When we speak about security regarding production platforms, we heavily rely on security scanners, many exist, and they all do a fantastic job in helping identify security issues (miss configurations, credentials, cve, ...).But as powerful as they can be, we should not blindly trust them anyway. There are parts of the picture that security scanners don't even know about, so how can they help us secure them? Throughout this talk, I am to share experiences about security scanners of all types, pros and cons, and most importantly, how to efficiently fill the gap and cover the complete picture of the production platform to provide the highest security level continuously.