Marketing, social engineering, and the CISO Fantasy Phish Bowl

In Austin, Texas, at the Cyber Marketing Con’s 2025 Marquee Gala Awards in December, the Hoxhunt CISO Fantasy Phish Bowl walked away with “Best CISO/Security Practitioner Community” from the Cyber Marketing Society. League members George Finney, CISO of the University of Texas system, and Dr. Dustin Sachs sat down and talked with me about this wild and winding journey together through cyber and fantasy football. We had a great time, and a topic that emerged was pretty funny, and painfully true, considering the circumstances: How are marketing and social engineering tactics similar? What distinguishes a marketer from a social engineer? And why does that matter for CISOs, vendors, and cybersecurity at large? Hint: it's all about trust in the age of noise and AI slop.

Updated: December 19, 2025
Written by: Eliot Baker

2025 playoff update and The Phish Bowl Origin Story: a pandemic, a weird idea, and a bunch of CISOs who said “eh, sure”

If you’re new here: yes, this is real. And yes, it’s as absurd as it sounds. But it's also award-winningly awesome.

Also, for the record: we’re down to the final four in the Phish Bowl playoffs, and after Dustin Sachs’ Puka Nacua dropped an otherworldly 46.5 points on my head (yes, me: the guy who broke his 8-game unbeaten streak), it sure looks like Dustin’s season of destiny in the inaugural Shawn Bowen Memorial Phish Bowl is heading toward the finals—against either Ryan Boulais or Antonio Mecci. Talk about a Cinderella season. No, literally, we talked about it for an hour. Watch the video of me, Dustin, and George Finney in Texas discussing the similarities between social engineering, phishing, and marketing. Being together at the world’s most prestigious cyber marketing con, it just felt right.

The Phish Bowl started in 2021, in that bygone era when time lost meaning and “community” meant a Slack channel and lots of talking heads on a Zoom call.

I yearned for more. I wanted a social life, a community. I was at work, checking my office fantasy scores, when 2 neurons collided and sparked a thought: I like fantasy sports. I like cybersecurity. What if:

Twelve of the world’s top security leaders joined a fantasy football league… and then used it as a way to talk about cybersecurity through the prism of sports?

This was a truly non-salesy campaign. No demos, no product pitches, no requests for virtual coffees to learn about security awareness pain points (only to sneak in a senior AE who could explain how our product would solve the pain points with 100% effectiveness), and no asks for an introduction to a new account. All that was required was weekly cyber-nerdy trash talk, thought leadership, competitive fire, and surprisingly deep conversations about leadership, risk, and human behavior.

And here’s the part that still makes me laugh: from a traditional demand-gen perspective, it makes no sense. It’s not ABM. It’s not virtual roundtable events with a progressive ask. If we were talking about the marketing funnel, it's not really TOFU, MOFU, or BOFU. You could say it's in the upside-down of the TOFU-verse if you're savvy about dark funnel stuff. And yet it's been a win-win for all of us (well, except for the 11 players who lose each year in the league).

We’ve gotten some really cool content out of it, both Hoxhunt and the fantasy managers who are looking to expand their thought leadership platforms. And it's helped Hoxhunt get our passport stamped for approval by some of the best CISOs in the game as we entered the North American consciousness as a trusted player in the awareness and phishing training category.

That's the power of a strong community. Communities don’t scale like ads, they spread like trust and a good reputation.

Austin: the conversation that put words to what the league actually is

To celebrate the award (and the general chaos), I sat down in Austin with two league members:

  • George Finney, CISO for the University of Texas System (14 institutions, ~250,000 students, ~140,000 employees… casually), author of Well Aware and the Project Zero Trust books, and general cyber sage.
  • Dustin Sachs, cybersecurity leader and behavioral science evangelist (and, unfortunately, the owner of Puka Nacua).

We talked about the league—why they joined, why it works, and why community matters more than ever in a world drowning in AI-generated noise. That was, by the way, the key message from this year’s CyberMarketing Con: Trust and human connection in an age of AI slop.

George nailed something early: the league worked for him because it was low-risk, high-trust. There wasn’t that icky, subtle tit-for-tat pressure of, “you owe me a meeting.” For him, it was about genuine connection, and he knew he had the freedom to bail if it ever stopped being fun.

Dustin said something that hit me: the Phish Bowl gives you a real relationship context with people you might admire from afar. Suddenly you’re not “cold messaging Nicole” or “asking Christina a favor” or “trying to connect with Gary Hayslip.” You’ve got shared history. Shared banter. Shared credibility. And that’s a different kind of network—the kind you actually use when things get spicy at work.

Sidenote: in his first week of competition this year, Dustin beat one of his cybersecurity idols, Gary Hayslip. Dustin wasn’t joking when he said he will put that on his resume, above his doctorate and publications.

Why CISOs need community (and why marketers should care)

CISO life is relentless. High stakes, constant pressure, endless decisions, and a background radiation of “everything is on fire.”

A real community helps because it creates:

  • A safe place to sanity-check decisions, vendors, approaches
  • A support network when incidents hit (or when you just need a gut check)
  • A human outlet that isn’t another webinar or board deck

And from the marketing side? Here’s the uncomfortable truth:

Trust is the only thing that cuts through the noise now.
Not volume. Not automation. Not “personalization tokens.” Trust.

