One of our clients is forcing us to share a web penetration testing report. We do all kinds of security testing ourselves, but they wouldn't accept our reports. The client policy requires the vendors to share a third-party report. I spoke to a bunch of penetration testing companies. It seems they do basic tests and charge ridiculously high prices. My question is, is it worth doing web penetration testing? Has anyone found it helpful beyond the checklist need?