Offensive SecurityMay 14, 2026 · 5 min read

A scan is not a pentest

Automated scanners find what they are told to look for. Attackers do not read the rulebook.

Written by

Raptoric Offensive Security

LinkedInX / TwitterCopy link

A scanner is a checklist with a CPU. It is fast, cheap, and useful for catching the obvious. But it only finds the classes of bug it already knows, and it cannot chain three small flaws into one serious breach. Real attackers do exactly that, every day.

What the scan misses

Business-logic flaws are invisible to a scanner because they are not bugs in the usual sense, the code works as written. A scanner will not notice that changing one ID in a request hands you another customer’s data, because nothing crashed and no signature matched.

Authorization gaps that only appear when you act as the wrong user.
Multi-step abuse where each step looks legitimate on its own.
Logic you can bend, discount codes, rate limits, approval flows.

What a real test adds

A manual-first engagement starts from intent: what is this system worth to an attacker, and how would one actually take it? We use scanners to clear the noise, then spend our time where judgment matters. The deliverable is not a list of CVEs. It is an attack path, proven, with the evidence to reproduce it.

You do not get breached by the bug in the report. You get breached by the three the report never connected.

Want this tested on your own systems?

A senior engineer will scope it with you on a 30-minute call.

Book a scoping call

Keep reading

All insights →

01Security Program & Risk

NIS2 explained: who is in scope, what it requires, and the deadlines

Read →10 min read

02Offensive Security

How much does a penetration test cost?

Read →9 min read

03Offensive Security

Penetration testing services: what you actually get

Read →10 min read