JamesKehr Sadly it doesn't surprise me at all... There are a lot of so-called "pentesters" who don't even know how to run a vulnerability scanner properly, let alone actually understand how the systems they're looking at function. Vulnerability scanners have all kinds of problems that need to be worked around. For instance, the common scanner Nessus won't report if it can't resolve a target (i.e. you mistype the hostname); it just won't appear in the report. If a host resolves to multiple addresses, only one gets scanned and the others are silently ignored. Many scanners will silently ignore IPv6 - not scanning it at all, but also giving you absolutely no warning that your site has an AAAA record which hasn't been touched. Many scanning and pentest companies will also ask for IP addresses as targets, but a lot of protocols (especially HTTP or SSL) often need the correct hostname (e.g. HTTP/1.1 virtual hosting) in order to reach the hosted content; if you only know the IP you will miss lots of things.
They get away with it because pentest reports are "by exception", i.e. if you receive an empty pentest report does it mean your network is very secure? Or does it mean the tester did a poor job? This combined with a race to the bottom, clients demanding ever cheaper pentest services and in many cases actually wanting an empty report (it gives them less work to do if there's nothing they need to fix).
If you have a spare few minutes, take a look at http://simplectf.ev6.net - this is a very simple capture the flag, meant to test basic networking knowledge rather than any specialist techniques. Many pentesters fail to get all or some of the challenges, yet someone with a good experience of networking and no pentest experience got them all in 20 minutes.
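A pre-scan coverage check for the gaps the comment above lists (unresolvable names, hosts with several addresses, untouched AAAA records, IP-only targets), added here as an example and not part of the original post. The function names, the `.example` hostnames and the documentation-range addresses are constructed for illustration; `system_resolver` is the only part that touches real DNS.

```python
import ipaddress
import socket

def system_resolver(host):
    """Return every A/AAAA address the local resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

# Constructed sample zone so the example runs offline.
CONSTRUCTED_DNS = {
    "www.example": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
    "single.example": ["192.0.2.20"],
}

def fake_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])

def is_ip_literal(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def audit_targets(targets, resolve=system_resolver):
    """Flag targets a scanner may silently skip or only partly cover."""
    report = {}
    for target in targets:
        notes = []
        if is_ip_literal(target):
            # No hostname means name-based content (virtual hosts) is unreachable.
            addrs = [target]
            notes.append("ip-only")
        else:
            addrs = resolve(target)
            if not addrs:
                notes.append("unresolved")          # would vanish from the report
            if len(addrs) > 1:
                notes.append("multiple-addresses")  # each address needs its own scan
            if any(ipaddress.ip_address(a).version == 6 for a in addrs):
                notes.append("ipv6")                # confirm the scanner covers AAAA
        report[target] = {"addresses": addrs, "notes": notes}
    return report

if __name__ == "__main__":
    scope = ["www.example", "wwww.example", "single.example", "192.0.2.10"]
    for name, result in audit_targets(scope, fake_resolver).items():
        print(name, result["addresses"], result["notes"])
```

Comparing this output against the hosts that actually appear in the finished scan report shows which in-scope addresses were never tested.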