- This is their first penetration test
- No vulnerability management program exists
- Patching is ad hoc
- No security policies exist, or they are outdated
- Security team is one person (or zero)
- "Compliance" is viewed as the goal, not as a baseline