NotExecutable

And her argument that using a security guard or “entry-level person” as an attack vector is somehow not a valid stress test is complete garbage...

It's not just garbage, it's a dangerous sentiment.

In information security, people are at least on a surface level aware of social engineering. Most companies and institutions still don't act on that awareness, but denying the problem and blaming the "pentester" is just awful. It effectively creates an environment were that kind of attack works even better.

The proper response to being fooled like that is to give all your employees a 101 on social engineering and basic security protocol. And then you can get angry at the guy who did an unsolicited pentest, if you think that will do any good for you. (Spoiler: It won't)

Have you ever called 911? If so, what's the reason?

Bonus: What if an emergency happens in your office? At my workplace, we need to call the emergency number for our country (112 / 110). I guess you don't have to do that?