My point is that while they don’t believe they did a pen test, it’s very possible that their standard correctness testing of security related features was sufficient to meet a broad definition of the term.