
tracker1, yesterday at 10:34 PM, 0 replies

I wish I could recall the name of a pen test company I worked with when I wrote my auth system... They were pretty great and found several serious issues.

At least compared to our internal digital security group, who couldn't fathom that "your test is wrong for how this app is configured; that path leads to a different app and default behavior" is not actually a failure... in response to a canned test for a PHP exploit. The app wasn't PHP; it was an SPA and always delivered the same default page unless in the /auth/* route.

After that my response became: show me an actual exploit with an actual data leak, and I'll update my code instead of your test.