirement analysis (PCI, SOX, regulatory frameworks)
- Engagement hour protocols for business continuity
Application Security Deep Dive
- Multi-URL web application testing with page-level analysis
- User role testing across admin, customer, and limited access levels
- API endpoint comprehensive evaluation
- Tech stack vulnerability assessment covering languages, databases, and cloud integrations
Environmental Scope Definition
- Development, UAT, and production environment testing protocols
- Live system impact assessment and mitigation strategies
- Incident response integration planning
- Stakeholder communication frameworks
But here’s where Richey May’s approach transcends standard penetration testing: we don’t just find vulnerabilities. We demonstrate blast-radius effects by looking beyond the immediate damage to the potential downstream impacts, which helps organizations limit secondary losses and fully contain attacks.
Instead of simply reporting technical vulnerabilities like SQL injection flaws in login forms, comprehensive testing demonstrates real impact by showing how attackers could access customer databases and exfiltrate 500,000 Social Security numbers in under 20 minutes using publicly available tools.
This approach transforms security assessment from a surface-level compliance exercise into a business transformation conversation. Rather than just protecting against threats, comprehensive penetration testing enables business growth by building customer trust, supporting operational continuity, and creating competitive advantages through superior security posture.
Suddenly, executives understand why cybersecurity investment matters. The cybersecurity team gains credibility and resources. The organization develops genuine security awareness rather than checkbox fatigue.
The heroic practice cycle: testing, remediation, and retesting
But heroic practice doesn’t end with the report. If you run a penetration test and don’t remediate the findings, the test was wasted. Inspiring cybersecurity heroes complete the transformation cycle: they test rigorously, remediate diligently, and retest to validate their improvements.
The inspirational ripple effect: how cybersecurity excellence transforms organizations
Championship-level organizations don’t settle for annual compliance testing. They embrace quarterly assessments that ensure continuous improvement and adaptation to evolving threats. This frequency demonstrates the kind of commitment that separates winning organizations from those that merely survive.
When cybersecurity teams demonstrate this level of commitment to rigorous testing and act diligently on the results, it creates a ripple effect throughout the organization. Other departments witness the thoroughness, the attention to detail, the refusal to accept superficial answers, and they start asking: “If the security team is going to these lengths to protect our customers, what should we be doing?”
This is how heroic practice becomes organizational transformation. Not through mandates or training sessions, but through demonstrating the kind of commitment that inspires others to rise to their own heroic potential.
Like Ted’s insistence that Jamie lead by example, heroic cybersecurity practice becomes contagious. Teams across the organization begin adopting the same rigorous standards, the same attention to detail, the same commitment to excellence.
But we’ll save that deeper cultural discussion for September, when we explore how cybersecurity excellence becomes the nucleus around which security-first organizational culture develops.
Stop settling for participation trophies and go for the gold
Here’s the urgent truth facing cybersecurity decision makers: AI-powered attacks are rewriting the rules of engagement. Traditional defenses that worked against human attackers struggle against machine intelligence that can adapt in real time, test thousands of attack vectors simultaneously, and learn from every interaction.
We’re entering Q4, when compliance requirements come due and budgets get finalized. Organizations scrambling for year-end compliance often settle for quick, superficial assessments.
This is the moment to choose differently.
This is your opportunity to reject participation-trophy scans and tests and embrace heroic practice that actually prepares your organization for the threats ahead.
Heroic cybersecurity practice isn’t about finding more vulnerabilities. It’s about building the confidence under pressure that separates winning organizations from those that get flattened by increasingly sophisticated threats.
Your cybersecurity team has the potential to become the inspiring nucleus around which your entire organization transforms. But only if they’re willing to embrace the kind of heroic practice that actually prepares for game day.
Ready to move beyond performance art and start the hero’s journey? Email info@richeymay.com.