The French Taunter Problem: Why Your Castle Keeps Getting Breached

Twenty-five years.
That’s how long I’ve been doing this cybersecurity thing. And for a guy who went to school to be a music teacher, I still have days where I can’t quite wrap my head around how I ended up here. But in those 25 years, I’ve picked up my fair share of stories. I’ve lived through more than my fair share of stories… some triumphant, most humbling, and a few that still make me shake my head in disbelief.
I’ve served in enterprise security leadership roles running programs for multi-billion-dollar international corporations. I’ve been the consultant helping mom-and-pop shops that just want to print paychecks for the local business and make enough money to take care of their families. I have seen a lot. And one story in particular still sticks with me like an earworm from an ’80s power ballad.
The Heist Nobody Saw Coming
About 15 years ago, we were hired to pen test a company. The goal was simple: see if we could break into their systems and get some sensitive data. This wasn’t some abstract “red team exercise.” This was the real deal, complete with a physical penetration component where we’d try to walk right into their office.
But we started where all good stories start: on the outside looking in.
One of my pen test buddies used a technique called “password spraying.” If you’re not familiar with it, here’s how it works: you harvest every username you can find on LinkedIn, through open-source intelligence tools, wherever. Then you pick one password. Just one. And you try logging into every single account with that same password.
Now, far be it from me to guess what passwords people are using at their companies (wink wink), but I will say there are patterns: Company123… Winter2026!… We’re creatures of habit, and those habits make it easy for people to do their jobs (and also incredibly easy for attackers to break into our companies).
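As an added example (not code from the original post), here is a minimal detector for the spraying pattern described above, run over constructed sample authentication log lines: a spray shows up as one source touching many distinct accounts inside a short window, while ordinary brute force against a single account does not trip it. The log format and the IPs and usernames are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, result.
# 10.0.0.7 tries one password across six accounts; 192.168.1.20 hammers one account.
SAMPLE_LOG = """\
2026-01-12T08:00:01 10.0.0.7 alice FAIL
2026-01-12T08:00:03 10.0.0.7 bob FAIL
2026-01-12T08:00:05 10.0.0.7 carol FAIL
2026-01-12T08:00:07 10.0.0.7 dave SUCCESS
2026-01-12T08:00:09 10.0.0.7 erin FAIL
2026-01-12T08:00:11 10.0.0.7 frank FAIL
2026-01-12T08:05:00 192.168.1.20 alice FAIL
2026-01-12T08:05:30 192.168.1.20 alice FAIL
2026-01-12T08:06:00 192.168.1.20 alice SUCCESS
"""

def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source: {"users": [...], "compromised": [...]}} for every source
    whose attempts hit at least `min_users` distinct accounts within a sliding
    `window`. "compromised" lists accounts that returned SUCCESS inside that
    window, which is where the incident response starts."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_src[src].append((ts, user, result))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fits in it.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                # Overwrite so the latest qualifying window is reported.
                hits[src] = {
                    "users": sorted(users),
                    "compromised": sorted({u for _, u, r in span if r == "SUCCESS"}),
                }
    return hits

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The distinct-user count is the signal; a per-account failure counter would miss the spray entirely because each account sees only one attempt.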
My teammate on this engagement asked himself a simple question: “If I were working the help desk, onboarding new employees and contractors, what’s the easiest-to-remember password I could possibly create for them?”
It worked.
Not just once. Not twice. Three times.
Three separate people were still using that default password and had never changed it. He logged in remotely to email and a couple of other applications. That was bad enough. But remember: this was a pen test with a physical component.
So my buddy showed up the next day, dressed like he belonged, and tailgated right through the front door. Nobody challenged him. Nobody asked to see a badge. He found an empty desk, plugged in his laptop, and used those stolen credentials to look exactly like someone who was supposed to be there. He checked email. He browsed file servers. He looked like an insider because, from a login perspective, he was an insider.
But because he’s a pen tester (and pen testers tend to have skills beyond basic email checking) he used those passwords to do something both spectacular and terrifying: he stole the company’s entire virtual machine infrastructure.
And I mean entire.
This was over a decade ago, so he had an external hard drive (one terabyte, which was pretty sick at the time) and he filled that thing up and walked right out the front door with their entire digital operation in his backpack.
Groundhog Day, But Make It a Security Breach
I am here, over a decade and a half later, and I’m still having this exact same conversation.
How do we enable people to onboard quickly and do what we want them to do (contractors, employees, everybody) while simultaneously keeping people like that pen tester (or worse, an actual attacker) outside of our systems?
“But Jerod,” you might say, “we’ve got multi-factor authentication now! We’re safe!”
Sure. Except we’ve seen a massive uptick in MFA fatigue attacks. Attackers just keep sending login attempts to someone who’s trying to do their job, and they get pop-up after pop-up after pop-up on their phone. Eventually, frustrated and just wanting to get back to the spreadsheet they were working on, they click “Yes” to make it go away.
And the attacker walks right in.
What’s the Password? (You English Pig-Dogs!)
It blows my mind as a professional that we’re still using the same basic authentication model as the French taunter in Monty Python and the Holy Grail.
“What’s the password, you English pig-dogs?”
We come up with a secret. We give it to someone and say “protect this.” And then we just… assume that anyone who knows this secret is really that person. Then we tack on another secret (MFA) that changes every few seconds. And we call it good.
And yet we still see organizations compromised through attackers taking advantage of our people.
Let me be crystal clear about something: Our people are not stupid.
The people we hire to help us build and grow our organizations, the ones doing the actual work that makes the business run, are not the problem. This notion that breaches are “user issues” and that employees are too dumb to protect themselves is one of the most fundamentally broken ways of thinking about cybersecurity.
Our people are smart, capable, and trying their best. The problem isn’t them. The problem is the technology we’re asking them to use.
There’s a Better Way (And It’s Been Right Here the Whole Time)
The thing that gets me genuinely, nerd-out-with-the-product-team excited: we have the capability to solve this problem with technology. We have the ability to create a way for users to log in where we can make absolutely sure we know who that user is before they even hit the login page.
Not after they type in their password. Not after they enter the MFA code. Before.
At SideChannel, our product team has created something that honestly blows my mind. And I say this as someone who gets to take off the fractional CISO hat occasionally and just really geek out about how this technology works.
It’s elegant. It’s simple. And it solves a problem we’ve been wrestling with since before I accidentally fell into this career.
How Enclave Actually Works (The Non-Boring Version)
Here’s what makes Enclave different: instead of relying on passwords (which people forget, reuse, or never change) and MFA codes (which people approve just to make the notifications stop), Enclave uses certificate-based identity and egress routing.
Think of the certificate like a digital passport that your device carries around. Before you ever type “outlook.com” or “salesforce.com” into your browser, Enclave has already verified that you are who you say you are, that your device is authorized, and that you’re allowed to access that specific application.
It happens in the background. Transparently. Your users don’t see it, don’t think about it, and don’t have to make decisions about whether that MFA prompt is legitimate or not.
But from a security perspective? We have such a high degree of confidence that the person accessing Outlook or Salesforce or any of these business-critical apps is really the person they claim to be that it fundamentally changes the security posture.
No more password spraying. No more MFA fatigue. No more hoping that your employees will choose strong passwords and protect them appropriately (because again, that’s not a reasonable expectation… that’s a technology failure).
This Isn’t Just About Technology… It’s About People
I’m sitting here thinking about the organizations I’ve worked with over my career at SideChannel, and every single one of them is doing something unique and special. Nonprofits working to make the world better. Educational technology companies helping kids learn. Med-tech companies developing life-saving innovations.
Every company I’ve worked with has something meaningful to offer, and I’m so grateful that we’ve had the opportunity to help enable that resilience.
Because when we talk about cybersecurity, we’re not just protecting the company. We’re protecting the people who work at the company. We’re protecting the customers and communities that the organization exists to serve. We’re protecting the mission, whatever that mission might be.
And when I put my CISO hat back on after geeking out with the product team, that’s what gets me excited about what we’re seeing in the technology space right now. We can make it so much easier and so much less complex to just let people do their jobs.
We can stop asking employees to be security experts. We can stop blaming users when attackers exploit fundamentally broken authentication systems. We can build technology that works for people instead of creating friction that makes their jobs harder.
The Problems Haven’t Changed, But the Solutions Have
The problems we’re facing today in cybersecurity are not new. That pen test story I told you? It could have happened last week instead of 15 years ago. The techniques have evolved slightly, the tools have gotten more sophisticated, but the fundamental vulnerability is the same: we’re still asking people to protect secrets and make security decisions that they shouldn’t have to make.
What has changed is the technology we can use to solve those problems.
Enclave represents a fundamental shift in how we think about identity and access. Instead of “who do you say you are?” followed by “can you prove it with these secrets?”, we’re asking “do I already know this device and this user?” before they ever reach the login page.
It’s the difference between checking someone’s ID at the door versus hoping they remember the password after they’re already inside.
Let People Do What They Do Best
I started this career accidentally. I was supposed to be teaching music, helping kids find their voice, maybe conducting a high school choir somewhere. Instead, I ended up here, trying to help organizations protect themselves from threats that evolve faster than we can sometimes respond.
But in 25 years, one thing has remained constant: the people doing the actual work… the employees, the contractors, the teams building things… they’re not the weak link. They’re the entire point. The organization exists to enable them to do something meaningful.
Our job in cybersecurity isn’t to make their lives harder with complex password requirements and constant authentication prompts. Our job is to build systems that protect them while getting out of their way.
Enclave does that. It verifies identity before login, blocks unauthorized access automatically, and lets your people focus on the work that actually matters, whether that’s saving lives, educating kids, or building the next big thing.
The French taunter approach has been broken since day one. It’s time we stopped asking people to defend the castle with medieval tools and gave them something that actually works.
Jerod Brennen is VP and Cybersecurity Advisor at SideChannel, where he helps organizations build resilient cybersecurity programs. When he’s not geeking out about security technologies, he’s probably still wondering what his life would have been like as a high school choir director.
Connect with him on LinkedIn or reach out at jerod@sidechannel.com.