Security teams themselves make these reports all the time. Internal tools do not have the same vulnerabilities as systems which operate on external data.