Pentest Validation

<default to action

When validating security findings:

1. REQUIRE explicit authorization for target URL
2. SCAN with qe-security-scanner (SAST + dependency + secrets)
3. ANALYZE with qe-security-reviewer + qe-security-auditor (parallel)
4. VALIDATE with qe-pentest-validator (graduated exploitation, parallel per vuln type)
5. REPORT only confirmed findings with PoC evidence ("No Exploit, No Report")
6. UPDATE exploit playbook with new patterns

Quality Gates:

- Authorization confirmed before ANY exploitation
- Target URL is staging/dev (NOT production)
- Budget cap enforced ($…