Auto Alpha Security · Case file
A done-for-you web-application security scan that reproduces every confirmed finding against your live site — then hands you the proof, mapped to the frameworks your auditors use.
- 0 false positives on confirmed findings
- 4 frameworks cited per finding
- 1 operator, ownership-verified
Unauthenticated remote code execution
- GET /api/spawn?command=id · payload sent
- uid=0(root) gid=0(root)
- baseline: no signature
- negative control: passed
Illustrative — real findings from our sample scan
You’re already required to protect this data. Can you prove you do?
POPIA §19 requires any business handling personal information to take “appropriate, reasonable technical measures” — and to check they actually work. A security test is how you show it.
And it’s not only the regulator asking. Increasingly it’s your bank, clients, and insurer who want proof your app has been tested before they’ll sign, fund, or cover you. A confirmed scan is that proof.
Over 2,300 data-breach notifications were reported to South Africa’s Information Regulator in 2024/25 — enforcement is shifting from reactive to proactive.
How a finding earns the word Confirmed.
Every finding starts as a lead. Only the ones we can reproduce against your live site — with a clean baseline and a passing control — ever reach your report. Here’s that path, scrubbed against a real finding from our sample scan.
A lead is raised.
A scanner flags a possible command injection on a request parameter. On its own, that's a guess — most tools would hand it to you exactly here, unproven, mixed in with the false positives.
- request: GET /api/spawn?command=id
- target: pending
- baseline: pending
- control: pending
Evidence is gathered.
We send the payload against your live site and read the response. The signature of code execution is present — root's user id comes back. That's evidence, not yet proof: we still have to rule out a coincidence.
- request: GET /api/spawn?command=id
- target: uid=0(root) gid=0(root) ✓ signature present
- baseline: pending
- control: pending
The finding is confirmed.
We re-run it against a benign-control baseline where the flaw shouldn't fire, and a negative control that should fail. The baseline stays clean, the control passes, the exploit reproduces. Now it's Confirmed — with the proof attached, so you can re-run it yourself.
- request: GET /api/spawn?command=id
- target: uid=0(root) gid=0(root) ✓ signature present
- baseline: benign-control · no signature ✓ absent
- control: negative control ✓ passed
- references: CWE-78 · OWASP A03 · MITRE T1190 · NIST PR.PS
Illustrative — from our sample report against a public test app
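The lead → evidence → confirmed path above, written out as a decision rule. This is an added example, not the vendor's tooling: it classifies already-captured response bodies (constructed here, modelled on the sample finding) and assumes the baseline is the same request with no payload and the negative control is a variant that cannot execute, both of which must lack the execution signature.

```python
"""Three-gate confirmation rule for a scanner lead (added example, not the vendor's tooling)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Signature of command execution for the page's sample finding: output of `id`.
# Requiring both uid=…(…) and gid=…(…) avoids matching a page that merely mentions "uid".
SIGNATURE = re.compile(r"\buid=\d+\([^)]*\)\s+gid=\d+\([^)]*\)")


@dataclass
class Verdict:
    status: str                                # "lead", "evidence" or "confirmed"
    gates: dict = field(default_factory=dict)  # gate name -> passed?, for the report


def signature_present(body: str) -> bool:
    return SIGNATURE.search(body) is not None


def classify(target: str, baseline: Optional[str] = None,
             control: Optional[str] = None) -> Verdict:
    """target   : response body to the payload request (GET /api/spawn?command=id)
    baseline : body of the same request with no payload (assumed: flaw must not fire)
    control  : body of a variant expected to fail (assumed: a command that cannot run)
    A gate left as None is still pending, so the lead can rise no higher than 'evidence'."""
    v = Verdict("lead", {"target": signature_present(target)})
    if not v.gates["target"]:
        return v                        # scanner guess, nothing observed: stays a lead
    v.status = "evidence"
    if baseline is None or control is None:
        return v                        # remaining gates pending
    # Baseline gate: if the unpayloaded response already carries the signature, the
    # site emits it anyway (e.g. a docs page quoting `id` output): a coincidence.
    v.gates["baseline"] = not signature_present(baseline)
    # Control gate: a request that should fail must not show the signature either.
    v.gates["control"] = not signature_present(control)
    if all(v.gates.values()):
        v.status = "confirmed"
    return v


# Constructed response bodies, modelled on the page's sample finding.
TARGET_BODY = "uid=0(root) gid=0(root) groups=0(root)\n"
BASELINE_BODY = '{"error":"command parameter required"}'
CONTROL_BODY = "sh: 1: no_such_cmd_7f3a: not found\n"

if __name__ == "__main__":
    print(classify(TARGET_BODY, BASELINE_BODY, CONTROL_BODY))
```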
You authorise it. We do the rest.
No tool to install, no scanner output to interpret. Four steps, start to report.
Scope & authorise
We confirm you own the domain and agree a written scope and authorisation. No scan runs without it.
We test your live site
We actively test your application from the outside — the way an attacker would — paced so it won't disrupt you.
We confirm what's real
We reproduce every genuine vulnerability, remove the false positives, and score it. You get proof, not guesses.
Report & debrief
You receive an Auto Alpha Advisory report and a 30-minute call to walk the findings and prioritise the fixes.
Operator-run, not an unattended bot pointed at the internet — one of the reasons the findings are trustworthy and the scan is safe to run against a live site.
What we test — and, just as plainly, what we don’t.
A scope you can trust is worth more than a claim you can’t. The limits are in every report we deliver.
Covered — external, black-box
- Confirmed SQL injection & XSS, with proof-of-concept
- SSRF & cloud-metadata exposure
- Remote code execution & command injection
- Security-header & TLS posture
- Vulnerable client-side libraries & exposed secrets
Not covered — needs source or a manual test
- Server-side secrets in your environment
- Supply-chain / dependency analysis (needs your repo)
- Business-logic flaws (need source or manual testing)
- A full authorisation matrix beyond the two-identity add-on
- If you need a PCI/SOC 2 manual pen test — we'll tell you
POPIA §19 doesn’t require a manual pen test — a confirmed scan is right-sized evidence for it. If your requirement specifically calls for a manual test with a signed attestation, we’ll tell you.
Why trust a report from us?
01
We prove it, and show our work.
Every confirmed finding is reproduced against your live site, with the evidence attached — you can re-run it yourself. Most scanners hand you one blended list with the false positives buried inside.
02
Built to close your obligation.
Findings are mapped to MITRE ATT&CK, NIST CSF, OWASP and CWE, and framed around POPIA §19 — a document you can hand over and close the item.
03
One accountable operator, not a black box.
Every scan is run by hand, under written authorisation and proven domain ownership — never an unattended bot pointed at the internet. You know exactly who tested your app, and how.
04
Honest about the limits.
We tell you what we don't test, we don't claim to find everything, and we price it in the open. The vendor who tells you what they can't do is the one worth trusting.
Run personally by Matt Owen. Auto Alpha Security is the web-security practice of Auto Alpha Advisory.
See the report before you buy it.
The same format you receive: exec summary, confirmed findings with proof-of-concept, CVSS, framework references, and the scope-and-limitations section. Judge the work before you buy it.
Download the sample report (PDF)
Unauthenticated remote code execution
GET /api/spawn?command=id → uid=0(root)
Reproduced against the live target; absent in benign-control baseline.
Illustrative — generated against BrokenCrystals, a public test app. We never reuse a client’s data.
How a Deep Scan compares.
You have a few honest options — and a Deep Scan isn’t always the right one. Here’s where each fits, including where the others beat us.
| | Manual pen test | Enterprise DAST scanner | Cheap SaaS scanner | Free / DIY tools | ★ Auto Alpha Security |
|---|---|---|---|---|---|
| What it is | A human tester attacks your app by hand | A platform your team runs continuously | A subscription you point at your own site | Open-source scanners you run yourself | A done-for-you confirmed scan + report |
| Who operates it | The firm's testers | Your security team | You / your developer | You (needs real skill) | We do — you just authorise it |
| What you get | A deep report + human judgement | A dashboard of findings to triage | A dashboard of alerts to triage | Raw tool output | A reproduced-proof report + 30-min debrief |
| False positives | Low (human-checked) | Real, despite the marketing | Real, despite the marketing | High — you filter them | Removed before you see the report; confirmed tier is 0-FP by design |
| Framework mapping | Usually | Sometimes | Rarely | No | Yes, every finding |
| Typical price (SA) | R35,000 – R360,000+ | ~R126,000 / year+ | ~R1,000 – R3,000 / month | R0 (+ your time) | R8,000 – R20,000 / scan |
| Turnaround | Weeks (+ booking queue) | Continuous, once set up | Continuous, once set up | However long you have | Days |
| Best for | Deep, business-logic testing; PCI/SOC 2 sign-off | Large teams scanning 50+ apps | Dev teams gating their own CI/CD | Engineers who can operate them | An SMB that needs POPIA evidence, done for you |
| POPIA §19 fit | Yes (overkill for the need) | Yes (if you can run it) | Partial (no compliance report) | You'd build the report | Right-sized — that's what it's for |
Choose a manual pen test when
you need business-logic depth, or a standard (PCI-DSS, some SOC 2 audits) requires a certified human tester. They go deeper than any scan — ours included.
Choose an enterprise scanner when
you have an in-house security team and dozens of apps to scan continuously. Mature and broad — and R126,000+ a year.
Choose a cheap SaaS scanner when
a developer will wire it into your pipeline and act on the results. Cheapest continuous scanning — but you filter the false positives and explain the findings yourself.
Choose free tools when
you have the security skills in-house. A Deep Scan runs the same open-source scanners — what you'd build yourself is the expertise around them.
Choose a Deep Scan when
you don’t have a security team, can’t justify a R100,000 pen test for a POPIA obligation, and need trustworthy evidence — done for you — that your web app has been tested. That’s the gap we’re built for.
Transparent pricing, in rand.
No quote-gate, no sales call to learn what it costs. Most competitors won’t show you a number; here’s ours. Final price within each band depends on the size and complexity of your application.
Deep Scan · once
R8,000 – R20,000
- Full scan of one web application
- Confirmed findings, triaged — 0 false positives on confirmed findings
- AAA-branded PDF report with PoC + remediation
- MITRE ATT&CK / NIST CSF / OWASP / CWE references
- 30-minute debrief call
Audit Add-on · once
+R5,000 – R10,000
- Bolts onto an existing AAA AI-Readiness Audit
- Same confirmed-findings report
- Combined remediation roadmap
Monitoring Retainer · monthly
R2,500 – R5,000/month
- Quarterly re-scan
- New-finding alerts
- Remediation tracking
For comparison, a scoped manual web-application pen test in South Africa starts around R35,000 and runs well past R150,000. A Deep Scan is a fraction of that — because it’s automated-first and done for you, not sold by the day. Every package is operator-run, ownership-verified, and covered by a written scope and authorisation before anything is tested.
Questions, answered honestly.
How is this different from a scanner I could buy for a few hundred rand a month?
A cheap scanner gives you a dashboard and a stream of alerts to interpret yourself. We run the scan, reproduce each real vulnerability, remove the false positives, map everything to the frameworks your auditor uses, and hand you a finished report plus a debrief. You authorise it; we do the rest. The scanner is a tool — this is the outcome.
Is this a penetration test?
No — and we won’t pretend it is. A manual penetration test puts a human tester on your app to chase business-logic and chained flaws, and it’s genuinely deeper. It also costs R35,000 to R360,000 and takes weeks. A Deep Scan is an automated-first, confirmed vulnerability assessment — right-sized evidence for a POPIA §19 obligation, in days, at a fraction of the price. If you specifically need a manual pen test for PCI-DSS or SOC 2, we’ll tell you.
You're running open-source tools. Why not just run them myself?
You could — the tools are free, and we don’t hide that we use them. The work is what happens after the scan: reproducing each finding, removing the false positives, scoring and mapping them, and producing a report your auditor accepts. That’s expertise and time most small teams don’t have in-house. If you have a security engineer who can do it, you don’t need us.
R8,000 sounds low for a security assessment. What's the catch?
There isn’t one — it’s cheaper because it’s automated-first and done efficiently, not sold by the day like a manual engagement. Every confirmed finding comes with proof you can re-run yourself, so you’re not taking the price on faith.
Will POPIA actually penalise a business my size?
Honestly, there’s no case yet of a small business being fined specifically for web-app security — enforcement so far has focused on government departments and large organisations. But POPIA §19 does require you to take reasonable technical measures, and increasingly it’s your bank, your clients, and your insurer who want proof. This is that proof, before someone makes it a condition.
Will the scan break or slow down my live site?
It’s paced and WAF-aware, run by an operator rather than an unattended bot, and only ever after you’ve proven ownership and signed a written authorisation. We agree timing with you first.
You're new — why should I trust the report?
We’re a new, focused service and we don’t pretend otherwise. Judge us on the work: download the full sample report, see the reproduced proof for every confirmed finding, and check it yourself. Every finding is designed to be independently verifiable — that’s the whole point of proving them.
Request a scan.
Tell us about your application. We’ll follow up to scope and authorise — we never scan without your written authorisation and proof of domain ownership. Requesting a scan doesn’t start one.