Why Choose a 20-Year Veteran Over a Startup Pentester

Sherlock Forensics is led by Ryan Purita, a CISSP, ISSAP and ISSMP certified security consultant with 20+ years of experience. He has served as a court-qualified expert witness in 7 cases and appeared on CBC Marketplace three times as a national cybersecurity expert. Penetration tests at Sherlock Forensics start at $1,500 CAD for quick audits, $5,000 CAD for standard pentests and $12,000 CAD for comprehensive assessments including internal network testing via ShadowTap.

Scanners Do Not Find Business Logic Flaws

Automated scanners are good at finding known vulnerabilities in known software. They check for outdated libraries, missing headers and common injection patterns. Every pentest firm runs them. The output is functionally identical regardless of who pushes the button.

The difference between a junior tester and a veteran is what happens after the scanner finishes. Business logic flaws, the vulnerabilities that actually cost companies millions, do not show up in automated scans. They require a human who has seen thousands of applications and understands how real attackers think.

Example from a recent engagement: A fintech application had passed two previous pentests from different firms. Both reported "no critical findings." We found that the password reset flow accepted any valid email address, generated a token and sent it to the provided email. The token was valid for any account, not just the one that requested the reset. This meant any user could reset any other user's password by intercepting their own reset token and replaying it against a different account. No scanner catches this. It requires understanding the application's intended behavior and testing whether the implementation matches.
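The reset flaw described above comes down to one missing binding: the server checked that a token existed, not which account it belonged to. The following is an added example (not Sherlock Forensics' code, and not the fintech application's) showing the flawed design beside a hardened one; the user store, account names and `TOKEN_TTL_SECONDS` are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed reset-token lifetime


def fresh_users():
    # Constructed sample accounts (not real data).
    return {
        "alice@example.com": {"id": 1, "password": "old-alice"},
        "bob@example.com": {"id": 2, "password": "old-bob"},
    }


class VulnerableResetFlow:
    """The pattern from the engagement: the token proves only that *some*
    reset was requested. The caller names the target account, so a token
    issued for one account works against any other."""

    def __init__(self, users):
        self.users = users
        self.valid_tokens = set()

    def request_reset(self, email):
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.valid_tokens.add(token)
        return token  # in a real app this is emailed to `email`

    def reset_password(self, target_email, token, new_password):
        # Defect: no check that `token` was issued for `target_email`.
        if token in self.valid_tokens and target_email in self.users:
            self.users[target_email]["password"] = new_password
            self.valid_tokens.discard(token)
            return True
        return False


class HardenedResetFlow:
    """Each token is bound to one user id, stored only as a SHA-256 digest,
    expires, and is single-use. The account is derived from the token, so
    the caller cannot choose whose password changes."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # token digest -> (user_id, expires_at)
        self.clock = time.time  # injectable for expiry testing

    def request_reset(self, email):
        user = self.users.get(email)
        if user is None:
            # Same outcome as for a known address; the caller learns nothing.
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user["id"], self.clock() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Compare against every pending digest in constant time.
        match = None
        for stored in self.pending:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        user_id, expires_at = self.pending.pop(match)  # single-use
        if self.clock() > expires_at:
            return False
        for record in self.users.values():
            if record["id"] == user_id:
                record["password"] = new_password
                return True
        return False
```

The hardened endpoint signature (`reset_password(token, new_password)`) is the real fix: there is no target parameter to tamper with. Hashing stored tokens, expiry and single use are the usual accompanying controls.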

Court-Admissible Documentation Is Not Optional

Most pentest reports are written for developers. They list findings, provide screenshots and suggest fixes. This is fine if nothing goes wrong.

When something does go wrong, when a breach occurs, when a lawsuit is filed, when a regulator comes knocking, you need documentation that holds up under cross-examination. You need a report that was written by someone who has actually been cross-examined.

Ryan Purita has been qualified as an expert witness in 7 court cases in British Columbia. His forensic reports have been entered as evidence in civil and criminal proceedings. Every pentest report from Sherlock Forensics is written with the same forensic rigor, because you never know which engagement will end up in front of a judge.

What court-admissible documentation looks like:

  • Timestamped evidence collection with hash verification
  • Clear chain of custody documentation
  • Methodology section that can withstand Daubert or Mohan challenges
  • Findings described in language a judge and jury can understand
  • Separation of facts from opinions with explicit basis for each conclusion
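The first two items in that list, timestamped collection with hash verification and chain of custody, are concrete enough to show in code. The following is an added illustration, not Sherlock Forensics' tooling: it builds an evidence manifest recording a SHA-256 digest, size and UTC acquisition time per file, appends custody events, and re-verifies the files later. The file names, collector identity and sample log content are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large evidence files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def utc_now():
    # Always UTC, ISO 8601, so timestamps compare cleanly across systems.
    return datetime.now(timezone.utc).isoformat()


def add_custody_event(manifest, actor, action, note=""):
    """Append a chain-of-custody entry; entries are never edited, only added."""
    manifest["custody"].append(
        {"at": utc_now(), "actor": actor, "action": action, "note": note}
    )
    return manifest


def collect_evidence(paths, collector):
    """Record path, size, SHA-256 and acquisition time for each item."""
    manifest = {
        "collected_at": utc_now(),
        "collector": collector,
        "items": [],
        "custody": [],
    }
    for path in paths:
        manifest["items"].append(
            {
                "path": os.path.abspath(path),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
                "acquired_at": utc_now(),
            }
        )
    add_custody_event(manifest, collector, "acquired", "initial acquisition")
    return manifest


def verify_manifest(manifest):
    """Return a list of (path, reason) for every item that no longer matches."""
    failures = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            failures.append((item["path"], "missing"))
        elif sha256_file(item["path"]) != item["sha256"]:
            failures.append((item["path"], "hash mismatch"))
    return failures


def demo():
    """Constructed scenario: collect one log file, then modify it and re-verify."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "access.log")  # constructed sample file
    with open(log_path, "w") as fh:
        fh.write("2024-01-01T00:00:00Z GET /login 200\n")  # constructed line
    manifest = collect_evidence([log_path], "examiner@example.invalid")
    clean = verify_manifest(manifest)  # expected: []
    with open(log_path, "a") as fh:
        fh.write("appended after collection\n")
    add_custody_event(manifest, "examiner@example.invalid", "verified", "post-transfer check")
    return clean, verify_manifest(manifest), json.dumps(manifest)
```

The manifest is plain JSON so it can itself be hashed, signed and attached to the report; any later edit to an evidence file shows up as a digest mismatch rather than having to be argued from memory.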

A startup pentest firm might produce a clean PDF with colorful charts. A veteran produces documentation that survives a courtroom.

Auditor-Ready Reports Save You Months

If you are pursuing SOC 2, PCI DSS, ISO 27001 or any compliance framework, your pentest report will be reviewed by auditors. Auditors have specific expectations about scope, methodology, finding classification and remediation evidence.

A report that does not meet auditor expectations gets sent back. You either pay for a second pentest or spend weeks going back and forth trying to get the original tester to add the missing sections. We have seen this pattern dozens of times from clients who come to us after a failed audit.

What auditors expect that startup pentesters often miss:

  • Explicit scope definition that matches the system description in the SOC 2 report
  • Methodology section referencing industry standards (PTES, OWASP, NIST SP 800-115)
  • CVSS scoring for every finding, not just "High/Medium/Low"
  • Remediation verification (retest evidence, not just recommendations)
  • Statement of limitations and exclusions
  • Tester credentials and qualifications

Every Sherlock Forensics pentest report includes all of these elements because we know exactly what auditors look for. We have delivered reports for SOC 2 Type I and Type II, PCI DSS Requirement 11.3 and ISO 27001 Annex A.12.6. None have been rejected.

Three Appearances on CBC Marketplace Is Not Marketing

Ryan Purita has appeared on CBC Marketplace three times as a cybersecurity expert:

  • November 2005: "Sc@mmed" - investigation into online scams and consumer fraud
  • March 2007: "Can You Hack It?" - demonstrated vulnerabilities in consumer technology
  • March 2010: "Who's Minding the Store?" - investigation into retail data security

He has also appeared on Global National with Kevin Newman, CTV Steele on Your Side, Breakfast Television CityTV and been quoted in the Globe and Mail Report on Business, National Post, Vancouver Sun and ComputerWorld Canada.

CBC does not invite people on national television without vetting their credentials. These appearances represent independent third-party validation of expertise, not paid advertising or self-published content.

Credentials That Actually Mean Something

Ryan Purita holds three of the highest certifications issued by ISC2, the world's largest cybersecurity professional organization:

  • CISSP - Certified Information Systems Security Professional. The baseline certification for senior security professionals. Requires 5 years of experience and ongoing continuing education.
  • ISSAP - Information Systems Security Architecture Professional. A CISSP concentration in security architecture. Requires demonstrated expertise in designing secure systems.
  • ISSMP - Information Systems Security Management Professional. A CISSP concentration in security management. Requires demonstrated expertise in managing security programs.

Holding all three is uncommon. Most penetration testers hold OSCP or CEH, which are technical certifications focused on exploitation. The CISSP/ISSAP/ISSMP combination means Ryan understands not just how to break into systems but how to architect and manage the security programs that protect them. This perspective produces pentest reports that include strategic recommendations, not just a list of bugs.

What 20 Years of Pattern Recognition Looks Like

After two decades of security consulting, you develop an intuition for where vulnerabilities hide. You recognize architectural patterns that produce exploitable weaknesses. You know which questions to ask during scoping that reveal the real attack surface, not just the one the client thinks they have.

Patterns a veteran recognizes immediately:

  • When a client says "we use JWT for auth" and you know to check for algorithm confusion, missing expiration and key leakage in client-side code
  • When a multi-tenant SaaS uses sequential IDs and you know IDOR is almost guaranteed
  • When a company built their app with AI coding tools and you know to check for hardcoded secrets, hallucinated dependencies and missing input validation
  • When an e-commerce site processes payments and you know to test for price manipulation, coupon abuse and race conditions in checkout
  • When a company has a "forgot password" flow and you know to test for account enumeration, token predictability and rate limiting bypass

A junior tester follows a checklist. A veteran follows the evidence.

The Bottom Line

You can hire a startup pentest firm and get a scanner output with a logo on it. Or you can hire someone who has been doing this since before most startup pentesters graduated from high school.

Sherlock Forensics delivers penetration tests that find the vulnerabilities scanners miss, produce documentation that survives courtrooms and satisfy auditors on the first submission. Pricing starts at $1,500 CAD for a quick audit.

Order a Penetration Test