i wasn't thinking about pen-testing, but vulnerability-research, which seems to match that quote. but, you're right, gp is referring to "security scanning". i just feel like, even then whoever's running the research, should triage and validate results, before passing on to mgmt.