- Annual penetration test conducted for compliance purposes
- Standard scope (external network, basic web application)
- Testing firm selected based on qualifications and price
- Findings tracked in a spreadsheet
- Some findings remediated before next annual test
- Results reported to IT management