I’m pretty lazy, but I’d at least run a port scan so I have something to submit in a report. That takes a few minutes to run and can be scheduled to run daily so there’s something in their logs.
That said, our audits always turn up something new (usually benign), so I’d be very suspicious of an “all clear” result.
Also, even without a prior pentest the admins should have a rough idea where problems areas are (or maybe even know them for a fact but cannot completely patch/disable them to not lock out legacy systems or so). A completely empty report would definitely raise suspicions
I’m pretty lazy, but I’d at least run a port scan so I have something to submit in a report. That takes a few minutes to run and can be scheduled to run daily so there’s something in their logs.
That said, our audits always turn up something new (usually benign), so I’d be very suspicious of an “all clear” result.
Also, even without a prior pentest the admins should have a rough idea where problems areas are (or maybe even know them for a fact but cannot completely patch/disable them to not lock out legacy systems or so). A completely empty report would definitely raise suspicions
Just copy some report from online and change a few characters. Easy to do on the toilet.