Why Automated Scanners Miss the Vulnerabilities That Actually Get You Breached
A green dashboard is a dangerous thing. You ran the scanner, it found a few medium-severity issues, you fixed them, and now everything reads "passed." It feels like security. Often, it's the opposite — a false sense of safety draped over the exact flaws an attacker will use.
What Scanners Do Well
They're genuinely useful, and ZeroSight360 runs them on every engagement. They're fast, cheap, and tireless at breadth: known CVEs in dependencies, missing security headers, default credentials, exposed services, common misconfigurations. For finding the low-hanging fruit at scale, nothing beats automation.
But the vulnerabilities that actually breach companies tend to live in the places a scanner structurally cannot reach.
The Four Classes of Flaw Scanners Miss
1. Business Logic Flaws
A scanner doesn't know what your application is for. It can't reason that a user who skips the payment step still gets the premium feature, that a coupon can be applied infinitely, or that an order can be cancelled and refunded after the goods ship.
These are flaws in intended functionality used in an unintended way — and they require a human who understands the business to even conceive of them.
2. Access Control Gaps Between Roles and Tenants
A scanner can test whether a page loads. It generally can't tell that user A can load user B's invoice by changing a number in the URL, or that a standard user can reach an admin function by calling the API directly.
Broken access control is consistently among the most common serious findings in real applications — and confirming it requires authenticating as multiple users and deliberately crossing boundaries.
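The multi-user boundary check described above, written as an added example that is not from the original article: a constructed two-tenant invoice API with an explicit policy oracle, a vulnerable handler that trusts the number in the URL, a fixed handler, and a matrix that calls the API as every user against every resource and action and reports what succeeded but should not have. All users, invoices, handler names and the policy are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    role: str          # "user" or "admin"

# Constructed sample data: two tenants, one admin in tenant "acme".
INVOICES = {101: {"tenant": "acme"}, 202: {"tenant": "globex"}}
USERS = [User("alice", "acme", "user"), User("bob", "globex", "user"),
         User("carol", "acme", "admin")]

class Forbidden(Exception):
    pass

def policy(actor: User, invoice_id: int, action: str) -> bool:
    """The intended rule, written down explicitly (assumed for this example):
    reads stay inside the caller's tenant; 'refund' is an admin-only function,
    also tenant-scoped. This is what a human tester has to know to judge."""
    same_tenant = INVOICES[invoice_id]["tenant"] == actor.tenant
    return same_tenant and (action == "read" or actor.role == "admin")

def vulnerable_api(actor: User, invoice_id: int, action: str) -> dict:
    """Looks the invoice up by id only: the number in the URL is the whole
    access check, and the admin action is reachable by anyone who calls it.
    A single-session scanner sees every one of these requests load fine."""
    return {"invoice": invoice_id, "action": action}

def fixed_api(actor: User, invoice_id: int, action: str) -> dict:
    """Enforces the policy server-side on every call, tenant and role alike."""
    if not policy(actor, invoice_id, action):
        raise Forbidden(f"{actor.name} may not {action} invoice {invoice_id}")
    return {"invoice": invoice_id, "action": action}

def cross_boundary_matrix(api) -> list:
    """Exercise the API as every user against every invoice and action, and
    return the (user, invoice, action) calls that succeeded although the
    policy forbids them. Empty result means no boundary was crossed."""
    violations = []
    for actor in USERS:
        for invoice_id in INVOICES:
            for action in ("read", "refund"):
                try:
                    api(actor, invoice_id, action)
                    succeeded = True
                except Forbidden:
                    succeeded = False
                if succeeded and not policy(actor, invoice_id, action):
                    violations.append((actor.name, invoice_id, action))
    return violations
```

Running the matrix against the vulnerable handler reports eight cross-tenant or cross-role successes; against the fixed handler it reports none.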
3. Chained Vulnerabilities
Real attacks are rarely a single exploit. They're a chain: a low-severity information disclosure reveals an internal endpoint; that endpoint has a weak access check; that access yields a token; that token unlocks something serious.
Each link might be "low" or "medium" in isolation. A skilled tester assembles the chain and demonstrates the combined impact — which is the only impact that matters to an attacker.
4. Context-Dependent Severity
A scanner scores a finding by its technical signature. It doesn't know that this particular endpoint touches your most sensitive customer data, sits outside your WAF, and is reachable unauthenticated. Real risk is technical severity plus business context.
ZeroSight360
Security Researcher at ZeroSight360