A prospective client asked four times - four - "do you have experience in OT?" Each time we explained: diverse OT environments across multiple industries and vendors, all tested safely. An Electronic Engineering degree (yes, people care about academics...). Team members who've worked in the industry (wrong industry!). Years of refined methodology. None of it landed.

The preconception was locked in before the call started: pen testers are IT guys who don't understand OT. Nothing we said was going to change that.

Here's what's mad about that. What we do is understand OT. We walk around plants. We have the dirty PPE to prove it. We sit in control rooms with operators and plant engineers talking about what keeps them up at night. We are the opposite of "IT guys".

A huge part of what we do is listening. We speak with operators who've seen things go wrong. Plant engineers who know what could cause the most harm without triggering safety systems. So much of OT is safety engineering - random, uncoordinated failures should not cause catastrophic failure. We're the people who work out whether an attacker could trigger those things deliberately and remotely. Something that happened once by accident? We work out if someone could make it happen on purpose.

Step 1 is understanding the process. A chemical plant is engineered completely differently to an automated warehouse, railway signalling system, or cruise ship. We work with your people to understand the process, work out which bits we can break, then go back and work out if that causes impact. Sometimes other controls stop it. Sometimes we bypass those controls. This needs constant dialogue. It's what we do. It's what we've been doing today.

We understand the constraints. We know what techniques are safe, which systems you don't touch, and the consequences of getting it wrong.

But here's the thing that really gets me.

The people who build and maintain OT systems are not always best positioned to break them. That's not a criticism - it's a different skillset. But the engineers who design, commission and maintain these systems are aiming to keep them operational. They think within what the manufacturer says is possible. They assume implementation matches design. They follow safety engineering, not security engineering.

We work outside what people think is possible and challenge those assumptions.

I don't know what would have convinced this person. But the industry has a real problem gatekeeping OT security behind a narrow idea of what "OT experience" looks like. If your only measure is whether someone has spent 20 years configuring PLCs, you're missing the people best placed to find the vulnerabilities in them.

The best security testing combines operational knowledge from people on site with adversarial thinking from testers who break things. That's not a gap in our capability. That's the whole point.