Most security audits we've been called in to second-opinion follow the same depressing pattern: a vendor runs an automated scanner, exports the report, slaps a logo on it, and bills six figures for a document that misses the issues an attacker would actually exploit.
The scanner tax
Automated scanners are excellent at finding the bottom 40% of security findings — out-of-date libraries, missing headers, weak ciphers. They cost almost nothing to run. They also miss everything that requires understanding your application's actual behaviour.
Real risks live in business logic. Can a customer move money between accounts that aren't theirs? Can a deactivated employee still authenticate via a stale API token? Can the password-reset flow be replayed against another account? Scanners cannot answer these questions because they don't know what your application is supposed to do.
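The three questions above are all authorization decisions, and each one comes down to a single missing check that no scanner can flag because the rule only exists in your head. The following Python is an added example, not code from the post or from any audited application: a constructed in-memory model (accounts, users, API tokens and reset tokens with made-up names) showing the vulnerable and hardened form of each decision side by side. The state, usernames and token strings are all assumptions chosen for illustration.

```python
"""Three business-logic checks a scanner cannot evaluate (constructed example)."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    owner: str
    balance: int


@dataclass
class User:
    name: str
    active: bool = True


@dataclass
class State:
    accounts: dict     # account id -> Account
    users: dict        # username -> User
    api_tokens: dict   # token -> username; a token row outlives the employee unless we check
    reset_tokens: dict # token -> username; single-use in the hardened flow


def sample_state() -> State:
    """Constructed data: alice is active, bob was deactivated but his API token still exists."""
    return State(
        accounts={"acc-1": Account("alice", 500), "acc-2": Account("bob", 100)},
        users={"alice": User("alice"), "bob": User("bob", active=False)},
        api_tokens={"tok-alice": "alice", "tok-bob-stale": "bob"},
        reset_tokens={},
    )


# 1. Moving money between accounts -------------------------------------------
def transfer_unchecked(st: State, caller: str, src: str, dst: str, amount: int) -> bool:
    """Vulnerable: validates the inputs a scanner would fuzz, never asks who owns `src`."""
    a, b = st.accounts[src], st.accounts[dst]
    if amount <= 0 or a.balance < amount:
        return False
    a.balance -= amount
    b.balance += amount
    return True


def transfer(st: State, caller: str, src: str, dst: str, amount: int) -> bool:
    """Hardened: the ownership rule is the part only someone who knows the business can write."""
    a, b = st.accounts.get(src), st.accounts.get(dst)
    if a is None or b is None or a.owner != caller:
        return False
    if amount <= 0 or a.balance < amount:
        return False
    a.balance -= amount
    b.balance += amount
    return True


# 2. API token held by a deactivated employee --------------------------------
def authenticate_unchecked(st: State, token: str):
    """Vulnerable: the lookup succeeds for as long as the token row exists."""
    return st.api_tokens.get(token)


def authenticate(st: State, token: str):
    """Hardened: a token is only as valid as the user behind it."""
    name = st.api_tokens.get(token)
    if name is None or not st.users[name].active:
        return None
    return name


# 3. Password-reset replay -----------------------------------------------------
def issue_reset(st: State, username: str) -> str:
    tok = secrets.token_urlsafe(32)
    st.reset_tokens[tok] = username
    return tok


def consume_reset_unchecked(st: State, token: str, username: str) -> bool:
    """Vulnerable: token checked for existence only (replayable) and the target
    account comes from the request, not from the token."""
    return token in st.reset_tokens


def consume_reset(st: State, token: str):
    """Hardened: single use, and the account reset is the one bound to the token."""
    return st.reset_tokens.pop(token, None)


def demo() -> dict:
    """Run each vulnerable/hardened pair on fresh sample state and collect the outcomes."""
    out = {}
    st = sample_state()
    out["unchecked_transfer_by_non_owner"] = transfer_unchecked(st, "bob", "acc-1", "acc-2", 50)
    st = sample_state()
    out["checked_transfer_by_non_owner"] = transfer(st, "bob", "acc-1", "acc-2", 50)
    out["checked_transfer_by_owner"] = transfer(st, "alice", "acc-1", "acc-2", 50)
    out["acc1_balance_after"] = st.accounts["acc-1"].balance
    out["stale_token_unchecked"] = authenticate_unchecked(st, "tok-bob-stale")
    out["stale_token_checked"] = authenticate(st, "tok-bob-stale")
    tok = issue_reset(st, "alice")
    out["reset_replay_unchecked"] = (consume_reset_unchecked(st, tok, "bob"),
                                     consume_reset_unchecked(st, tok, "bob"))
    out["reset_checked"] = (consume_reset(st, tok), consume_reset(st, tok))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Every function above would pass a scanner: no injection, no outdated dependency, no weak cipher. The defect in each vulnerable variant is a missing line, and the only way to notice it is to know that `src` must belong to `caller`, that a deactivated user's token must stop working, and that a reset token must be consumed once and decide for itself which account it resets.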
What a serious audit looks like
A defensible security audit combines three layers:
- Automated scanning for the known-knowns — fast, cheap, comprehensive on common vulnerabilities
- Manual application review by an engineer who reads code and exercises real workflows
- Threat-model-driven testing targeting the specific abuses that would hurt your business most
The first layer takes a day. The second takes a week. The third can take two weeks per critical workflow. There's no shortcut.
Questions to ask your next auditor
"Show me a finding from a previous audit that a scanner could not have found on its own."
If they can't produce one, you're paying for the scanner tax.