As opposed to needing to dip their toes in “illegal” conduct and making their income streams unsound or too risky in terms of legal liability by doing ransom demands

  • Bahnd Rollard@lemmy.world · 19 hours ago

    Most white hat pen testers apply their trade under contract for security audits. A lot of companies, especially those that work for governments, have requirements to get security audits regularly. It is not outside the realm of reason to hire a company, lay out the rules of engagement, have them assign a team to try to break in, and detail what they did and any vulnerabilities that were found.

    The flip side is that these people are paid very, very well to do this (especially people who will risk their skin on physical security). They take a very “defense against the dark arts” methodology: the best way to teach people how to defend against attacks is to actually attack them and tell them where they messed up. For that reason, you get conventions like DEFCON where security experts from alphabet soup agencies, the private sector, and white, black and grey hats all meet to see what the others are doing. The presentations are a blast to watch, if you can understand the arcane runes and rituals of the world's best security wizards.