Re: It is all about penetration testing
I've never heard of any institution that permits pen-testing of its actual deployed core infrastructure.
Really? Maybe they're just not telling you about it. Current employer does it, one before that I wasn't in a position to know, the one before that did it, the one before that did it... and that takes me back to 2005. (I know they did, because I commissioned them. One's a highly regulated FS firm, ditto previous, before that a provider of hosted services with many large corp and public sector customers.)
What you do is to tell them about specific systems / IPs / hostnames considered production, and make sure they know to be extremely careful with them, and to make sure you monitor / supervise any progress they make.