[vidarh]

Sometimes they will just be excessive because nobody applies any kind of critical thinking and/or because they favour looking like they find a lot over any kind of precision. I once had a site where they insisted on disabling ping responses for the website, citing it as a serious security concern. Because surely nobody would otherwise know that the very public website was there.

I replied with listing a number of websites of security focused organisations whose websites responded to ping, including assorted security services, military, and the pentesting company's own website.

(I didn't object to them querying what actually responded to the ICMP requests - none of them made it past the firewall, which is what replied and revealed nothing of our internal infra - I objected to them ignoring that answer and still insisting it revealed things it demonstrably didn't, and that lack of understanding was consistent through their report)

[IgorPartola]

I mean at that point isn’t the pushback “hey Management, this pentester is clearly incompetent. We need a new one.”?

[vidarh]

Yes, but with the problem that the pentester had been hired by our client and our client was a multibillion budget quasi-governmental organisation (transit authority) that was not inclined to listen because that'd involve mid-level managers sticking their necks out when they didn't need to and didn't know who was right.

So we did the British thing and went for a lot of passive-aggressive "oh, but how come it's ok for the CIA and your own website?" etc. to force them on the defensive and demonstrate that a lot of what they did was basically ticking pointless boxes.

We did manage to carve out some willingness in the client organisation to ignore bits and pieces as we clearly increased our credibility relative to the pen testers, but it was a massive pain.