The majority of data breaches are not caused by targeted attacks (i.e. by an attacker who has specifically chosen to target your company and its web applications). For the most part, attackers don't care who you are; they simply want control of your systems to mine cryptocurrency, host malicious content, or stage further attacks against other parties.

These random, opportunistic attacks are made possible by tooling such as 'Autopwn', which takes the results of mass internet scans or public search engines, matches the vulnerable systems it finds to known exploits, and runs them automatically with no human judgement involved. (The WannaCry ransomware worked the same way: it spread by exploiting any reachable system with the unpatched SMB flaw it targeted, regardless of who owned it.)

That's why Intruder continuously checks all of your internet-facing systems from an unauthenticated perspective, i.e. as an outsider with no credentials, looking for the security misconfigurations and known vulnerabilities that an opportunistic attacker could exploit.

Of course, in some cases attackers can get past the login page, for example because your application lets anyone register an account, or because a legitimate user is malicious or has had their credentials stolen. In that case it also makes sense to check behind the login (known as authenticated scanning) and ensure you don't have any weaknesses there either.

However, that's not something we offer at the moment, and the reason for that is two-fold:

  • The most serious weaknesses in web applications are often 'business logic' flaws: the application does exactly what it was built to do, but that intended behaviour can be abused. Nothing in the request or the response is malformed, so an automated scanner has no way to recognise the problem.
    A real-world example: an application that lets one user open another user's shopping cart and see what they bought.

  • Many modern applications are Single-Page Applications, where the pages are assembled in the browser by JavaScript and the data comes from back-end API calls. Scanners that crawl HTML links find little to test in such an application, so they struggle to cover it effectively.
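To make the shopping-cart example concrete, here is an added illustration (not Intruder's code, and not from any real application) of the business-logic flaw described above, written as a plain Python request handler so it runs without a web framework. The users, cart IDs and items are constructed for the example. The vulnerable handler and the hardened one return identically well-formed responses; the only difference is an ownership check, which is exactly the kind of thing a scanner cannot infer from the traffic.

```python
"""Added example: an insecure direct object reference (IDOR) on a
shopping-cart lookup, beside its hardened form.  All data is constructed."""

from dataclasses import dataclass, field

# Constructed sample data: two users, each with one cart.
CARTS = {
    101: {"owner": "alice", "items": ["laptop", "headphones"]},
    102: {"owner": "bob", "items": ["bicycle"]},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def get_cart_vulnerable(cart_id: int, current_user: str) -> Response:
    """Looks the cart up by ID only.  The caller is authenticated (we know
    who current_user is) but the handler never checks that they own the
    cart, so any logged-in user can read any cart by changing the number.
    The response is valid JSON with status 200 either way, so nothing in
    the traffic looks wrong to an automated scanner."""
    cart = CARTS.get(cart_id)
    if cart is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"items": cart["items"]})


def get_cart_hardened(cart_id: int, current_user: str) -> Response:
    """Same lookup, plus an ownership check before any data is returned.
    A cart that exists but belongs to someone else is reported exactly
    like a cart that does not exist, so the endpoint cannot be used to
    enumerate which cart IDs are in use."""
    cart = CARTS.get(cart_id)
    if cart is None or cart["owner"] != current_user:
        return Response(404, {"error": "not found"})
    return Response(200, {"items": cart["items"]})


def carts_readable_by(handler, user: str, id_range=range(100, 106)) -> list:
    """What a human tester (or attacker) does by hand: walk a range of cart
    IDs as the given user and keep the ones that came back successfully."""
    return [cid for cid in id_range if handler(cid, user).status == 200]


if __name__ == "__main__":
    print("bob, vulnerable:", carts_readable_by(get_cart_vulnerable, "bob"))
    print("bob, hardened:  ", carts_readable_by(get_cart_hardened, "bob"))
```

Run as a script, the vulnerable handler lets bob read both carts while the hardened one returns only his own. Note that no input was malformed and no error was triggered at any point; finding this requires knowing that cart 101 should not be visible to bob, which is business knowledge rather than something derivable from the HTTP exchange.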

That said, we do have our eyes set on solving these problems, so do check back. And in the meantime, if you are looking for a solution to help with authenticated web-app scanning, it might be worth reading about our consultancy services. Of course, if you have any further questions or queries, feel free to pop us a message via the chatbot.
