The last zero-day I used was years ago. I have not needed one since
- Lindsay Timcke

- May 11
- 2 min read
Every security vendor sells you technology. EDR, XDR, SIEM, SOAR, NGFW, CASB, ZTNA, a new acronym every quarter, each one promising to close the gap the last one opened. Boards approve the spend. CISOs defend the stack. Analysts swivel between dashboards. And somewhere in the middle of that orchestra, a help-desk technician at your MSP accepts a password reset over the phone from a voice that sounds tired and urgent and happens to know the name of the CFO’s assistant.
That is how it happens. That is how it has always happened.
Hackers do not go after technology. We go after people. The admin who keeps privileged passwords in a notepad file on his desktop. The sales manager who forwards his inbox to Gmail because Outlook on his phone is slow. The employee whose off-hours browsing on the company laptop feeds every drive-by exploit kit on the open web. The contractor reusing the same passphrase across fourteen client tenants because remembering more is hard. The CFO approving a wire on a Friday afternoon because he has a flight to catch. The new hire opening the PDF because HR told her to. The MSP technician still using the domain admin account you thought was decommissioned eighteen months ago.
None of this requires an exploit. It requires patience, a phone, a spoofed caller ID, a LinkedIn scrape, and the willingness to wait for the right moment. The technology on your endpoints is irrelevant when the human turns the key from the inside.
The economics settle it. A reliable exploit costs six figures to develop and burns on first use. A phone call costs nothing and can be reused forever. Your annual awareness training is a ritual your people clicked through in fourteen minutes while on a conference call, and the metrics that measured it told you they passed. Let's be truthful: most firms make that training beyond boring. It checks every corporate box, but nothing in it resembles real life.
From our side, the best part is that you will not see it coming, because your controls are not looking for it. Your SIEM is tuned to detect malware. It does not detect a tired technician. Your EDR flags suspicious binaries. It does not flag a legitimate login from a legitimate credential at three in the morning from a country where you do business. Your MFA is defeated by a polite caller asking the help desk to push the prompt one more time.
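The two cases above, a help-desk reset followed by a login from a new country and a run of MFA pushes before a "polite" approval, are exactly the signals a malware-tuned SIEM never looks for. The following detector is an added example, not code from the original post or its author; it runs over a few constructed authentication events and flags those patterns. The log format, field names, user baselines and thresholds are all assumptions made for the example.

```python
"""Added example (not from the original post): flag identity-layer abuse that a
malware-tuned SIEM ignores. Log format, thresholds and baselines are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real logs. Fields: timestamp, user, event, detail.
SAMPLE_LOG = """\
2024-05-10T02:41:07Z jsmith mfa_push sent
2024-05-10T02:41:49Z jsmith mfa_push sent
2024-05-10T02:42:30Z jsmith mfa_push sent
2024-05-10T02:43:12Z jsmith mfa_push sent
2024-05-10T02:43:58Z jsmith mfa_push approved
2024-05-10T02:44:03Z jsmith login_success country=DE
2024-05-10T09:15:00Z rlee login_success country=US
2024-05-10T14:05:00Z rlee helpdesk_reset ticket=HD-1234
2024-05-10T19:30:11Z rlee login_success country=IE
2024-05-10T09:20:00Z aperez mfa_push sent
2024-05-10T09:20:40Z aperez mfa_push approved
2024-05-10T09:20:45Z aperez login_success country=US
"""

# Tunables (assumptions for the example).
PUSH_THRESHOLD = 3                      # pushes inside PUSH_WINDOW before an approval
PUSH_WINDOW = timedelta(minutes=5)
RESET_WINDOW = timedelta(hours=24)      # how long a help-desk reset stays "hot"
OFF_HOURS = set(range(0, 6)) | {22, 23} # UTC hours treated as off-hours
# Countries each user normally logs in from; in practice derived from history.
BASELINE_COUNTRIES = {"jsmith": {"US"}, "rlee": {"US"}, "aperez": {"US"}}


def parse_log(text):
    """Parse the constructed line format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(maxsplit=3)
        attrs = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "event": event, "detail": detail, **attrs})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return (user, rule, message) alerts for push fatigue, reset-then-travel
    and off-hours logins from a country the user has never used."""
    alerts = []
    pushes = defaultdict(list)   # user -> timestamps of pushes sent, not yet resolved
    last_reset = {}              # user -> time of the last help-desk password reset
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "mfa_push":
            if e["detail"] == "sent":
                pushes[user].append(ts)
            elif e["detail"] == "approved":
                recent = [t for t in pushes[user] if ts - t <= PUSH_WINDOW]
                if len(recent) >= PUSH_THRESHOLD:
                    alerts.append((user, "push_fatigue",
                                   f"{len(recent)} pushes within {PUSH_WINDOW} before approval"))
                pushes[user].clear()
        elif e["event"] == "helpdesk_reset":
            last_reset[user] = ts
        elif e["event"] == "login_success":
            country = e.get("country", "unknown")
            new_country = country not in BASELINE_COUNTRIES.get(user, set())
            # A reset the help desk granted, then a login from somewhere new: the
            # credential is legitimate, which is exactly why EDR says nothing.
            if new_country and user in last_reset and ts - last_reset[user] <= RESET_WINDOW:
                alerts.append((user, "reset_then_new_country",
                               f"login from {country} {ts - last_reset[user]} after help-desk reset"))
            if new_country and ts.hour in OFF_HOURS:
                alerts.append((user, "offhours_new_country",
                               f"login from {country} at {ts:%H:%M} UTC"))
    return alerts


if __name__ == "__main__":
    for user, rule, msg in detect(parse_log(SAMPLE_LOG)):
        print(f"{user:8} {rule:24} {msg}")
```

On the constructed sample this produces three alerts: jsmith for push fatigue and an off-hours login from a new country, and rlee for a login from a new country a few hours after a help-desk reset; aperez's single push and approval from a baseline country stays quiet. The point is not the thresholds, which are placeholders, but that each rule keys on identity events (resets, pushes, first-seen geography) rather than on binaries.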
Every breach I have worked, inside the glass or across the table, has turned on a human decision. Not a patch. Not a firewall. A person, under pressure, making a choice that felt reasonable in the moment.
The tools are necessary. They are not sufficient. Until you harden the people, the people are the door.
