@5570b77c A bad pentest is the “checklist item” where there are strict guidelines about what’s in scope and what’s not. A good pentest has no limits. Attackers, REAL attackers, cheat. They don’t follow rules or guidelines, so if you truly want to test to see what a real attacker can do, impose no limits. If you want to pass some audit that involves an accounting-type firm doing an assessment with an off-the-shelf scanner, impose those non-realistic limits.