In the regular market, no head of security wants to be responsible for a potential critical breach by hiring such a wild cannon.
Remember when a company’s head of security was fired and prosecuted for ordering a pentest against his own company, which is a normal thing that good heads of security do?