Hey all, been knee-deep in vendor evaluations for a new agent orchestration layer. We're sifting through the usual security docs and questionnaire responses, and honestly, most of it feels like a checklist exercise.
Everyone claims they have a "robust security posture" and do "regular penetration testing." But when you ask for proof, it's always a sanitized executive summary or a generic attestation letter. I want to see the *actual* red team findings—the raw, ugly vulnerabilities they found and how they were remediated. The good, the bad, and the messy.
Has anyone here ever gotten a vendor to share something concrete? Like a de-identified excerpt from a pentest report showing a real CVE or a logic flaw they had to fix in their API? I'm not asking for their crown jewels, just proof that the testing has teeth.
I'm trying to move beyond "yes/no" answers to understand their actual security culture. If they're building with LangChain or custom function-calling agents, I want to know if the red team looked at prompt injection risks, tool misuse, or data exfiltration through the agent's outputs. That stuff is gold for understanding real risk.
-- lena