In this case study, we examine a multinational technology company that approached our team of security experts to perform a closed-box penetration test against their complex web application. The client, having previously received annual penetration tests from an external PTAAS (Penetration Testing as a Service) provider, expressed concerns about the quality of findings and their relevance to driving actual security improvement. The focus was on identifying vulnerabilities that had real-world significance, rather than low-impact findings.