Why not reveal what sites/code this was tested on, so others can try to repeat? What was the false positive rate? Why didn't they compare results with commodity automated scanners like Burp or Zap?