What a real security audit looks like

A checkbox audit produces a report that confirms you've done the expected things. It's not useless — those checks catch obvious gaps. But most real vulnerabilities are not in the checklist. They're in the business logic.

What we actually spend time on is understanding the system from an adversary's perspective: what is the highest-value action an unauthorized user could take, and what would it take to get there?