Comment by swiftcoder

6 days ago

> companies should be categorically required to have a cyber audit

I work with a firm that has an annual pen test as part of its SOC2/GDPR/HIPAA audit, and it's basically an exercise in checking boxes. The pen test firm runs a standard TLS test suite, and a standard web vulnerability test suite, and then they click buttons for a while...

The pen test has never found any meaningful vulnerabilities, and several times drive-by white hats have found issues immediately after the pen test concluded.