BreachFix
All posts
2 min readBreachFix

A scan is not a pentest, and buyers can tell

pentestcompliance

There's a quiet bait-and-switch in the security market: a vendor runs an automated scanner, exports the PDF, and calls it a "penetration test." Auditors know the difference. Mature buyers know it too. If you're paying for security, you should know it as well, because you're often paying pentest prices for scan-quality work.

What a scanner actually does

A scanner like ZAP or Nuclei fires known checks at your app and reports anything that matches a signature. That's useful: it's breadth, fast and cheap. But it has two problems that matter:

  • False positives. Scanners flag things that look wrong but aren't exploitable in your context. Someone still has to verify each one.
  • No business logic. A scanner doesn't understand that user A should never see user B's invoice. It can't reason about your app's actual rules, so it misses the flaws that cause real breaches.

A raw scanner report is an input to a test. It is not the test.

What a penetration test adds

A real pentest is a human (increasingly, a human plus an AI agent) actively trying to break in and proving it. The deliverable isn't "this looks vulnerable." It's "here is the request, here is the data it returned, here is the account I took over." Each finding carries a working proof-of-concept and a severity you can trust.

That proof is the whole point. It's what lets you prioritize honestly, what an auditor accepts as evidence, and what turns "we should probably fix that" into "we fixed the three things that could actually hurt us."

Why the distinction is worth money

  • Auditors require validation. For SOC 2, HIPAA, or PCI, an assessor wants evidence a competent tester actually attempted exploitation, not a tool's guess.
  • Enterprise buyers read the report. When your customer's security team reviews your pentest to approve the deal, a repackaged scan is obvious and it costs you credibility.
  • You fix the right things. Unvalidated findings send teams chasing false positives while the real broken-access-control bug sits in production.

How to tell what you're buying

Ask one question: does every critical finding come with a reproduction? If the answer is a list of severities with no proof of exploitation, you bought a scan. If each serious finding has steps, a request, and evidence, you bought a test.

We lead with scanning because it's the fast, cheap first pass, then we prove what's real. The proof is what you're actually paying for.

Want us to check your app for this?

We prove what’s exploitable and hand you a clear report. Share your app and we’ll confirm scope.

Start an audit →