Comment by drewcoo

Yes, and . . .

Yes, it's pretty scammy. Yes, if you know what you're doing, you know what they'll find. And charge you for what you already know.

But it's a tool. As a principal/staff-level IC or as a low-level manager, you may run into problems convincing the higher-ups to address very real security concerns. So you may want to recommend such an audit. Because those newcomers are "experts" and their findings may sway upper management. Even if management pays you to be an expert, they're paying extra for new, extra expertise!