[tptacek]

You haven't published the reports, scope, and full findings. We don't even know what Trail was testing. I don't think the security audit stuff matters at all, and Trail is a fine firm, but you can't use the mere existence of a pentest project this way.

[amilich]

Any security engineer would have a heart attack if any employee, friend, or colleague said "security audit stuff [doesn't] matter." I wouldn't use software that doesn't undergo security audits.

Also, pentest ≠ audit. Completely different!

[tptacek]

I am a security engineer. You can go reach out to whoever managed your assessment at Trail and ask them about me by name if you like. What you're saying doesn't make sense. Maybe you could make it make sense! But you'd need to start by disclosing what the actual project scopes for each of these projects was.