> I wish Burp didn't have a Scanner. I might pay $25 more for a branded version of Burp that specifically didn't have that feature, so I could reassure clients I wasn't ever using it.
* which is why we don't charge billable hours to run off-the-shelf tools that our clients could just run themselves,
* I addressed why we don't "augment" with scanners downthread (shortened answer: it's a slippery slope to testers just running scanners),
* Our scoping and rates are dead square in the middle of the market, so if scanners are helping other firms deliver projects more cheaply than us, I don't think the savings are being passed along. (We also don't double- or triple- book consultants on multiple projects, and we don't pay overtime.)
I upvoted you, because while I thought that was a pretty snide way to ask the question, I sure am happy to get to say over and over again how our projects aren't just Burp Scanner results. :)
Well I don't want to turn this into a company-specific debate, so I'm just addressing the position that running burp's scanner or sqlmap is "low quality". I have a few issues with that position and your justifications.
I wouldn't bill a client for running a scan on them. I would start a scan and do manual testing at the same time, focusing on more intelligent attacks and understanding the application. By the time I am done, the scan would typically kill off a significant number of buggy parameters that I now don't have to test because I already know they're vulnerable. For some projects, this can be quite substantial. Beyond creating a POC and documenting the issue, I now don't have to spend billable hours on all of that.
The fact that scans consistently find a lot of bugs tells you that clients aren't running tools themselves. They don't know the tools, don't understand the results, don't know how to use them beyond point-and-click. They don't know how to set up macros that validate the session and re-log in, etc.
Although it sounds good to say that they aren't paying you to just run a scanner, the reality is no other reputable testers are doing that either.
Yeah, it was a bit snide, but you were scoffing at testers who do use scanners, and I genuinely think not using them (properly) is a colossal waste of time.
I wouldn't want to restate a whole bunch of points I made downthread (we think scanners degrade manual testing, we're not opposed to automation but instead only to automation that actually flags findings, we grind up the bones of candidates to fertilize the fungus we use for our pentest "trips", &c).
It would be fun to have this debate somewhere that wasn't 10 comments deep into an old thread.
I don't actually know you, or who you work for, so please don't think I could be calling you out as a bad tester. We just don't test with automated scanners. We're not the only shop that doesn't use scanners. It's just the way we work.
Huh? Do you like wasting clients time/money?