Most penetration testing programs were originally designed to satisfy compliance requirements. Attackers, however, do not operate on compliance cycles. In this report, we reset outdated evaluation criteria, examine where legacy assumptions break down, and outline what matters now: exploitability, scale, attack-path chaining, fix validation, and responsiveness to actively exploited vulnerabilities.