[borplk]

Just saying,

If he found the vulnerability without using Acunetix, why did he have to use Acunetix later to check if the same vulnerability has been fixed or not?

Couldn't he re-check using the same way that he initially found the vulnerability?

[jrogers65]

Perhaps he was using a wider net to see if there were any other problems which, given the level of (in)competence displayed by the techs working for the college, was a distinct possibility.

[thefreeman]

Exactly. Which is the definition of unauthorized penetration testing.