Manual vs automated penetration testing.
Half the security industry sells scans dressed up as pentests. Here is what each one actually does, what only a human can find, and when the cheap automated option is genuinely the right tool.
Scanner vs manual test, side by side
| Automated scanner | Manual penetration test | |
|---|---|---|
| Finds known CVEs | Yes — this is what scanners are built for | Yes — scanners are one input, then a human verifies |
| Finds logic and access-control flaws | No — structurally cannot reason about intent | Yes — the core of the manual pass |
| False positives | Common; every export needs human triage | Near zero — every finding is verified by hand |
| Validates exploitability | No — flags patterns, not proof | Yes — findings come with evidence of real impact |
| Cost | Free to a few hundred dollars/month | Traditionally $5,000–$20,000+; Bug Circuit from $49 |
| Speed | Minutes to hours, runs continuously | Days — a person works through your application |
Notice the pattern: the scanner wins on speed and cost, the human wins on everything that decides whether a finding is real and whether your business is actually at risk. That’s why the two are complements, not competitors — more on when a scanner is genuinely the right tool below.
Five things only a human finds
1. IDOR between customer accounts
Change /invoice/1042 to /invoice/1041 and you’re reading another customer’s invoice. A scanner sees two valid pages returning 200 OK. A human knows invoice 1041 belongs to someone else — because a human understands what an invoice is.
2. Role escalation
A “viewer” account calls the admin API endpoint directly and it works, because authorization was only enforced in the UI. Finding this requires creating accounts at different privilege levels and deliberately crossing the lines between them — something no scanner does on its own.
3. Price manipulation in checkout
The client sends the price, quantity or discount code to the server, and the server trusts it. Set the quantity to -1, replay a single-use coupon, or tamper with the amount before the payment call. Scanners don’t buy things; humans testing your checkout do.
4. Authentication-flow bypass
Skipping the OTP step by requesting the post-verification URL directly, resetting another user’s password because the token isn’t bound to the account, or downgrading an OAuth flow. Auth flows are sequences with intent — exactly the thing pattern matching can’t model.
5. Chained low-severity issues
A verbose error message plus user enumeration plus a weak rate limit — three “informational” findings a scanner would bury on page 30 — combine into a working account-takeover path. Chaining is judgment. It’s the single clearest dividing line between a scan and a test.
Why sub-$1,500 “pentests” are usually scans
Traditional manual penetration tests average around $18,000, with common ranges of $5,000–$20,000 and enterprise engagements reaching $100,000+. Even the “small business” floor at traditional firms sits around $3,500–$4,000, because consultancy day rates and scoping overhead don’t shrink just because your site is small.
So when a large vendor advertises a $500–$1,500 “penetration test,” the economics only work one way: it’s an automated scan with a templated report and a logo on the cover. That’s not fraud exactly — scans have value — but calling it a pentest misleads buyers into thinking their logic and access control were tested when nothing of the sort happened. Three questions expose it: Who performs the testing? Are findings manually verified? Does the methodology cover access control and business logic? Vague answers mean scan.
So is a $49 manual audit real?
Fair question — it’s the same skepticism we just told you to apply to everyone else. Here’s the honest answer: yes, it’s real manual testing, and it works at $49 because of what we removed, not what we faked.
- Productized small-site scope. No discovery calls, no custom statements of work, no project managers. The scope is fixed to the attack surface a small website actually exposes — which is what makes the price possible.
- One senior tester, repeatable methodology. A human engineer works the same structured checklist on every engagement: recon, auth flows, access control between roles, input handling, logic in forms and checkout.
- Written, verified findings. Every issue in the report was reproduced by hand — severity, evidence, plain-English impact and the exact fix. No raw scanner exports, ever.
- Authorized and legal. Domain-ownership verification plus a recorded Authorization to Test before anything active runs, with a 14-day money-back guarantee before the audit begins.
And what it is not: a $49 audit is not a multi-week enterprise engagement. It won’t cover a sprawling multi-tenant platform, internal networks, mobile apps or formal compliance frameworks — and if your scope is genuinely that big, we’ll say so before taking your money. For a small business website, though, the flaws that matter live exactly inside this scope. See the full pricing breakdown for what each tier includes.
When automated scanning is the right tool
After all that, here’s the part scan-skeptics skip: automated scanning is genuinely useful — as continuous monitoring between manual tests. A new CVE drops in a library you use; a deploy accidentally removes a security header; an expired certificate slips by. Scanners catch these in hours, and no human re-tests your site every night.
The workable pattern for a small business: a manual audit to establish a verified baseline and kill the logic and access-control flaws, then lightweight automated checks in between to catch drift and newly disclosed issues. That’s how we run the Signal plan’s 3 months of cover — and you can start the automated side yourself for free with our free website security check and the free security tools in the store.
Common questions
Is a vulnerability scan the same as a penetration test?
Can automated tools find business-logic vulnerabilities?
Why do scanners produce false positives?
Is a cheap pentest just an automated scan?
Should I use a scanner or a manual pentest?
How much does manual penetration testing cost?
Keep reading
Start where every good test starts — free
Run the free passive check on your domain. No login, no scanner spam, no impact on your site.