“A boxer derives the greatest advantage from his sparring partner…”
— Epictetus, 50–135 AD
Hands up. Chin tucked. Knees bent. The bell rings, and both boxers meet in the center and circle. Red throws out three jabs, feints a fourth, and—BANG—lands a right hand on Blue down the center.
This wasn’t Blue’s first day and despite his solid defense in front of the mirror, he feels the pressure. But something changed in the ring; the variety of punches, the feints, the intensity – it’s nothing like his coach’s simulations. Is my defense strong enough to withstand this? He wonders, do I even have a defense?
His coach reassures him “If it weren’t for all your practice, you wouldn’t have defended those first jabs. You’ve got a defense—now you need to calibrate it. And that happens in the ring.”
Cybersecurity is no different. You can have your hands up—deploying the right architecture, policies, and security measures—but the smallest gap in your defense could let an attacker land a knockout punch. The only way to test your readiness is under pressure, sparring in the ring.
The Difference Between Practice and the Real Fight
In boxing, sparring partners are abundant. Every day, fighters step into the ring to hone their skills against real opponents. But in cybersecurity, sparring partners are more sparse. The equivalent is penetration testing, but a pentest happens at a typical organization only once a year, maybe twice, at best every quarter. It requires extensive preparation, contracting an expensive specialist agency, and cordoning off the environment to be tested. As a result, security teams often go months without facing true adversarial activity. They’re compliant, their hands are up and their chins are tucked. But would they be resilient under attack?
The Consequences of Infrequent Testing
1. Drift: The Slow Erosion of Defense
When a boxer goes months without sparring, their intuition dulls. He falls victim to the concept known as “inches” where he has the right defensive move but he misses it by inches, getting caught by shots he knows how to defend. In cybersecurity, this is akin to configuration drift: incremental changes in the environment, whether that be new users, outdated assets, no longer attended ports, or a gradual loss in defensive calibration. Over time, gaps emerge, not because the defenses are gone, but because they’ve fallen out of alignment.
2. Undetected Gaps: The Limits of Shadowboxing
A boxer and their coach can only get so far in training. Shadowboxing and drills help, but the coach won’t call out inconspicuous mistakes, that could leave the boxer vulnerable. Neither can they replicate the unpredictability of a real opponent. There are simply too many things that can go wrong. The only way for a coach to assess the state of his boxer is to see how he gets hit and then diagnose why.
Similarly, in cybersecurity, the attack surface is vast and constantly evolving. No one pentesting assessment can anticipate every possible attack vector and detect every vulnerability. The only way to uncover gaps is to test repeatedly against real attack scenarios.
3. Limited Testing Scope: The Danger of Partial Testing
A coach needs to see their fighter tested against a variety of opponents. He may be fine against an opponent who throws primarily headshots, but what about body punchers or counterpunchers? These may be areas for improvement. If a security team only tests against a particular type of threat, and doesn’t broaden their range to other exploits, be they exposed passwords or misconfigurations, they risk leaving themselves exposed to whatever weak access points an attacker finds. For example, a web application might be secure, but what about a leaked credential or a dubious API integration?
Context Matters When it Comes to Prioritizing Fixes
Not every vulnerability is a knockout punch. Just as a boxer’s unique style can compensate for technical flaws, compensating controls in cybersecurity can mitigate risks. Take Muhammad Ali, by textbook standards, his defense was flawed, but his athleticism and adaptability made him untouchable. Similarly, Floyd Mayweather’s low front hand might seem like a weakness, but his shoulder roll turned it into a defensive strength.
In cybersecurity, vulnerability scanners often highlight dozens—if not hundreds—of issues. But not all of them are critical. All IT environments are different and a high-severity CVE might be neutralized by a compensating control, such as network segmentation or strict access policies. Context is key because it provides the necessary understanding of what requires immediate attention versus what doesn’t.
The High Cost of Infrequent Testing
The value of testing against a real adversary is nothing new. Boxers spar to prepare for fights. Cybersecurity teams conduct penetration tests to harden their defenses. But what if boxers had to pay tens of thousands of dollars every time they sparred? Their learning would only happen in the ring—during the fight—and the cost of failure would be devastating.
This is the reality for many organizations. Traditional penetration testing is expensive, time-consuming, and often limited in scope. As a result, many teams only test once or twice a year, leaving their defenses unchecked for months. When an attack occurs, the gaps are exposed—and the cost is high.
Continuous, Proactive Testing
To truly harden their defenses, organizations must move beyond infrequent annual testing. Instead, they need continuous, automated testing that emulates real-world attacks. These tools emulate adversarial activity, uncovering gaps and providing actionable insights into where to tighten security controls, how to recalibrate defenses, and provide precise fixes for remediation. Doing it all with regular frequency and without the high cost of traditional testing.
By combining automated security validation with human expertise, organizations can maintain a strong defensive posture and adapt to evolving threats.
Learn more about automated pentesting by visiting Pentera.
Note: This article is expertly written and contributed by William Schaffer, Senior Sales Development Representative at Pentera.
