Vulnerability management and scanning systems combine a number of techniques to assess the risk faced by a business. The best way to check for the vulnerability is to actually probe the application. Custom Web applications, for example, will generally not be able to be assessed using a patch-level check. Exploitation, however, can result in system instability, a danger that causes many companies to be wary of active probes. By automating the exploitation process, a company can turn attack research into defense.”]
Source: https://www.darkreading.com/application-security/web-application-testing-using-real-world-attacks