- Penetration tests are conducted only when triggered by an incident or compliance requirement
- No regular testing cadence
- Testing firm selected based on lowest price
- Findings are addressed reactively (if at all)
- No tracking of remediation status
- Reports are filed and forgotten