by tptacek 2640 days ago
Some SaaS companies set up bug bounties that offer explicit permission to test. Some companies offer that permission without a bounty. In the absence of either of those conditions, much of what a pentest firm would do to check the security of a website is a federal crime.

It's not a crime that is routinely prosecuted (at least not in the US; there are horror stories from the UK). But that doesn't mean it's safe to build a business around that activity.

(To be clear: I'm saying this about general security testing, not taking over someone's account who's paid you to do so. That's not criminal, just sort of unethical.)

1 comment

How does a business like Acunetix still exist if that's really the case? Anyone online can use their services to check any website.

Acunetix sells a product that you can use lawfully or unlawfully. In the very unlikely event you were to find and later exploit a serious vulnerability in a major SaaS company using the Acunetix scanner, it would not be Acunetix that the lawyers would target.