Re: Where do you draw the line?
This was a fair measure of testing, as physical access is also a core requirement for meeting any compliance and legal obligations.
As for Coalfire, they're a massive organisation you've never heard of, especially in the PCI-DSS world (They are the auditors for AWS).