Sunday, September 15, 2013

Why pen testers need training similar to criminal investigation

In a real-world black box pen test you never know what you are going to come up against; every engagement presents different challenges. Conventional training cannot adequately prepare you for this, because the unknown cannot be taught from a fixed set of examples. The successful pen tester needs to develop the mindset of the criminal investigator.

Let's take a look at some conventional training examples: www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi. This exploit for the MS08-067 Server service vulnerability, a Windows XP-era SMB bug, appears in virtually every pen testing course available.
So you are fine if your black box pen test happens to target an old XP system that was never patched for this vulnerability. What if that is not the case? Another typical training example: you are given a URL and two usernames, and you are told that the password is exactly five characters long and drawn only from the lowercase letters a, b and c (aaabc, abbbc, cccca, and so on). The challenge is to find the correct username and password and log in to the challenge website. The training shows how to use tools such as "crunch" (to generate the candidate list) and Burp Suite (to replay the login request with each candidate), and perhaps some other tools, to solve the challenge. But how many times in a real pen test are you given this much information, not to mention such weak passwords? I think you get the drift of the training available and how poorly its challenges represent what you will face in the "real world."
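To make concrete how small the search space in that training challenge is, here is an added example (not code from the original post) that reproduces the crunch wordlist with itertools and runs the Burp-style brute force against a stand-in login function. The usernames, the valid account and its password are constructed for the example; `crunch 5 5 abc` would produce the same 243 candidates.

```python
import itertools

# Constructed stand-in for the challenge website: the two usernames handed out
# by the training, and a hypothetical valid credential for one of them.
USERNAMES = ["alice", "bob"]
_SECRET = {"bob": "abbbc"}   # constructed for this example


def login(username, password):
    """Stand-in for the HTTP login request Burp Suite's Intruder would send."""
    return _SECRET.get(username) == password


def candidate_passwords(charset="abc", length=5):
    """Yield every string of `length` characters over `charset`,
    in the same lexicographic order `crunch 5 5 abc` emits."""
    for combo in itertools.product(charset, repeat=length):
        yield "".join(combo)


def keyspace_size(charset="abc", length=5):
    """Number of candidates the brute force has to try per username."""
    return len(charset) ** length


def brute_force(usernames, charset="abc", length=5):
    """Try every (username, password) pair in order.
    Returns (username, password, attempts) on success, or None."""
    attempts = 0
    for user in usernames:
        for pw in candidate_passwords(charset, length):
            attempts += 1
            if login(user, pw):
                return user, pw, attempts
    return None


if __name__ == "__main__":
    print("candidates per user:", keyspace_size())
    print("result:", brute_force(USERNAMES))
    # For comparison, an 8-character lowercase alphanumeric password:
    print("realistic keyspace:", keyspace_size("abcdefghijklmnopqrstuvwxyz0123456789", 8))
```

With three letters and five positions the whole job is 3^5 = 243 candidates per username, so even the losing account is exhausted in seconds and no lockout or rate limit is modelled. Widening the character set to 36 symbols and the length to 8 pushes the keyspace past 2.8 trillion, which is the gap between the demo and a real target.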

So what does criminal investigation have to do with pen testing? Training in criminal investigation procedures helps to develop the investigator's mindset: every criminal case, and therefore every pen test, is unique, and you start from ground zero. You begin by assuming nothing; everything is suspect. Then you start eliminating avenues of inquiry. You gather facts, not assumptions, and you use those facts to arrive at the most reasonable and probable conclusions they point to. Despite the ease of cracking passwords and popping a "shell" in pen test training demos, this is not how it goes in the real world. That is why it is necessary to approach each pen test as if you were, in fact, investigating a criminal case, and why training in criminal investigative techniques can help a pen tester succeed.
