They dumped files containing in-house developed exploits onto the system and ran on-demand AV scans.
I don't have a problem with the source of the exploits, and would point out that they claim to have run on-access scanning as well.

What I do have a problem with is that a lot of the "exploits" were only POCs and didn't have a payload, so they weren't actually trying to do anything threatening. Given the rapidity with which new malware or variants are being produced, I am hardly surprised that there aren't signatures or patterns for them... behavioral analysis would seem to be the more effective way to go?

Another thing I noticed was that they used WinZip or whatever... I am willing to bet that if I used my copy of UPX to pack the files it would be a different story.

Basically all they appear to have done is "read" the files and it is unclear what would have happened if the "exploit" had attempted to write to the Registry, install an application, alter files, phone home, and so on?

I still maintain that a "vulnerability" is a function of the application and the correct approach is to patch it, not expect your security suite to protect you. Unfortunately I know far too many people who do not appreciate that subtlety.