[debo_]

It's relatively common to have pen testers attack a cloned environment w/ sanitized data. This is especially true in cases where your policies (or those you've agreed to from customers) require you to present evidence that you are having a pen test done every X years.

[red-iron-pine]

access to live data for testing is also a compliance question -- as in, don't do it, and why are you doing it?

why are you not using cloned or dummy data?