Hacker News
by spydum 3315 days ago
I don't disagree on this, but the mentality of pentesting (as I have seen it conducted) is wrong. Typically a firm wants to find a way in, and snatch the Crown Jewels. Once they achieve that, the level of effort goes way down, and they often leave a lot of surface area unchecked.

Or maybe more succinctly: they are incentivized to find SOMETHING quickly, rather than EVERYTHING.

I think it can help if the testers are internal and not quite under the same time pressure / engagement limits though.