A company hired us to run a real penetration test against their network this morning. What we found should concern every business owner reading this.
Not a simulation. Not a tabletop exercise where everyone sits in a conference room and talks about hypotheticals. I ran actual penetration testing tools against a live machine, the same tools a real attacker would use, and I watched what happened.
The cybersecurity industry has a dirty secret: most of the products they sell you are designed to catch yesterday's threats, not today's.
The Test
Here's what we did. We targeted a workstation that had the most widely used endpoint detection and response (EDR) platform in the managed IT industry installed on it. This is the product that thousands of IT companies rely on to protect their customers. The one they point to when you ask "are we secure?" The one that shows up in every sales pitch and every compliance checklist.
I ran a full attack chain. Credential harvesting. Privilege escalation. Lateral movement techniques. The kind of thing that a moderately skilled attacker could pull off with freely available tools and a YouTube tutorial.
Then I sat back and watched two dashboards.
Two Dashboards, Two Very Different Stories
As part of our process, we deploy monitoring software on the target workstation to capture everything -- every connection, every process, every escalation attempt. This is how we build the report that shows the company exactly where their weaknesses are. That monitoring picked up the attack within seconds. Within minutes, we had a full picture of what was happening and where.
Then I looked at the EDR dashboard. Nothing. Not a single alert.
I waited. Refreshed. Checked the agent status to make sure it was running. It was. The software was installed, active, healthy, doing exactly what the vendor said it would do.
It just wasn't detecting anything.
Seven hours later, still nothing.
Let that sink in. The product that was supposed to be the last line of defense, the thing this company was told would catch the bad guys, completely missed a real attack happening on a live machine. Not a theoretical attack. Not a "what if" scenario. A real one.
Why This Keeps Happening
This isn't a fluke. This is the norm. And the reason is simple: most cybersecurity products are built to check a box, not to actually protect you.
The EDR industry figured out something brilliant from a business perspective and terrible from a security perspective. They realized that most buyers don't test the product. Ever. You buy it, your IT company installs it, it shows a green checkmark on a dashboard, and everyone moves on. The compliance auditor sees the checkmark. The insurance company sees the checkmark. Nobody ever asks: "but does it actually work?"
So the vendors optimize for checkmarks. They optimize for dashboards that look impressive. They optimize for sales decks with threat intelligence feeds and AI buzzwords. What they don't optimize for is catching an actual attacker sitting on your network.
I've been in managed IT for 15 years. I've watched this industry sell the same recycled approach for a decade while threats evolved at a pace that makes those tools look like antivirus from 2005. Signature-based detection. Behavioral analysis that only catches the most obvious, noisy attacks. And a whole lot of marketing.
The Question You Need to Ask
If your IT company installed software on your machines and told you it would protect you, ask them one question: have they ever actually tested it?
Not "does the vendor say it works?" Not "is it on Gartner's magic quadrant?" Not "does it have a cool dashboard?" Have they, your IT provider, the people you're paying to keep you safe, ever run a real attack against your environment to see if the tools they sold you actually do what they promised?
I already know the answer for 95% of you reading this. They haven't. They installed it and moved on. Maybe they ran the vendor's own test, which is like asking a student to grade their own exam.
That's not security. That's theater.
What Actually Works
Real security isn't about trusting any single product. It's about layering defenses, testing them regularly against real attack techniques, and not assuming something works just because a vendor says it does.
The monitoring we deployed during this test caught the attack in seconds. The industry's most popular EDR platform missed it entirely for seven hours. That's not a product gap. That's a philosophy gap -- between security that's tested and security that's assumed.
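What "testing them regularly against real attack techniques" looks like when you write it down is a coverage check: run the chain, collect the telemetry, and score each stage of the chain against each dashboard instead of reading a green checkmark. The script below is an added example, not the monitoring software or the EDR product from this post. The event schema, field names, the three rules and the allowlists are assumptions modelled on Sysmon-style process, process-access and network telemetry, and the six sample events are constructed to mirror the chain described above (credential harvesting, privilege escalation, lateral movement) plus two benign events that should not fire.

```python
"""Detection-coverage check over constructed endpoint telemetry.

Added example; not the sensor or the EDR described in the post. The event
schema, rules and allowlists below are assumptions (Sysmon-style fields),
and SAMPLE_TELEMETRY is constructed, not captured from any real host.
"""
import json

# Constructed telemetry: one attack chain on WS01 (tool.exe reads LSASS,
# spawns a SYSTEM shell, then reaches a second host over SMB) followed by
# two benign events (a user's notepad, and kernel SMB traffic to a share).
SAMPLE_TELEMETRY = r"""
{"ts":"2025-01-01T09:00:01","host":"WS01","type":"process","image":"C:\\Users\\jdoe\\Downloads\\tool.exe","parent":"explorer.exe","user":"CORP\\jdoe","integrity":"Medium"}
{"ts":"2025-01-01T09:00:05","host":"WS01","type":"process_access","source":"tool.exe","target":"C:\\Windows\\System32\\lsass.exe","access":"0x1010"}
{"ts":"2025-01-01T09:00:09","host":"WS01","type":"process","image":"C:\\Windows\\System32\\cmd.exe","parent":"tool.exe","user":"NT AUTHORITY\\SYSTEM","integrity":"System"}
{"ts":"2025-01-01T09:00:20","host":"WS01","type":"network","image":"tool.exe","dst_ip":"10.0.0.25","dst_port":445}
{"ts":"2025-01-01T09:00:30","host":"WS01","type":"process","image":"C:\\Windows\\System32\\notepad.exe","parent":"explorer.exe","user":"CORP\\jdoe","integrity":"Medium"}
{"ts":"2025-01-01T09:00:31","host":"WS01","type":"network","image":"System","dst_ip":"10.0.0.25","dst_port":445}
"""

# Assumed allowlists; these would be tuned per environment.
LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe", "services.exe"}
SYSTEM_PARENTS = {"services.exe", "wininit.exe", "winlogon.exe", "smss.exe", "svchost.exe"}
LATERAL_PORTS = {135, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM
SYSTEM_IMAGES = {"system", "svchost.exe", "lsass.exe"}


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_credential_access(ev):
    """A non-allowlisted process opened a handle to lsass.exe."""
    return (ev["type"] == "process_access"
            and basename(ev["target"]) == "lsass.exe"
            and basename(ev["source"]) not in LSASS_READERS)


def rule_privilege_escalation(ev):
    """A High/System-integrity process whose parent is not a normal SYSTEM parent."""
    return (ev["type"] == "process"
            and ev["integrity"] in {"High", "System"}
            and basename(ev["parent"]) not in SYSTEM_PARENTS)


def rule_lateral_movement(ev):
    """Outbound admin-protocol connection from a user-land image."""
    return (ev["type"] == "network"
            and ev["dst_port"] in LATERAL_PORTS
            and basename(ev["image"]) not in SYSTEM_IMAGES)


RULES = {
    "credential_access": rule_credential_access,
    "privilege_escalation": rule_privilege_escalation,
    "lateral_movement": rule_lateral_movement,
}


def run_rules(events):
    """Return {stage: [matching events]} for every rule."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev)
    return hits


def coverage(hits, expected_stages=tuple(RULES)):
    """Which stages of the chain fired at least once, and which were missed."""
    detected = {s for s in expected_stages if hits.get(s)}
    return {"detected": sorted(detected),
            "missed": [s for s in expected_stages if s not in detected]}


def compare_dashboards(sensor_hits, edr_alert_stages, stages=tuple(RULES)):
    """The two-dashboard view: did each product surface each stage?"""
    return {s: {"sensor": bool(sensor_hits.get(s)), "edr": s in edr_alert_stages}
            for s in stages}


if __name__ == "__main__":
    events = parse_events(SAMPLE_TELEMETRY)
    hits = run_rules(events)
    print(coverage(hits))
    # The EDR console in the post showed nothing at all; modelled as an empty set.
    for stage, row in compare_dashboards(hits, set()).items():
        print(f"{stage:22} sensor={row['sensor']!s:5} edr={row['edr']}")
```

The value is in the last two functions, not the rules themselves: a rule set is only as good as its allowlists, but scoring per stage turns "the agent is healthy" into "stage X was or was not seen by product Y", which is the evidence a business owner can actually ask for. Feed `compare_dashboards` the set of stages that appeared in the EDR console during the test window and the missed stages fall out directly.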
Stop Trusting the Checkmark
I'm not writing this to scare you. I'm writing this because I'm tired of watching business owners spend real money on products that give them a false sense of security. I'm tired of seeing IT companies sell tools they've never tested and call it "cybersecurity."
If you're a business owner, demand proof. Ask your IT company to run a penetration test against your own environment. Ask them to show you, not tell you, that their tools actually catch real attacks. If they can't do that, or won't, you have your answer.
And if your IT provider can't show you real test results from your own environment, that tells you everything you need to know.
The cybersecurity industry has spent years selling you confidence. It's time to start demanding proof.