"I wish Burp didn't have a Scanner. I might pay $25 more for a branded version of Burp that specifically didn't have that feature, so I could reassure clients I wasn't ever using it."
Tell me, how do you expect to find MOST instances of SQL Injection or XSS without using tools? Do you manually tamper with every cookie parameter? Unless Matasano has better tools and releases them publicly, then I am interested in hearing about them.
My gosh. Actually understand every cookie parameter, instead of running some tool to generate a list of obvious SQL injection vulnerabilities? Next they'll say they actually base64-decode every cookie too. How do they find time to sleep?
We automate lots of things. We just don't automate things that remove judgement from testers.
I've been a vuln researcher since 1995 and so have my partners. I was a lead dev on the industry's second commercial vulnerability scanner (Ballista), and Jeremy worked at ISS on the first. I think we know what we're talking about. Here is what we've learned: when you give a smart tester a tool that purports to find "low hanging fruit" vulnerability X, testers get worse at finding vulnerability X on their own. They subconsciously lean on the tool. They make assumptions about what kind of vulnerability the tool will find that they shouldn't waste time looking for. They gradually start getting worse at finding even the clever variations of X.
So the challenge is to find ways to eliminate drudgery (for instance, in comparing large numbers of responses from a web app to a run of different metacharacter input vectors across every parameter) without introducing things that degrade tester judgement.
Burp Intruder: Fine (though we do better internally for some things). Burp Scanner: Not Fine.
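The response-comparison drudgery mentioned in the thread ("comparing large numbers of responses from a web app to a run of different metacharacter input vectors across every parameter") can be automated without producing a verdict. The sketch below is an added example, not code from the thread or from Matasano; the function names, record fields and sample responses are all constructed for illustration. It only groups responses by shape and leaves the interpretation to the tester.

```python
import hashlib
import html
import re
from collections import defaultdict

def fingerprint(status, body, vector):
    """Reduce a response to a comparable shape: status plus hash of normalized body."""
    text = body
    if vector:
        escaped = html.escape(vector)
        if escaped != vector:
            text = text.replace(escaped, "\x00ENC\x00")  # input came back HTML-encoded
            text = text.replace(vector, "\x00RAW\x00")   # input came back unencoded
        else:
            text = text.replace(vector, "\x00ENC\x00")   # nothing to encode: same shape
    text = re.sub(r"\d+", "0", text)                      # drop counters, timestamps, ids
    text = re.sub(r"\s+", " ", text).strip()
    return status, hashlib.sha256(text.encode()).hexdigest()[:12]

def triage(baseline, responses):
    """Return groups of (param, vector) whose shape differs from baseline, rarest first."""
    base_fp = fingerprint(baseline["status"], baseline["body"], baseline["vector"])
    groups = defaultdict(list)
    for r in responses:
        key = fingerprint(r["status"], r["body"], r["vector"])
        groups[key].append((r["param"], r["vector"]))
    outliers = [members for fp, members in groups.items() if fp != base_fp]
    return sorted(outliers, key=len)

# Constructed sample data, not captured from any real application.
BASELINE = {"param": "q", "vector": "abc", "status": 200,
            "body": "Results for abc: 3 hits at 12:01"}
RESPONSES = [
    {"param": "q", "vector": "<", "status": 200, "body": "Results for &lt;: 0 hits at 12:02"},
    {"param": "q", "vector": '"', "status": 200, "body": "Results for &quot;: 7 hits at 12:02"},
    {"param": "sort", "vector": "<", "status": 200, "body": "Results for <: 3 hits at 12:03"},
    {"param": "q", "vector": "'", "status": 500, "body": "Internal Server Error"},
    {"param": "sort", "vector": "'", "status": 500, "body": "Internal Server Error"},
]

if __name__ == "__main__":
    for members in triage(BASELINE, RESPONSES):
        print(len(members), members)
```

The output is a short list of response shapes that differ from the baseline, rarest first, with no classification attached; responses that differ only in counters, timestamps or an encoded echo of the input collapse into the baseline group.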