A good friend of mine is an executive at a major firewall company. At lunch one day the subject came up that our company finds more issues than any other reseller out there. At first I was shocked and I responded with "Really"? His response was "Absolutely. You guys are the only ones pushing the product and trying to make it do things that no one else is doing".
This is actually synonymous with our business. We don't set out to just "get it to work", rather we set out to get the most out of any specific product and then look for its weaknesses.
A firewall, for example, is only as good as the person installing it. There is no product that is secure by default. Any vendor that says so is lying. My car has the ability to be safe but if I don't operate it properly it can cause mass damage. This requires people to work on the configuration, write the policies in a way fitting to the business, then look for a weakness. Once a weakness is found find a fix. Then look for more. We can never stop.
Attackers focused on a company will do this exercise repeatedly to find a way in. They will miss hundreds of times before they find that weakness; and when they do they will exploit it for everything they can get.
A true security organization does not simply install firewalls, they manage them and they break them. Almost every firewall has promise and the ability to do yeoman work to protect a network. The key is to have someone install it willing to do this work. Someone to ignore the noise and the common practices of so many IT organizations and make a ruckus by trying to break things. Not to belittle the firewall brand, rather to defend a company against the threats they face. Here is the key, only companies willing to no wear a badge of a vendor can do this. I cannot enter into an honest debate with someone over motorcycles if they have a Harley-Davidson tattoo. They already made their choice and will defend it at all costs.
I am using firewalls as an example but we are not limited to that by any stretch. We like to break everything. Firewalls, SPAM engines, log managers, switches, wireless, etc. In meeting I can be heard saying "Let's break it" and then we can find the weakness. Maybe it goes back to my Lego roots. As a child I would get a brand new set and follow the directions to build it. After a day or two, or an hour in some cases, I would start the process of making it better. Sometimes that meant breaking the whole set and building it the way I saw fit. I ignored the common practice and went my own way. My son does this today. He wants specific Lego sets but then wants to make them his own.
We are in business to make companies more secure and have better defenses. That means we will push, question, and break everything we can to give you a true assessment of your security posture.