>get sued a week later when a real hacker breaks into their system and the IT department notices a security flaw that would easily be addressed by the first few steps in pen testing
Points out where working with me gives no security guarantees, that they accept when agreeing to allow me to hack them, either in person, writing, or electronic communications, along with allowing the terms to change at any time, for any reason, without notice.
Pen tests aren't cheap. Even basic ones are ~$20k. There's only 2 types of companies that bother with them: ones that care about cybersecurity and ones that have to do it for compliance (PCI/CMMC/etc). Both will have some kind of IDS and a SIEM.
I'm pretty lazy, but I'd at least run a port scan so I have something to submit in a report. That takes a few minutes to run and can be scheduled to run daily so there's something in their logs.
That said, our audits always turn up something new (usually benign), so I'd be very suspicious of an "all clear" result.
Also, even without a prior pentest the admins should have a rough idea where problem areas are (or maybe even know them for a fact but cannot completely patch/disable them to not lock out legacy systems or so). A completely empty report would definitely raise suspicions.
LOL. I wish it was that easy. Also, if you say you did a pen test but didn't, then the client gets hit through an exploit you said you checked or should have checked for, you and your company are done.
Not how that works. They will go after the company and individuals. You can bet that fraud charges will be filed with the police and don't think that wire fraud with the feds is out of the question.
At least do some auto scans with WebCheck, Shodan, nmap + vulnerability scans and some basic OSINT on their boss so you can report something and at least spook them a little bit.