Marketing vs. social engineering: the parallels are hilarious (and terrifying)

A big chunk of our Austin conversation was about something I’ve been thinking about for years:

Marketing and social engineering use a lot of the same mechanics.

That statement makes marketers nervous, but… come on. We all know it’s true.

Shared tactics (don’t pretend you haven’t seen these)

  • Urgency: “Do this before end of year!”
  • Authority: “Reaching out on behalf of…”
  • Incentives: “Gift card if you attend!”
  • Curiosity/clickbait: “You won’t believe what happened when…”
  • Friction reduction: QR codes everywhere, scan-now, register-in-10-seconds
  • Spoofing vibes: George told a story about a marketer spoofing his old CIO’s number to get him to pick up. That’s not “bold.” That’s feral.

And Dustin put it perfectly: we teach employees “slow down, verify, don’t click,” while marketers are trained to do the exact opposite—get the click, get the meeting, get the conversion.

So yeah: the overlap is real.

The key difference: intent (and integrity)

Here’s the line that matters:

  • Social engineers manipulate to steal.
  • Good marketers persuade to help.

That’s the entire moral universe.

Good marketing is built on the belief: we’re adding value. We’re trying to solve a real problem. We’re creating clarity, not confusion.

Bad marketing? That’s where the social engineering comparison stops being a metaphor. Over-aggressive and under-ethical vendors are like hogs rolling in FUD; they “sell the breach,” engage in ambulance chasing, spoofing, fake urgency, inflated stats, fear-mongering—that’s how you burn trust with an entire market.

George gave the clearest example of what not to do: spoof one of his colleagues’ phone numbers in a caller ID scam to get him on the phone and deliver a terrible sales pitch. This actually happened. Watch the video. Yeesh.

It’s part of a larger issue CISOs have with vendors who sell by exploiting tragedy (like a school shooting) to pitch facial recognition. Yuck. That’s not “timely.” That’s “never email me again, you are blocked forever.”

And Dustin’s favorite genre of nonsense: “We prevent 100% of breaches.”
Sure you do. The only product that prevents 100% of breaches is pen and paper.

AI slop, louder noise, and why human connection matters more now

This was the heart of the conversation.

We’re entering an era where:

  • AI makes phishing cleaner and harder to detect (no more “look for bad grammar”)
  • AI makes marketing louder and easier to spam at scale
  • Everyone’s inbox is a war zone

So the differentiator isn’t “who can automate more.” It’s who can stay human.

Dustin compared bad outreach to pickup-artist logic: a numbers game, indifferent to connection, optimized to extract. And that’s exactly how a lot of B2B outreach feels right now: industrialized attention theft.

The Phish Bowl is the opposite:

  • it’s slow,
  • it’s weird,
  • it’s personal,
  • it’s built on shared identity and shared laughs.

And ironically, that’s why it works.

“Use your powers for good”: ethics is the whole ballgame

Dustin made a point I love: the tactic isn’t the sin. The intention is.

Security teams use tools that could be abused. Marketers use psychological levers that could be manipulative. The difference is whether you’re using those levers to:

  • reduce friction and help people make better decisions, or
  • trick them into doing something they’ll regret.

The best cyber marketers:

  • know the audience (don’t email CISOs late Friday like a psycho)
  • don’t weaponize fear
  • don’t exploit incidents
  • don’t inflate claims
  • build relationships instead of transactions

The Phish Bowl effect: relationships, not transactions

We ended with a simple question: what’s the best “marketing message” you’ve ever received?

The funniest answer was also the truest:

“Join this fantasy football league.”

Because it wasn’t a pitch. It was an invitation into a real group. And after trust is built, curiosity follows naturally. Dustin said it outright: once he got to know the people, he wanted to learn what Hoxhunt does—because it felt safe to ask.

That’s the model:
community → trust → curiosity → relationship → business (maybe)

Not the other way around.

A tribute to Shawn Bowen

Before we wrapped, we talked about someone who shaped this league in a way I didn’t fully understand until later: Shawn Bowen, who passed away tragically last year.

Dustin told me he felt like he had to join, because the league meant so much to Shawn—and because Shawn and Dustin spent so many Tuesdays deconstructing matchups, trash talk, and the madness like it was film review.

That’s the thing about community: sometimes you don’t realize what you built until you see what it meant to someone else.

Shawn’s energy is still in this league—every ridiculous message thread, every debate, every “how did you possibly start that guy?” moment.

So… why did we win “Best CISO Community”?

If I had to sum it up:

Because in a world of AI slop and nonstop noise, people are starving for spaces that feel real.

The Phish Bowl is real.
It’s imperfect.
It’s chaotic.
It’s occasionally humiliating (see: Puka, 46.5 points).
And it’s built on something the industry can’t automate:

trust, integrity, and human connection.

Now if you’ll excuse me, I have to prepare emotionally for the playoffs—while Dustin continues his march toward destiny like the main character in a sports movie none of us consented to be in.
