It’s always interesting when people say you don’t understand x,y,z.
I usually agree with them, professing to try us understand very little(this is a truth, so I’m on extremely solid ground here) and ask them to explain, then is as is normal with folk who tell people they don’t understand I’ll use Kipling’s six honest serving men or point out where there are tautologies/fallacies etc. Most of the time you can refine understanding together.
In this case the person who said that there was an absolute negation of exploits... well that’s hardly credible and to your point easily falsifiable. In fact it’s so unusual for a security conscious person to leave themselves open with a statement like that I’d be very interested in their rationale for this position.
You are right on the point. Having been an auditor for many years and having successfully prosecuted many frauds, I tend to be quiet and gather information until I feel comfortable in my assessment. I still lack a lot of knowledge of my system because I cannot access the documentation. More importantly, I am lacking knowledge of two important cultures: my employer's and my client's. Thanks for answering.