Penetration tests can obviously help harden a company's security profile, but are there any risks that stem from the pen tests themselves? Should companies place any limits on what a pen test can do?