What 1,500 Hours of Cybersecurity Cold Calls Taught Me

Cold calling still works.
For 300 weeks, I spent an hour each day listening to recorded cybersecurity sales calls—real conversations between sales development reps (SDRs) and security leaders. That’s more than 1,500 hours of strangers trying to earn each other’s trust… in under 30 seconds.
The best calls weren’t the ones with the slickest intros. They were the ones where relevance, timing, and empathy converged.
Top 5 Cybersecurity SDR Calls I Listened To
Below are five cold calls I still think about often. They shape how I think about outreach—and how to establish trust when seconds count.
- The Risk Pitch That Hit Home
A rep selling an integrated risk management platform didn’t waste time on generic questions. Instead, they led with something hyper-relevant:
“We worked with [Competitor Hospital Network] to operationalize the NIST CSF framework across their various subsidiaries. Before our platform, risk was fragmented—now it’s consolidated into one view for the CISO and compliance team.”
Then they shared a detailed case study, including how the hospital reduced time-to-assessment by 38% and improved cross-functional risk ownership.
The buyer, a cyber risk officer at another hospital network, immediately leaned in.
Takeaway: Specificity builds trust. Referencing a peer’s real outcome and mapping it to a known operational gap positioned the rep as credible—and earned them a booked meeting in under five minutes.
- The Ransomware Wake-Up Call
This call didn’t rely on flashy language—it relied on empathy.
The SDR was speaking with a CISO new to their role at a mid-sized manufacturer. The company handled large volumes of packaged goods requiring printed labels to pass through retail.
“You’ve probably seen the ransomware attack on JBS meat processing plant. We’re not here to scare you, but we’ve helped teams like yours build backup controls so that a ransomware event doesn’t shut down labeling operations. One of our co-founders used to be a CISO at a similar company—he saw this incident play out firsthand.”
What made it resonate? They tied a real-world event to a core business risk—one the CISO hadn’t fully prioritized yet.
Takeaway: Empathy beats hype. If the risk is real and the stakes are high, you don’t need a scare script—just a business impact that matters.
- The Compliance Call That Didn’t Waste Time
This rep skipped pleasantries and got right to the point:
“I saw the new regulatory guidance from the EDPB last month—looks like it affects how privacy impact assessments are documented. Are you responsible for those updates internally?”
The prospect, a privacy officer at a global SaaS provider, paused and said:
“Yes. It’s literally sitting on my desk right now. I’ve been dreading the manual updates.”
The rep didn’t pitch a platform right away. They asked how the team tracked controls across frameworks and then offered a short demo of automated mapping between GDPR Article 35 and NIST CSF controls.
Takeaway: Formal tone + relevance = fast traction. Especially in regulated spaces, professionalism and insight are more trustworthy than charm.
- The Real-Time Zero-Day Check-In
During a week when a zero-day exploit in a popular remote access tool was all over the news (CVE-2025-XXXX), this SDR picked the perfect moment to call.
“I know this is a cold call, but I figured you’re probably triaging CVE-2025-XXXX. We’re helping teams validate patch coverage across distributed endpoints—would it help to benchmark your posture?”
The buyer was a senior engineer at a regional bank. While the patch wasn’t their top priority yet, they appreciated real-time relevance and agreed to a technical walkthrough of the validation tool the next day.
Takeaway: Timeliness matters. Showing up with helpful context during a crisis is more valuable than pushing a pitch.
- The Conversion Call Built on Collaboration
This rep didn’t pretend to know everything. Instead, they led with clarity:
“I won’t assume I know your exact environment. But we’re seeing a 27% uptick in endpoint-related breaches in [Industry Segment], especially around off-network assets. Based on that, our marketing and threat teams created short playbooks to plug into existing EDR workflows.”
What stood out wasn’t the pitch—it was the alignment. The SDR referenced collaboration between sales, product, and marketing, and followed up with a one-pager built from real-world use cases.
Takeaway: Great calls are team sports. Prospects can tell when messaging is tested across functions, not just recited from a playbook.
Bonus: A Script That Works
Script: Outbound Call for a Risk Management Platform
SDR:
“Hi [Prospect Name], this is [Your Name] with [Company]. I noticed [Prospect Company] recently addressed a phishing campaign tied to multi-factor fatigue—looked like it exposed gaps in unified threat visibility.
We help similar security teams reduce cross-functional alert fatigue and streamline risk triage. In fact, [Peer Company] reduced MTTR by 45% after consolidating threat and compliance controls on our platform.
Would it be worth 15 minutes to see if we can help you cut through the noise, too?”
If met with hesitation:
Follow up with a 2-sentence case study, or cite a timely analyst stat (e.g., Gartner’s projection that 60% of orgs will unify risk and compliance tooling by 2026).
AI-Proof SDR Checklist for Cybersecurity
- Research Beyond Buzzwords
Don’t just mention AI—know which frameworks (e.g., NIST 2.0), tools (e.g., CrowdStrike, Splunk), and threats (e.g., MOVEit) your prospects are dealing with.
- Speak Their Language
CISOs and security engineers don’t want to be “educated.” Use technical precision and show respect for their domain knowledge.
- Build on Real Trends
Tie your outreach to known exploits (e.g., zero-days), regulatory shifts (e.g., DORA, SEC breach disclosure rules), or industry breach patterns.
- Collaborate Across Teams
Get your marketing and product teams involved. Great calls often rely on internal insights, not external pitches.
- Invest in Professionalism
Every call is a shot to build trust. Get the facts right. Skip the gimmicks. Show up like a pro.
FAQs
- What made these cold calls stand out?
They were specific, relevant, and timely. Each caller came prepared with insight—not just intention. That built trust quickly.
- Should reps still use AI for call prep?
Yes—but don’t stop at surface-level research. Use AI to find real signals, like recent CVEs or regulatory updates. If it doesn’t resonate in 20 seconds, it’s not insight.
- Why do some calls fail?
Forced rapport, fear-based FUD, and recycled buzzwords destroy trust. If you can’t name a risk, role, or regulation your prospect actually cares about, don’t call yet.
- How much prep does a good call take?
Five to ten focused minutes. But don’t waste that time on vanity insights—dig into breach trends, job shifts, vendor consolidation, or security architecture gaps.
- How can SDRs make cold calling work today?
Be relevant. Be real. Bring value early. And talk to marketing—often, they’ve already created the stat, story, or asset that will help you break through.