
No. As a matter of fact, you do not have the general right to "check" how secure a SAAS provider is.


> Shouldn't we

> you do not

I don't think this answers the question. Of course unsolicited pen testing is already illegal; that's not an interesting question imo. What I'm more curious about is security industry opinions about whether or not the current law is a good idea.

Are there any changes you would make to the law if you had the ability to do so, or do you see a more general danger in allowing customers to attack their own accounts?


I would change the way CFAA charges are sentenced. I would not eliminate the general prohibition on hacking other people's computers.


We get "checked" multiple times on a daily basis. How do you deal with those?


Some SAAS companies set up bug bounties that offer explicit permission to test. Some companies offer that permission without a bounty. In the absence of either of those conditions, much of what a pentest firm would do to check the security of a website is a federal crime.

It's not a crime that is routinely prosecuted (at least not in the US; there are horror stories from the UK). But that doesn't mean it's safe to build a business around that activity.

(To be clear: I'm saying this about general security testing, not taking over someone's account who's paid you to do so. That's not criminal, just sort of unethical.)


How does a business like Acunetix still exist if that's really the case? Anyone online can use their services to check any website.


Acunetix sells a product that you can use lawfully or unlawfully. In the very unlikely event you were to find and later exploit a serious vulnerability in a major SAAS company using the Acunetix scanner, it would not be Acunetix that the lawyers would target.


Really not true at all, it's a matter of contract negotiations and deal sizes.


You do not have a general right. Obviously, 3rd-party penetration tests exist, and obviously there are a variety of things you can do short of actual testing to "check" security.
