March 5, 2008

Web application scanners: how big is the coverage?

Filed under: Information — Grace @ 10:47 am

Ha.ckers.org posted a report on tests of web application scanners conducted by a programmer whose identity is confidential, comparing how efficiently the scanners cover a web application's code base.

In many respects, the report generated quite a stir. Recent reviews looked at a statistic that compares scanners in a more quantifiable way. Some users commented that it is not right for vendors to assert that their web scanners were not made to be “point and shoot apparatus”. They even added that a human should teach the scanner about each web app that he is going to use it on. I think they have wronged the users by making that assumption.

A scanner should do as much as it can on its own, leave humans to do their own testing, and help point testers to areas of interest.
