Automated Scanning vs. Human-Led Security Testing
Intruder.io has positioned itself as a "stop breaches before they start" platform since its founding in 2015. It combines vulnerability scanning, attack surface monitoring, and cloud security into a single dashboard aimed at lean security teams. With a 4.8 rating on G2 and over 3,000 customers, it has clearly found an audience.
We are not an Intruder competitor. We are a penetration testing firm. Our clients use Intruder and tools like it for continuous automated scanning, and then they hire us to do what those tools cannot: simulate real attackers, test business logic, chain vulnerabilities together, and find the issues that scanners structurally miss. That gives us a perspective most review sites lack. We see the Intruder reports alongside our own findings, and we can tell you exactly where the overlap ends and the gaps begin.
This is not a hit piece. Intruder does useful things. But it also has real limitations that its marketing does not advertise, and its pricing trajectory raises questions about whether the value proposition still holds. Here is what you need to know.
What Intruder.io Actually Does
Intruder is a cloud-based vulnerability scanner that runs automated checks against your external infrastructure, web applications, APIs, and cloud environments. It uses a combination of scanning engines, including components derived from OpenVAS and ZAP, to identify known vulnerabilities across your attack surface.
Core capabilities
- External infrastructure scanning. Intruder scans your internet-facing systems for missing patches, misconfigurations, exposed services, weak encryption, and known CVEs. It runs over 140,000 checks, which sounds impressive until you realize that number reflects signature count, not testing depth. Each check is a pattern match against a known vulnerability, not an attempt to exploit or verify it.
- Web application scanning (DAST). The platform crawls your web applications and tests for common vulnerabilities like SQL injection, cross-site scripting, and insecure headers. This is dynamic application security testing at a surface level. It catches the obvious issues that any competent scanner would find.
- Cloud security posture management. Intruder integrates with AWS, Azure, and Google Cloud to identify misconfigurations in your cloud environment. Exposed S3 buckets, overly permissive IAM roles, unencrypted storage, publicly accessible databases. These are real risks, and automatic detection of them has genuine value.
- Attack surface monitoring. The platform tracks your external assets and alerts you when something changes: new subdomains appear, services are exposed, or previously closed ports open up. This is useful for organizations that struggle with asset inventory, which is most of them.
- Emerging threat response. When a critical CVE drops, Intruder proactively scans your infrastructure for the specific vulnerability. This is a genuinely valuable feature. The window between CVE disclosure and exploitation is shrinking, and automated checks within hours of disclosure can catch critical exposures before attackers do.
- GregAI. Intruder's AI assistant that helps triage and prioritize findings. It provides remediation suggestions and helps reduce alert fatigue by contextualizing results. This is a reasonable use of AI, though the depth of analysis is limited by the underlying scan data.
What it does well
Credit where it is due. Intruder's onboarding experience is one of the smoothest in the vulnerability scanning space. The UI is clean. The initial scan setup is straightforward. And for organizations that have never run a vulnerability scanner before, the first scan report is genuinely eye-opening. It will find things you did not know were exposed, and that alone justifies the first month's subscription for many teams.
The emerging threat scanning is a real differentiator. Most scanners run on a schedule. Intruder pushes new checks for high-profile CVEs within hours. If Log4Shell happened tomorrow, Intruder would be checking your systems before your next scheduled scan. That speed matters.
The compliance reporting is also useful. Intruder generates reports mapped to SOC 2, ISO 27001, HIPAA, and PCI DSS controls. These are not audit-ready on their own, but they give your compliance team a structured artifact to work with rather than a raw vulnerability dump.
Intruder.io Pricing Breakdown
Intruder's pricing has changed multiple times since 2024, and the trend is consistently upward. Here is where it stands today.
| Plan | Price | Key Features |
|---|---|---|
| Essential | From $149/mo | External scanning, 1 scheduled monthly scan, 11,000+ checks, 2 users |
| Cloud | From $299/mo | Everything in Essential + cloud sync (AWS/Azure/GCP), weekly scans, smart recon |
| Pro | From $499/mo | Full features, internal scanning, unlimited scans, API access, SSL monitoring, unlimited users |
| Enterprise | Custom | Daily scans, asset discovery, dedicated CSM, hybrid pentest add-ons |
A few things to note about this pricing. Each target, meaning each application, server, or IP, requires its own license. A company with 10 external-facing servers and 3 web applications is paying for 13 targets, not one subscription. At the Pro tier, that is $499 per month minimum, and the per-target cost pushes it higher as you scale.
Users on G2 and Gartner Peer Insights have increasingly flagged pricing as a concern. Reviews from the past year describe Intruder as "more expensive than competitors" and "not startup-friendly." This is a meaningful shift from its earlier positioning as an accessible tool for small teams.
The per-target pricing model creates a perverse incentive. The more assets you discover you need to protect, the more you pay. This discourages the comprehensive asset coverage that good security requires. A platform that charges you more for having better visibility into your own attack surface is working against your security goals.
Where Intruder Falls Short
This is the section that matters most. Every vulnerability scanner has limitations, and Intruder's are not unique to it. But they are real, and understanding them is the difference between using the tool effectively and having a false sense of security.
No business logic testing
This is the single biggest limitation, and it applies to every automated scanner, not just Intruder. Business logic vulnerabilities are flaws in how your application works, not flaws in the code it is built with. Can a user modify their order total by manipulating a client-side parameter? Can they access another user's data by changing an ID in the URL? Can they skip a payment step by navigating directly to a confirmation page?
These are the vulnerabilities that cause real damage, the ones that lead to data breaches and financial loss. And no scanner can find them because they require understanding what the application is supposed to do, not just what it does. A scanner sees a form submission that returns a 200 status code and moves on. A human tester asks "should this user be able to submit this form with these values?" That question requires context that automation does not have.
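The two flaws in the paragraph above, a client-supplied order total and a payment step that can be skipped, side by side with a handler that closes them. This is an added illustration, not Intruder's code or code from this page's author; the catalog, the in-memory order store and the handler names are made up for the example. Note that a scanner replaying the vulnerable handler sees a 200 either way; only a tester who asks "should this request have succeeded?" sees the problem.

```python
"""Business-logic flaw: a checkout handler that trusts client-supplied totals
and payment state, beside a hardened version that derives both server-side.
Added example, not Intruder's or the page author's code. CATALOG, ORDERS and
the handler names are constructed for the illustration."""
from dataclasses import dataclass

# Constructed sample data: a price list and an order store the server owns.
CATALOG = {"sku-100": 4999, "sku-200": 1500}   # prices in cents
ORDERS = {}


@dataclass
class Order:
    owner: str
    items: dict            # sku -> quantity
    paid: bool = False
    confirmed: bool = False


def create_order(owner, items):
    oid = f"ord-{len(ORDERS) + 1}"
    ORDERS[oid] = Order(owner=owner, items=dict(items))
    return oid


def server_total(order):
    """The only total that matters: recomputed from the catalog every time."""
    return sum(CATALOG[sku] * qty for sku, qty in order.items.items())


def record_payment(order_id, amount_cents):
    """Payment-provider callback: marks the order paid only if the amount
    equals the server-side total, so a tampered checkout form cannot underpay."""
    order = ORDERS[order_id]
    if amount_cents == server_total(order):
        order.paid = True
    return order.paid


# --- Vulnerable: total and payment state come from the client -------------
def confirm_order_vulnerable(request, order_id):
    """Flaw 1: charges whatever request['total'] says (client-side parameter).
    Flaw 2: the confirmation route never checks that payment happened, so
    navigating straight here skips the payment step. Returns 200 regardless."""
    order = ORDERS[order_id]
    order.confirmed = True
    return {"status": 200, "charged": request.get("total")}


# --- Hardened: the server is the single source of truth -------------------
def confirm_order_hardened(request, order_id, session_user):
    """Ignores any client-supplied total, binds the order to the session's
    user, and refuses to confirm until the payment callback has run."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        return {"status": 404}        # same answer as "no such order": no enumeration
    if not order.paid:
        return {"status": 402, "error": "payment required"}
    order.confirmed = True
    return {"status": 200, "charged": server_total(order)}


if __name__ == "__main__":
    oid = create_order("alice", {"sku-100": 2})
    print("vulnerable:", confirm_order_vulnerable({"total": 1}, oid))
    oid = create_order("alice", {"sku-100": 2, "sku-200": 1})
    print("hardened, unpaid:", confirm_order_hardened({"total": 1}, oid, "alice"))
    record_payment(oid, server_total(ORDERS[oid]))
    print("hardened, paid:", confirm_order_hardened({"total": 1}, oid, "alice"))
```

The hardened handler answers 404 rather than 403 for someone else's order so that order IDs cannot be enumerated, and it returns 402 for an unpaid order so that a direct navigation to the confirmation step is visible in logs as a distinct event.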
Limited SPA and API coverage
Modern web applications are built as single-page applications with JavaScript-heavy frontends and REST or GraphQL APIs on the backend. Intruder's web scanning engine struggles with SPAs because it cannot fully render and interact with JavaScript-driven UIs the way a browser-based tester would. API endpoints that require authentication, specific request sequencing, or complex payloads are similarly undertested.
If your application was built in the last five years, there is a good chance it uses a frontend framework like React, Vue, or Angular talking to a backend API. Intruder's coverage of that architecture is shallow compared to what a manual penetration test would cover.
Asset discovery restricted to Enterprise
This is one of Intruder's most puzzling product decisions. Asset discovery, the ability to automatically find subdomains, services, and infrastructure you did not know about, is only available on the Enterprise tier. On Essential, Cloud, and Pro plans, you must manually add every target. You have to know what exists before you can scan it.
The entire value proposition of attack surface management is discovering assets you do not know about. Shadow IT, forgotten staging environments, developer test servers, acquired company infrastructure. These are the assets that attackers find and exploit because your team does not know they exist. Locking asset discovery behind the most expensive tier means the teams that need it most, smaller organizations with less visibility, cannot access it.
False positives from underlying engines
Intruder's scanning is built on top of established open-source engines including OpenVAS and ZAP. These are solid tools, but they produce false positives. Intruder adds a prioritization layer on top, and GregAI helps with triage, but the underlying signal-to-noise ratio is inherited. Teams that lack security expertise to distinguish real findings from false positives will waste time investigating issues that do not exist.
In our experience reviewing Intruder reports alongside our own pentest findings, approximately 15-25% of medium-severity findings in a typical Intruder scan are false positives or informational findings reported at a higher severity than warranted. That is not unusual for automated scanners, but it is a cost that is rarely discussed in pricing conversations.
No authentication bypass or privilege escalation testing
Intruder can check whether your login page is vulnerable to brute force or whether your session cookies lack the Secure or HttpOnly flags. It cannot test whether your role-based access control actually works. Can a regular user access admin endpoints? Can a user in Organization A view data belonging to Organization B? Can an authenticated user escalate their privileges by modifying a JWT claim?
These are the authentication and authorization vulnerabilities that appear in nearly every penetration test we conduct, and they are invisible to automated scanners. The scanner does not understand your permission model. It does not know that User A should not be able to see Data B. It checks for technical vulnerabilities in the authentication mechanism, not logical flaws in the authorization model.
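The three questions above are what a tester actually runs: replay every object ID with the other tenant's token, and resubmit a token whose role claim was edited without re-signing. The harness below does both against a toy API that can be switched between a weak mode (decodes the JWT without checking the HMAC, treats "logged in" as "authorized") and a strict mode. It is an added example, not Intruder's code or this page's author's code; the API routes, the two tenants, the HS256 helper and the secret are constructed for the illustration.

```python
"""Authorization checks a scanner cannot make: tenant isolation and whether
the server verifies a JWT's signature before trusting its claims. Added
example, not Intruder's or the page author's code. The toy API, its routes,
RECORDS and SECRET are constructed for the illustration."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-server-secret"   # in production this comes from a secret store


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims, key=SECRET):
    """Minimal HS256 JWT: header.payload.signature, all base64url."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def parse_claims(token, verify):
    """Returns the claims, or None if verify=True and the HMAC does not match."""
    header, body, sig = token.split(".")
    if verify:
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
    return json.loads(b64url_decode(body))


# Constructed data: two tenants with one record each, plus an admin-only route.
RECORDS = {"rec-1": {"org": "org-a", "data": "A's invoices"},
           "rec-2": {"org": "org-b", "data": "B's invoices"}}


def api(route, token, strict):
    """Toy API returning an HTTP status. strict=False models two real-world
    flaws at once: the JWT signature is never checked, and any authenticated
    caller may read any record (the org claim is never compared)."""
    claims = parse_claims(token, verify=strict)
    if claims is None:
        return 401
    if route == "/admin/users":
        return 200 if claims.get("role") == "admin" else 403
    if route.startswith("/records/"):
        rec = RECORDS.get(route.rsplit("/", 1)[-1])
        if rec is None:
            return 404
        if strict and rec["org"] != claims.get("org"):
            return 403
        return 200
    return 404


def tamper_claim(token, **changes):
    """Tester's move: edit a claim in the payload and keep the original signature."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.update(changes)
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"


def run_authz_checks(strict):
    """Differential test. For every record, request it with the *other*
    tenant's token; then probe the admin route with a forged role claim.
    Returns the list of failed checks; a correctly built system returns []."""
    tokens = {"org-a": sign_jwt({"sub": "alice", "org": "org-a", "role": "user"}),
              "org-b": sign_jwt({"sub": "bob", "org": "org-b", "role": "user"})}
    failures = []
    for rec_id, rec in RECORDS.items():
        for org, tok in tokens.items():
            if org != rec["org"] and api(f"/records/{rec_id}", tok, strict) == 200:
                failures.append(f"IDOR: {org} read {rec_id} of {rec['org']}")
    forged = tamper_claim(tokens["org-a"], role="admin")
    if api("/admin/users", forged, strict) == 200:
        failures.append("privesc: unsigned role change accepted")
    return failures


if __name__ == "__main__":
    print("weak server:", run_authz_checks(strict=False))
    print("strict server:", run_authz_checks(strict=True))
```

The point of the differential structure is that every request is one the application legitimately serves to someone; nothing in the request is malformed, so there is no signature for a scanner to match. The only input that distinguishes a pass from a failure is knowledge of which tenant owns `rec-1`, which is exactly the context the text says automation lacks.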
No chained vulnerability analysis
Real-world breaches rarely happen because of a single vulnerability. They happen because an attacker chains together three or four individually minor issues into a critical exploit path. An exposed internal API endpoint combined with a verbose error message that leaks database schema combined with a SQL injection in an admin-only parameter. Each one alone is a medium. Together, they are a critical path to your database.
Automated scanners test vulnerabilities in isolation. They report each finding as a standalone issue with a standalone severity. They cannot reason about how vulnerabilities interact. A penetration tester's value is exactly this: connecting dots that no individual scan check can see.
Intruder.io vs. Penetration Testing: What Each Covers
This is not an either-or decision for mature security programs, but understanding what each approach covers helps you invest appropriately.
| Testing Area | Intruder.io | Penetration Testing |
|---|---|---|
| Known CVEs | Strong (140k+ checks) | Covered as part of recon |
| Infrastructure misconfig | Strong | Covered in depth |
| Cloud misconfig | Good (AWS/Azure/GCP) | Covered with context |
| OWASP Top 10 (basic) | Partial (XSS, SQLi, headers) | Full coverage |
| Business logic flaws | Not covered | Primary focus |
| Auth bypass / privesc | Not covered | Extensive testing |
| API security (deep) | Limited | Full methodology |
| Chained exploits | Not covered | Core capability |
| SPA / JS-heavy apps | Limited | Full browser-based testing |
| Continuous monitoring | Yes (daily to monthly) | Point-in-time (quarterly/annual) |
| Emerging threat checks | Proactive (within hours) | On next engagement |
| Compliance reporting | Automated | Detailed pentest report |
The pattern is clear. Intruder excels at breadth and continuity. It checks a large number of known issues across your infrastructure on an ongoing basis. Penetration testing excels at depth and creativity. It finds the issues that require human reasoning, application context, and attack simulation that no signature-based check can replicate.
The verdict
Intruder is a monitoring tool, not a security assessment. It tells you whether your doors are locked. A penetration test tells you whether someone can pick the locks, find an unlocked window, or convince an employee to let them in through the front door.
Automated Scanner
- Known CVEs
- Missing patches
- Config issues
- Open ports
- Not covered: business logic, auth bypass, chained exploits
Penetration Tester
- Everything above
- Business logic
- Auth bypass
- Chained exploits
- Privilege escalation
- API depth testing
- Creative attack paths
Who Intruder.io Works For
Despite the limitations, there are specific scenarios where Intruder delivers real value.
Companies with zero vulnerability scanning today. If you have never run a vulnerability scanner, Intruder's first scan will almost certainly find issues worth fixing. Exposed services you forgot about, missing patches, misconfigured TLS, open ports that should be closed. Going from zero visibility to some visibility is the single highest-impact security improvement most companies can make.
Compliance checkbox needs. If your auditor requires evidence of continuous vulnerability scanning for SOC 2, ISO 27001, or PCI DSS, Intruder generates reports mapped to those frameworks. The reports are not a substitute for a penetration test, which PCI DSS requires outright and which SOC 2 and ISO 27001 auditors routinely ask for, but they satisfy the scanning control.
Small teams without dedicated security staff. If your engineering team is also your security team, an automated scanner provides baseline visibility that you would otherwise not have. It is not a replacement for security expertise, but it surfaces the lowest-hanging fruit.
Continuous monitoring between annual pentests. The strongest use case for Intruder is filling the gap between penetration testing engagements. Your pentest happens once or twice a year. Intruder watches your attack surface every day in between. New assets deployed, new vulnerabilities disclosed, configurations that drift. This layer of continuous visibility complements periodic manual testing well.
Who Intruder.io Does Not Work For
Companies that think scanning replaces pentesting. If your plan is to use Intruder instead of hiring a penetration testing firm, you are accepting a fundamentally incomplete security assessment. Automated scanning and manual testing cover different threat surfaces. One does not replace the other. PCI DSS requires both explicitly, and SOC 2 and ISO 27001 auditors expect to see evidence of each.
Organizations with modern SPA architectures. If your application is a React or Angular frontend with a REST or GraphQL API backend, Intruder's web scanning coverage will be limited. You will get infrastructure findings, but the application-layer testing will miss the vulnerabilities that matter most.
Companies with complex API ecosystems. If your business runs on APIs, microservices, and service-to-service authentication, Intruder's scanning depth is insufficient. API security testing requires authenticated scanning, request chaining, schema analysis, and business logic validation that automated tools cannot provide.
Fast-growing startups watching costs. The per-target pricing model means your scanning costs grow with your infrastructure. A startup that goes from 5 targets to 50 targets in a year will see a corresponding increase in Intruder costs. Combined with the recent price increases, the total cost of ownership is harder to predict than the landing page suggests.
Intruder.io vs. Alternatives at a Glance
Intruder competes in a crowded market. Here is how it stacks up against other common options in the vulnerability scanning space.
| Feature | Intruder.io | Qualys VMDR | Tenable |
|---|---|---|---|
| Target Market | SMB / lean teams | Mid-market / enterprise | Mid-market / enterprise |
| Starting Price | ~$149/mo | ~$200/mo (per asset) | ~$3,500/yr (65 assets) |
| Asset Discovery | Enterprise tier only | Included | Included (ASM add-on) |
| Internal Scanning | Pro tier and above | Yes (agent-based) | Yes (Nessus agents) |
| Cloud Integrations | AWS, Azure, GCP | AWS, Azure, GCP + more | AWS, Azure, GCP + more |
| Integrations | 15+ | 50+ | 50+ |
| Ease of Setup | Very easy | Moderate | Moderate to complex |
| Best For | Getting started quickly | Enterprise vulnerability mgmt | Exposure management at scale |
Intruder's advantage is simplicity. It is easier to set up and use than Qualys or Tenable. Its disadvantage is depth and scale. Enterprise teams will outgrow it, and the per-target pricing becomes less competitive as your infrastructure grows.
What We Recommend
Here is the approach we recommend to our clients, and it is the same approach we would recommend to any organization trying to build a mature security posture.
Use automated scanning for continuous visibility. Whether it is Intruder or another scanner, running automated checks on a continuous basis catches the known vulnerabilities, misconfigurations, and exposed assets that change between manual assessments. This is table stakes for any security program. Pick the scanner that fits your budget and infrastructure, run it consistently, and actually fix what it finds.
Use penetration testing for depth. Quarterly or annual penetration testing by a qualified firm covers everything that automated scanning cannot: business logic, authentication bypass, privilege escalation, chained exploits, and creative attack paths that require human reasoning. This is where you find the vulnerabilities that actually lead to breaches, the ones that make headlines.
Use attack surface management for discovery. Continuous attack surface monitoring that discovers assets you did not know about, tracks changes to your external footprint, and alerts you when something new appears. This layer sits between scanning and testing. It ensures you know what you have before you try to secure it.
Do not confuse any single tool with a security program. Intruder is a tool. A penetration test is an engagement. An attack surface monitor is a service. None of them alone constitutes a security program. A security program is the people, processes, and technology working together to identify, prioritize, and remediate risk. Tools feed into that program. They do not replace it.
Our clients who get the best results use automated scanning for breadth, penetration testing for depth, and attack surface management for discovery. Each layer catches things the others miss. The cost of all three together is still a fraction of a single data breach, which averaged $4.88 million globally in IBM's 2024 Cost of a Data Breach report.
The Bottom Line
Intruder.io is a competent automated vulnerability scanner with a clean UI, fast onboarding, and genuinely useful emerging threat detection. It is a reasonable choice for small to mid-size teams that need to get continuous scanning running quickly without enterprise complexity.
It is not a penetration test. It is not an attack surface management platform on lower tiers. It is not a complete security assessment. And its pricing trajectory raises legitimate questions about long-term value as the per-target model scales with your infrastructure.
If you are evaluating Intruder, ask yourself two questions. First: what will this tool actually find that I cannot find with a free or lower-cost alternative? The answer is not nothing: the UI, prioritization, and emerging threat detection have real value, but it is worth quantifying before committing to a multi-year contract. Second: am I using this in addition to penetration testing, or instead of it? If the answer is "instead of," you have a gap in your security program that no scanner can close.
The companies that avoid breaches are not the ones with the most expensive scanning tools. They are the ones that understand what automated tools can and cannot do, and invest accordingly in both technology and human expertise.
Need What Scanners Cannot Provide?
Automated scanning catches known vulnerabilities. Penetration testing finds the business logic flaws, authentication bypasses, and chained exploits that scanners structurally miss. We deliver pentest reports ready for SOC 2, ISO 27001, and PCI DSS auditors.