Security Assessment
DRAFT
7 min read

Security Assessment for Custom Applications

Why standard security assessments miss the risks that matter most in bespoke technology — and what a proper assessment of custom applications looks like.

23 March 2026

Reviewed 29 March 2026


DRAFT — This article is in progress. Content is placeholder only.

Off-the-shelf security tools are built for the average case. They scan for known vulnerabilities, check common misconfigurations, and compare your systems against standardised benchmarks. That is useful — but it misses something critical for businesses running bespoke technology: the risks that are specific to your system, your architecture, and your business logic. Those risks do not appear in a CVE database, and no automated scanner will find them.


What generic security assessments cover — and what they miss

Most automated security tools work by pattern matching: they look for known vulnerability signatures, compare configuration against hardened baselines, and flag deviations. This is genuinely useful for catching common mistakes. What it cannot do is understand your system. It does not know that your platform anonymises genomic data before sharing it with researchers, or that your payment integration has a custom reconciliation step that creates a specific type of risk, or that three of your microservices share an authentication token in a way that creates an unusual attack surface.

The risk of assuming generic coverage is enough

Businesses that build custom applications tend to rely on their distinctiveness as a competitive advantage. The same distinctiveness that makes your platform valuable is what makes generic security assessments insufficient. Your competitors might use the same cloud infrastructure and the same web frameworks, but your business logic is yours. And that is where the real risk often lives.

What a proper assessment of custom applications looks like

A good assessment of a custom application starts with understanding the system from the inside: what it does, who uses it, what data it handles, and what the business impact would be if different parts of it were compromised. That understanding then drives a structured threat assessment — working through who might want to attack it, what they could do, and how the system's specific design either helps or hinders them. The output is a prioritised view of risks that is specific to this application, not a generic list that could apply to any web platform.

Sector-specific considerations

Custom applications carry different risk profiles depending on the sector they operate in. A genomic data platform faces different regulatory requirements and different threat actors than an IoT device firmware stack. A financial services platform handling payment reconciliation has different compliance obligations than a government trusted research environment. A good assessment takes sector context seriously — the threat model of your system is shaped by who your adversaries are and what they want.

Questions to ask a potential assessor

When evaluating a security assessor, ask how they approach systems they have not seen before. The answer tells you a lot. A good assessor starts by understanding your business — not by running a scanner. Ask what their output looks like: if it is a long list of CVEs with no business context, that is a warning sign. Ask how they work with your team: the best assessments are collaborative, not delivered as a black-box report.


If you are building custom applications, a generic security assessment is not enough. The risks that matter most in bespoke technology are specific to your system — and finding them requires expertise in your architecture, your sector, and your threat model, not just a scanner pointed at a URL.

About the author
Jonny Tyers, Founder & Managing Director

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
