I've had them confidently tell me they verified functionality by decrypting a TLS session even though that was impossible because I hadn't yet implemented a way to expose ephemeral TLS keys and there was no way to do it from the other side of the link.