Apviso

How do you currently test your app for real vulnerabilities?


From what I’ve seen, most tools rely a lot on automated scans and predefined checks. In reality they often miss issues that only show up during real pentesting.

I’m curious how you approach this.

Do you use automated scanners, manual pentests, or a mix of both?
What frustrates you the most about the tools you use today?
Have you ever found a serious issue that your tools completely missed?

Would be great to hear real experiences from others.



Replies

Michael Tichoň

I have never tested my apps; I always relied on Laravel and hoped that they make sure the app is secure. I had a chance to run a test at apviso and was really impressed with the results. It even tested e-commerce functions such as adding products to the cart and found some interesting "bugs" with out-of-range integers (e.g. it tried to add a product to the cart with a quantity of 1000000000000000). Can't wait for more features.

Danny

When testing, I use a combination of both approaches. What bothers me most about automated tools is that they act like black boxes, and I have no control over exactly what was tested or how. That’s exactly why I prefer manual testing. The biggest pain point for me in testing is generally writing the report. I enjoy the testing itself, but the administrative work and the huge amount of time wasted on creating the report are a nightmare for me.

Pavel Hanuš

Honestly, relying purely on automated scans is a bit of a trap. They’re great for coverage and speed, but they only go as far as what they’re designed to look for.

From my experience, the real issues usually show up when you combine automation with actual thinking. Things like business logic flaws, edge-case abuse, or chaining multiple “low” findings into something critical: that’s where manual testing (or at least guided testing) makes a huge difference.

What frustrated me the most with traditional tools is that they either:

  • give you tons of noise with little context, or

  • miss anything that’s slightly outside the OWASP checklist

I’ve seen cases where scanners reported “all good”, but a simple tweak in how the app handles input (like extreme values, unexpected sequences, or API misuse) led to pretty serious issues.

That said, I don’t think it’s about automated vs manual anymore. The interesting space right now is somewhere in between, where automation is smart enough to simulate real user behavior and go beyond static checks, but still leaves room for deeper validation.

That’s where I’ve personally seen the biggest value.
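A worked illustration of the out-of-range cart quantity Michael describes and the “extreme values” Pavel mentions, added here as an example (this is not code from the thread, from Apviso, or from Laravel). It assumes a hypothetical per-line quantity limit, stock level and price, and shows an unvalidated add-to-cart handler beside a hardened one, plus a small boundary probe that reports which inputs each handler accepts.

```python
"""Boundary probe for an add-to-cart quantity parameter.

Added example, not code from the original thread or from Apviso/Laravel.
The two handlers, the limit, stock and price are hypothetical; the probe
values are constructed to mirror the out-of-range quantity quoted above.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MAX_QTY_PER_LINE = 100          # assumed business limit per cart line
STOCK = {"sku-1": 25}           # constructed inventory
PRICE_CENTS = {"sku-1": 1999}   # constructed price


@dataclass
class CartResult:
    accepted: bool
    qty: Optional[int]
    total_cents: Optional[int]
    error: Optional[str] = None


def naive_add_to_cart(sku: str, qty_param: str) -> CartResult:
    """Typical unvalidated handler: casts the parameter and multiplies.

    Accepts negative quantities (negative line total), zero, and absurdly
    large values, and never checks stock.
    """
    try:
        qty = int(qty_param)
    except ValueError:
        return CartResult(False, None, None, "not an integer")
    return CartResult(True, qty, qty * PRICE_CENTS[sku])


def hardened_add_to_cart(sku: str, qty_param: str) -> CartResult:
    """Same operation with explicit type, range and stock checks."""
    if not qty_param.isdigit():            # rejects "-1", "1e3", " 5", ""
        return CartResult(False, None, None, "quantity must be a positive integer")
    qty = int(qty_param)
    if qty < 1 or qty > MAX_QTY_PER_LINE:
        return CartResult(False, None, None, f"quantity must be 1..{MAX_QTY_PER_LINE}")
    if qty > STOCK.get(sku, 0):
        return CartResult(False, None, None, "insufficient stock")
    return CartResult(True, qty, qty * PRICE_CENTS[sku])


# Boundary values a tester would send, constructed for this example.
PROBES = ["0", "-1", "1", "25", "26", "100", "101",
          "2147483648",            # 2**31: 32-bit signed overflow boundary
          "1000000000000000",      # the value quoted in the thread
          "9223372036854775808",   # 2**63: 64-bit signed overflow boundary
          "1e3", "abc", ""]


def probe(handler: Callable[[str, str], CartResult]) -> Dict[str, bool]:
    """Run every probe through a handler and record what it accepted."""
    return {p: handler("sku-1", p).accepted for p in PROBES}


def suspicious_acceptances(handler: Callable[[str, str], CartResult]) -> List[str]:
    """Return probes the handler accepted that it should have rejected.

    Anything outside 1..min(MAX_QTY_PER_LINE, stock) counts as a finding.
    """
    limit = min(MAX_QTY_PER_LINE, STOCK["sku-1"])
    findings = []
    for p, accepted in probe(handler).items():
        if accepted and not (p.isdigit() and 1 <= int(p) <= limit):
            findings.append(p)
    return findings


if __name__ == "__main__":
    for name, h in (("naive", naive_add_to_cart), ("hardened", hardened_add_to_cart)):
        print(f"{name:9s} accepted out-of-range: {suspicious_acceptances(h)}")
```

The naive handler happily books a negative line total for `-1` and a quantity far above stock for the value quoted in the thread, while the hardened one rejects everything outside `1..25`. In a Laravel request the equivalent of the hardened checks is a validation rule such as `'qty' => 'required|integer|min:1|max:100'`, with the stock comparison done separately against the product record.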

Matěj Brožek

I usually use a mix, but honestly I trust manual testing way more. Automated scanners are fine for catching obvious stuff, but they miss anything that depends on real user behavior or business logic. What frustrates me most is that they make it feel like you’re “covered” when you really aren’t. Some of the more interesting issues I’ve found came from just trying weird edge cases or thinking through how features interact, not from any tool. So for me, scanners are just a starting point; the real value is in actually poking at the system and trying to break it.