
Auto Alpha Security · Case file

A done-for-you web-application security scan that reproduces every confirmed finding against your live site — then hands you the proof, mapped to the frameworks your auditors use.

0 false positives on confirmed findings · 4 frameworks cited per finding · 1 operator, ownership-verified

Live — the confirmation, running
Finding queue: 4/6 confirmed
Verdict: against live site

Unauthenticated remote code execution

GET /api/spawn?command=id
  • payload sent
  • uid=0(root) gid=0(root)
  • baseline: no signature
  • negative control: passed
Confirmed · CVSS 9.8 · CWE-78 · OWASP A03 · MITRE T1190

Illustrative — real findings from our sample scan

Exhibit 01 / 10 · Why now

You’re already required to protect this data. Can you prove you do?

POPIA §19 requires any business handling personal information to take “appropriate, reasonable technical measures” — and to check they actually work. A security test is how you show it.

And it’s not only the regulator asking. Increasingly it’s your bank, clients, and insurer who want proof your app has been tested before they’ll sign, fund, or cover you. A confirmed scan is that proof.

Over 2,300 data-breach notifications were reported to South Africa’s Information Regulator in 2024/25 — enforcement is shifting from reactive to proactive.

Request a scan → (obligation, not fear)
Exhibit 02 / 10 · The confirmation

How a finding earns the word Confirmed.

Every finding starts as a lead. Only the ones we can reproduce against your live site — with a clean baseline and a passing control — ever reach your report. Here’s that path, scrubbed against a real finding from our sample scan.

1/3 · Lead

A lead is raised.

A scanner flags a possible command injection on a request parameter. On its own, that's a guess — most tools would hand it to you exactly here, unproven, mixed in with the false positives.

Reproduction record 1/3
request
GET /api/spawn?command=id
target
— pending
baseline
— pending
control
— pending
2/3 · Evidence-backed

Evidence is gathered.

We send the payload against your live site and read the response. The signature of code execution is present — root's user id comes back. That's evidence, not yet proof: we still have to rule out a coincidence.

Reproduction record 2/3
request
GET /api/spawn?command=id
target
uid=0(root) gid=0(root) · signature present
baseline
— pending
control
— pending
3/3 · Confirmed

The finding is confirmed.

We re-run it against a benign-control baseline where the flaw shouldn't fire, and a negative control that should fail. The baseline stays clean, the control passes, the exploit reproduces. Now it's Confirmed — with the proof attached, so you can re-run it yourself.

Reproduction record 3/3
request
GET /api/spawn?command=id
target
uid=0(root) gid=0(root) · signature present
baseline
benign-control · no signature · absent
control
negative control · passed
  • CWE-78
  • OWASP A03
  • MITRE T1190
  • NIST PR.PS

Illustrative — from our sample report against a public test app
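The confirmation path the exhibit describes, as an added worked example (not the page's or Auto Alpha's own tooling): a small Python triage routine that takes the three captured responses of a reproduction record and returns the verdict the exhibit walks through. It runs entirely offline over constructed response bodies; the `uid=…` signature pattern, the way the benign baseline and negative control are modelled, and all sample responses are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Signature of code execution the sample finding looks for: the output of `id`
# (uid/gid of the process the command ran as). The regex is an assumption.
ID_SIGNATURE = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+\([^)]*\)")


@dataclass
class ReproductionRecord:
    """One finding's record, mirroring the rows of the page's exhibit.

    Each response field holds the captured HTTP response body for that probe,
    or None while the probe is still pending.
    """
    request: str                    # the request under test, as on the page
    target: Optional[str] = None    # response to the payload against the live site
    baseline: Optional[str] = None  # benign control: same endpoint, no payload; must stay clean
    control: Optional[str] = None   # negative control: a probe expected to fail (no signature)


def stage(rec: ReproductionRecord) -> str:
    """Which of the exhibit's three stages the record has reached."""
    if rec.target is None:
        return "1/3 Lead"
    if rec.baseline is None or rec.control is None:
        return "2/3 Evidence-backed"
    return "3/3 Verdict"


def verdict(rec: ReproductionRecord,
            signature: "re.Pattern[str]" = ID_SIGNATURE) -> Tuple[str, str]:
    """Return (verdict, reason) for a record.

    'Confirmed' needs all three at once: the signature appears in the target
    response, is absent from the benign baseline, and the negative control
    fails (no signature). Anything else stays a lead, stays evidence-only,
    or is rejected as a false positive.
    """
    if rec.target is None:
        return "Lead", "not yet reproduced against the live site"
    if not signature.search(rec.target):
        return "Rejected", "payload sent but no execution signature in the response"
    if rec.baseline is None or rec.control is None:
        return "Evidence", "signature present; baseline and control still pending"
    if signature.search(rec.baseline):
        return "Rejected", "signature also present in the benign baseline (static content or coincidence)"
    if signature.search(rec.control):
        return "Rejected", "negative control did not fail, so the payload is not what produced the match"
    return "Confirmed", "reproduced; absent in benign-control baseline; negative control passed"


def render(rec: ReproductionRecord) -> str:
    """Render the record in the page's 'Reproduction record' layout."""
    def cell(body: Optional[str], present: str, absent: str) -> str:
        if body is None:
            return "— pending"
        return present if ID_SIGNATURE.search(body) else absent

    v, reason = verdict(rec)
    return "\n".join([
        f"Reproduction record {stage(rec)}",
        f"request   {rec.request}",
        f"target    {cell(rec.target, 'signature present', 'no signature')}",
        f"baseline  {cell(rec.baseline, 'signature present', 'benign-control · no signature')}",
        f"control   {cell(rec.control, 'fired', 'negative control · passed')}",
        f"verdict   {v}: {reason}",
    ])


REQUEST = "GET /api/spawn?command=id"

# Constructed sample responses (not captured from any real system).
CONFIRMED_RECORD = ReproductionRecord(
    request=REQUEST,
    target="uid=0(root) gid=0(root) groups=0(root)\n",
    baseline="<html><body><h1>Spawn API</h1><p>Pass a command parameter.</p></body></html>",
    control='{"error": "unknown command"}',
)

# A false positive: the endpoint's help text shows example `id` output on every
# response, so the "signature" appears in the baseline and control as well.
COINCIDENCE_RECORD = ReproductionRecord(
    request=REQUEST,
    target="Example output: uid=0(root) gid=0(root)",
    baseline="Example output: uid=0(root) gid=0(root)",
    control="Example output: uid=0(root) gid=0(root)",
)

LEAD_RECORD = ReproductionRecord(request=REQUEST)

if __name__ == "__main__":
    for rec in (LEAD_RECORD, CONFIRMED_RECORD, COINCIDENCE_RECORD):
        print(render(rec), end="\n\n")
```

The point of the two control probes is visible in the second record: a scanner that only checks the target response would report it, while the baseline check shows the same text is served regardless of the payload and the record is rejected before it reaches a report.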

Exhibit 03 / 10 · How it works

You authorise it. We do the rest.

No tool to install, no scanner output to interpret. Four steps, start to report.

01

Scope & authorise

We confirm you own the domain and agree a written scope and authorisation. No scan runs without it.

02

We test your live site

We actively test your application from the outside — the way an attacker would — paced so it won't disrupt you.

03

We confirm what's real

We reproduce every genuine vulnerability, remove the false positives, and score it. You get proof, not guesses.

04

Report & debrief

You receive an Auto Alpha Advisory report and a 30-minute call to walk the findings and prioritise the fixes.

Operator-run, not an unattended bot pointed at the internet — one of the reasons the findings are trustworthy and the scan is safe to run against a live site.

Exhibit 04 / 10 · Scope — stated plainly

What we test — and, just as plainly, what we don’t.

A scope you can trust is worth more than a claim you can’t. The limits are in every report we deliver.

Covered — external, black-box

  • Confirmed SQL injection & XSS, with proof-of-concept
  • SSRF & cloud-metadata exposure
  • Remote code execution & command injection
  • Security-header & TLS posture
  • Vulnerable client-side libraries & exposed secrets

Not covered — needs source or a manual test

  • Server-side secrets in your environment
  • Supply-chain / dependency analysis (needs your repo)
  • Business-logic flaws (need source or manual testing)
  • A full authorisation matrix beyond the two-identity add-on
  • If you need a PCI/SOC 2 manual pen test — we'll tell you

POPIA §19 doesn’t require a manual pen test — a confirmed scan is right-sized evidence for it. If your requirement specifically calls for a manual test with a signed attestation, we’ll tell you.

Exhibit 05 / 10 · Why us

Why trust a report from us?

01

We prove it, and show our work.

Every confirmed finding is reproduced against your live site, with the evidence attached — you can re-run it yourself. Most scanners hand you one blended list with the false positives buried inside.

02

Built to close your obligation.

Findings are mapped to MITRE ATT&CK, NIST CSF, OWASP and CWE, and framed around POPIA §19 — a document you can hand over and close the item.

03

One accountable operator, not a black box.

Every scan is run by hand, under written authorisation and proven domain ownership — never an unattended bot pointed at the internet. You know exactly who tested your app, and how.

04

Honest about the limits.

We tell you what we don't test, we don't claim to find everything, and we price it in the open. The vendor who tells you what they can't do is the one worth trusting.

Run personally by Matt Owen. Auto Alpha Security is the web-security practice of Auto Alpha Advisory.

Exhibit 06 / 10 · The deliverable

See the report before you buy it.

The same format you receive: exec summary, confirmed findings with proof-of-concept, CVSS, framework references, and the scope-and-limitations section. Judge the work before you buy it.

Download the sample report (PDF) ↓
Deep Scan Report
CONFIDENTIAL
Client
Confirmed · CVSS 9.8 · Critical

Unauthenticated remote code execution

GET /api/spawn?command=id → uid=0(root)
CWE-78 · OWASP A03 · MITRE T1190

Reproduced against the live target; absent in benign-control baseline.

Remediation

Illustrative — generated against BrokenCrystals, a public test app. We never reuse a client’s data.

Exhibit 07 / 10 · How we compare

How a Deep Scan compares.

You have a few honest options — and a Deep Scan isn’t always the right one. Here’s where each fits, including where the others beat us.

Comparison of a manual pen test, enterprise DAST scanner, cheap SaaS scanner, free/DIY tools, and Auto Alpha Security’s Deep Scan across price, findings, framework mapping, and POPIA fit.

                   | Manual pen test                                    | Enterprise DAST scanner                 | Cheap SaaS scanner                       | Free / DIY tools                    | ★ Auto Alpha Security
-------------------|----------------------------------------------------|-----------------------------------------|------------------------------------------|-------------------------------------|--------------------------------------------------------------------
What it is         | A human tester attacks your app by hand            | A platform your team runs continuously  | A subscription you point at your own site | Open-source scanners you run yourself | A done-for-you confirmed scan + report
Who operates it    | The firm's testers                                 | Your security team                      | You / your developer                     | You (needs real skill)              | We do — you just authorise it
What you get       | A deep report + human judgement                    | A dashboard of findings to triage       | A dashboard of alerts to triage          | Raw tool output                     | A reproduced-proof report + 30-min debrief
False positives    | Low (human-checked)                                | Real, despite the marketing             | Real, despite the marketing              | High — you filter them              | Removed before you see the report; confirmed tier is 0-FP by design
Framework mapping  | Usually                                            | Sometimes                               | Rarely                                   | No                                  | Yes, every finding
Typical price (SA) | R35,000 – R360,000+                                | ~R126,000 / year+                       | ~R1,000 – R3,000 / month                 | R0 (+ your time)                    | R8,000 – R20,000 / scan
Turnaround         | Weeks (+ booking queue)                            | Continuous, once set up                 | Continuous, once set up                  | However long you have               | Days
Best for           | Deep, business-logic testing; PCI/SOC 2 sign-off   | Large teams scanning 50+ apps           | Dev teams gating their own CI/CD         | Engineers who can operate them      | An SMB that needs POPIA evidence, done for you
POPIA §19 fit      | Yes (overkill for the need)                        | Yes (if you can run it)                 | Partial (no compliance report)           | You'd build the report              | Right-sized — that's what it's for

Choose a manual pen test when

you need business-logic depth, or a standard (PCI-DSS, some SOC 2 audits) requires a certified human tester. They go deeper than any scan — ours included.

Choose an enterprise scanner when

you have an in-house security team and dozens of apps to scan continuously. Mature and broad — and R126,000+ a year.

Choose a cheap SaaS scanner when

a developer will wire it into your pipeline and act on the results. Cheapest continuous scanning — but you filter the false positives and explain the findings yourself.

Choose free tools when

you have the security skills in-house. A Deep Scan runs the same open-source scanners — what you'd build yourself is the expertise around them.

Choose a Deep Scan when

you don’t have a security team, can’t justify a R100,000 pen test for a POPIA obligation, and need trustworthy evidence — done for you — that your web app has been tested. That’s the gap we’re built for.

Exhibit 08 / 10 · Pricing

Transparent pricing, in rand.

No quote-gate, no sales call to learn what it costs. Most competitors won’t show you a number; here’s ours. Final price within each band depends on the size and complexity of your application.

Deep Scan · once

R8,000 – R20,000

  • Full scan of one web application
  • Confirmed findings, triaged — 0 false positives on confirmed findings
  • AAA-branded PDF report with PoC + remediation
  • MITRE ATT&CK / NIST CSF / OWASP / CWE references
  • 30-minute debrief call
Request a scan

Audit Add-on · once

+R5,000 – R10,000

  • Bolts onto an existing AAA AI-Readiness Audit
  • Same confirmed-findings report
  • Combined remediation roadmap

Monitoring Retainer · monthly

R2,500 – R5,000/month

  • Quarterly re-scan
  • New-finding alerts
  • Remediation tracking

For comparison, a scoped manual web-application pen test in South Africa starts around R35,000 and runs well past R150,000. A Deep Scan is a fraction of that — because it’s automated-first and done for you, not sold by the day. Every package is operator-run, ownership-verified, and covered by a written scope and authorisation before anything is tested.

Exhibit 09 / 10 · Questions

Questions, answered honestly.

How is this different from a scanner I could buy for a few hundred rand a month?

A cheap scanner gives you a dashboard and a stream of alerts to interpret yourself. We run the scan, reproduce each real vulnerability, remove the false positives, map everything to the frameworks your auditor uses, and hand you a finished report plus a debrief. You authorise it; we do the rest. The scanner is a tool — this is the outcome.

Is this a penetration test?

No — and we won’t pretend it is. A manual penetration test puts a human tester on your app to chase business-logic and chained flaws, and it’s genuinely deeper. It also costs R35,000 to R360,000 and takes weeks. A Deep Scan is an automated-first, confirmed vulnerability assessment — right-sized evidence for a POPIA §19 obligation, in days, at a fraction of the price. If you specifically need a manual pen test for PCI-DSS or SOC 2, we’ll tell you.

You're running open-source tools. Why not just run them myself?

You could — the tools are free, and we don’t hide that we use them. The work is what happens after the scan: reproducing each finding, removing the false positives, scoring and mapping them, and producing a report your auditor accepts. That’s expertise and time most small teams don’t have in-house. If you have a security engineer who can do it, you don’t need us.

R8,000 sounds low for a security assessment. What's the catch?

There isn’t one — it’s cheaper because it’s automated-first and done efficiently, not sold by the day like a manual engagement. Every confirmed finding comes with proof you can re-run yourself, so you’re not taking the price on faith.

Will POPIA actually penalise a business my size?

Honestly, there’s no case yet of a small business being fined specifically for web-app security — enforcement so far has focused on government departments and large organisations. But POPIA §19 does require you to take reasonable technical measures, and increasingly it’s your bank, your clients, and your insurer who want proof. This is that proof, before someone makes it a condition.

Will the scan break or slow down my live site?

It’s paced and WAF-aware, run by an operator rather than an unattended bot, and only ever after you’ve proven ownership and signed a written authorisation. We agree timing with you first.

You're new — why should I trust the report?

We’re a new, focused service and we don’t pretend otherwise. Judge us on the work: download the full sample report, see the reproduced proof for every confirmed finding, and check it yourself. Every finding is designed to be independently verifiable — that’s the whole point of proving them.

Exhibit 10 / 10 · Request a scan

Request a scan.

Tell us about your application. We’ll follow up to scope and authorise — we never scan without your written authorisation and proof of domain ownership. Requesting a scan doesn’t start one.

Do you own / control this domain?

Ownership proof and a signed authorisation are required before any scan runs — this protects both of us.