My opinion: if your staging environment is **exactly the same** as production, then it is valid to security test and expect the same results. But your staging environment is likely a test bed to flush out bugs that are hard to debug in production. Most staging environments run the same software as their production counterparts, but the scale (number of servers, data centers, etc.), network rules and infrastructure are far different, to lessen the cost. Even a simple example of production spanning 3 data centers vs a single DC for staging is a large difference to an attacker, who is looking at surface area as part of their attack.
Other thoughts?