OPINION // 2026-03-11
Scanners audit code. Attackers audit surfaces.
The categorical gap between SAST/SCA tooling and external attack-surface reality — and what is in the gap.
The category error
Most security tooling sold to engineering teams in 2026 operates on code. Static analysis reads code. Composition analysis reads dependency manifests. Secret scanners read repositories. Container scanners read images. Cloud-config checks read declared infrastructure.
This is excellent tooling. It catches a category of problem: things that are wrong in code that the team controls. The category is large, and the tooling is mature.
The category does not include what attackers actually look at first.
An attacker does not begin with the source. The attacker begins with the surface — what is published, what is indexed, what is fetched without authentication, what is recoverable from an artefact's history. The surface is downstream of the code. It is the residue the code left in the world. It is the dataset the team did not realise was a dataset.
This essay is about the gap between code-shaped tooling and surface-shaped reality, and why a Labs audit lives in the gap.
What is in the gap
Five categories of exposure that scanners typically do not catch, in approximate frequency order.
Historical artefacts. A scanner reads latest. The surface contains every tag the team ever pushed. The credential the team rotated out of the repository is still in tag prod-2024-08-15. The scanner does not read prod-2024-08-15. The attacker does.
Cross-namespace identity correlation. The leaked credential is on Docker Hub, in a namespace. The repository that consumes it is on GitHub, under a different organisation name. The deployment role is in AWS, with a third name. A scanner sees one namespace at a time. A surface audit reads the three together and finds the connection.
Indirect exposure through third-party manifests. A vendor publishes a public Docker image for their open-source product. The client builds on top of it for a private use. The vendor's image contains a token. The client's image inherits it. No scanner the client owns reads the vendor's image; the client does not consider the vendor's image part of their surface. The attacker does.
Sourcemap reconstruction. The production JavaScript bundle ships with a sourcemap that the team forgot to disable. The bundle reconstructs to original source — with comments, with feature-flag names, with internal API endpoint constants. No SAST tool reads the published bundle; SAST reads the source. The reconstruction is the exposure.
Public CI/CD residue. A workflow run from six months ago published an artefact ZIP that contains the full build directory, including the lockfile with proxy credentials. The retention default is 90 days; the run is still there at 80 days; the artefact is still publicly downloadable. No scanner reads workflow-artefact storage; the team does not consider it part of the surface.
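As an added example (not code from this essay or from Labs), here is a defender-side check for the sourcemap case above: run against a bundle you publish, it reports whether the advertised map is publicly served and embeds original source, and what that source gives away. It assumes the caller supplies the bundle text and a fetcher for the map URL; the sample bundle and map are constructed.

```javascript
// Added example, not code from the essay: audit a published JS bundle for the
// sourcemap-reconstruction exposure. Defender-side use: run it against bundles
// you publish to see what an unauthenticated reader of the same URL gets.
const SOURCEMAP_RE = /\/\/[#@]\s*sourceMappingURL=(\S+)/;

// Return the sourcemap URL a bundle advertises, or null if it advertises none.
function findSourceMapUrl(bundleText) {
  const m = SOURCEMAP_RE.exec(bundleText);
  return m ? m[1] : null;
}

// Inspect a v3 sourcemap. Reconstruction is only possible when the map embeds the
// original text in sourcesContent; a map carrying source names alone leaks far less.
function auditSourceMap(mapJson) {
  const map = JSON.parse(mapJson);
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  const exposedFiles = [];
  sources.forEach((name, i) => {
    const text = contents[i];
    if (typeof text !== "string") return; // name only, no original source embedded
    // Rough signals of what the reconstructed source reveals: line comments (this
    // also matches the "//" inside URLs, a deliberate over-approximation) and quoted
    // root-relative paths, which are usually internal endpoint constants.
    const comments = (text.match(/\/\/.*$/gm) || []).map((s) => s.trim());
    const endpoints = (text.match(/["'`]\/[\w./-]+["'`]/g) || []).map((s) => s.slice(1, -1));
    exposedFiles.push({ name, comments, endpoints });
  });
  return { reconstructable: exposedFiles.length > 0, exposedFiles };
}

// fetchMap(url) stands in for an HTTP GET of the map relative to the bundle URL;
// it returns the map text, or null when the map is not publicly served.
function auditBundle(bundleText, fetchMap) {
  const url = findSourceMapUrl(bundleText);
  if (url === null) return { sourceMapUrl: null, reconstructable: false, exposedFiles: [] };
  const mapJson = fetchMap(url);
  if (mapJson === null) return { sourceMapUrl: url, reconstructable: false, exposedFiles: [] };
  return { sourceMapUrl: url, ...auditSourceMap(mapJson) };
}

// Constructed sample: a minified bundle that still points at its map, and a map
// that embeds two original files (the situation the essay describes).
const SAMPLE_BUNDLE = "!function(){fetch(\"/internal/api/v2/billing\")}();\n//# sourceMappingURL=app.min.js.map";
const SAMPLE_MAP = JSON.stringify({
  version: 3,
  file: "app.min.js",
  sources: ["src/api.ts", "src/flags.ts"],
  sourcesContent: [
    "// TODO: remove once the legacy billing endpoint is retired\nexport const BILLING_URL = '/internal/api/v2/billing';\n",
    "export const FLAGS = { newCheckout: true };\n",
  ],
  mappings: "AAAA",
});
console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE, (u) => (u === "app.min.js.map" ? SAMPLE_MAP : null)), null, 2));
```

A `reconstructable: true` result is the finding; the fix is to stop shipping the map (or serve it only to authenticated tooling), not to scrub the comments.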
Why scanners do not (and should not) cover this
The natural objection is: surely scanners should expand to cover the surface.
Two reasons they have not, and probably should not.
1. The surface is not a database, it is a graph. Scanner architecture optimises for "read this artefact, apply rules, emit findings." Surface audit optimises for "read these artefacts together, build the cross-reference, follow the chain, decide the impact." The cross-reference and the chain are the work. A scanner that tried to cover them would stop being a scanner and start being a consulting engagement with a UI in front.
2. The judgement cost is too high to scale. A finding in the surface is conditional ("if this credential is active and that role is what it claims to be, then..."). The conditionality requires reasoning, and the reasoning requires context the scanner does not have. A scanner that tried to express the reasoning would either produce mountains of low-confidence noise or hide the reasoning behind a confidence score that buyers cannot defend.
The reasonable architecture for this market is: scanners for code, audit firms for surfaces. The two compose. Neither replaces the other.
What this means for the buyer
If a CISO has a full scanner stack and zero surface audit, the question to ask is not "do my scanners cover everything?" The question to ask is "what classes of exposure are not in the scanner's category at all?" The answer is the list above plus the long tail.
A Labs Discovery Brief — 3 days, single surface, one critical finding documented in full — is calibrated as a diagnostic for this question. The output answers, for a specific organisation, whether the surface is currently producing exposures that the scanner stack does not see. If yes, the buyer has a real reason to commission a Board-Ready audit. If no, the buyer has a defensible "scanner coverage is sufficient" finding to bring to the board.
Both outcomes are useful. The diagnostic is honest about both.
Where the "AI replaces audit firms" pitch fails
The market has a recurring pitch: a large-language model can read the entire surface and produce the same audit a firm produces, at a fraction of the cost.
The pitch is partially correct. An LLM can read a surface. It can find candidate exposures. It can produce a draft impact statement.
What an LLM cannot currently do, in our experience running four of them every day against this work:
- Stop at the right rung on the evidence ladder. LLMs over-claim when reasoning produces a plausible chain that turns out to be wrong on inspection.
- Hold the line against probing. LLMs offered the option to "verify" a credential will accept the option enthusiastically. The discipline of "never test" is not a model capability; it is an engagement discipline.
- Sign an attestation. The legal weight of a signature requires a named human professional who is reachable, accountable, and who can be sued. LLMs cannot be sued. They can be retrained.
This is why Labs sells AI-Alliance Challenging as a protocol — a structured way to use LLMs to make the founder's audit better — rather than as an AI audit firm. The framing matters. An AI audit firm is a category that does not exist yet, regardless of marketing language to the contrary.
What this argues for
A reasonable CISO budget allocation for external-surface risk in 2026:
- 70 % scanner-stack tooling (SAST, SCA, secret scanning, container, CSPM)
- 20 % surface audit (a Board-Ready audit annually, or Continuous Assurance if regulated)
- 10 % red-team / authorised offensive testing (separate provider, separate contract)
The proportions vary by industry and risk profile. The structure is stable: scanners are necessary and insufficient; surface audit closes a real gap; red-team validates the closure under authorisation.
If the current allocation is 100 % scanner-stack and 0 % surface audit, the buyer is currently uncovered against the most common adversary first-step. That is the diagnosis. The treatment is a 3-day brief.
AUTHOR
BleedWatch Labs founder
Founder-led research from the same auditor of record who signs Labs engagements. Specific client references and prior research identifiers are shared under reciprocal NDA when relevant.