No. Just about anything without the asset owner's consent is unlawful. Only approved testing with published permission is compliant.Such as, in 2020, a major retail chain hired an moral hacker who found a important vulnerability within their payment processing technique. By addressing this c