by athenot
3182 days ago
> Do these scanners ever work?

Yes they do. But you have to have a process to triage what the scanners produce, and have a team whose job it is to keep the ops/dev side accountable. They are quite useful when scanning all the internal parts of a datacenter. There's a fair amount of nitpicking but it helps weed out the obvious (like installing some open source package which defaults to some bad cipher for SSL, or leaving internal links unencrypted under the pretext that it's "safe behind the firewall"). Often, though, the issues flagged by the scanner trigger deeper conversations about security. That's where the real value is, but that requires an organizational culture that actually cares about security. Instead, many companies just throw money at the problem of "security" and consider that the scanner will fix all their issues with zero effort.