Clarification on API support

To add to this:

The scope of the scanner (or rather, of the NASL scripts) is currently to find “known vulnerabilities in known software” (e.g. as defined by CVEs, vendor advisories about vulnerabilities and similar).

Detection of “unknown” / not published vulnerabilities in unknown software (e.g. a custom API) is currently outside of the scope.

Taking the recent CVE-2022-40684 (Fortinet authentication bypass in the REST API of the products) as an example:

  1. The CVE-2022-40684 flaw is detected because there is a VT covering / actively checking exactly this flaw in the REST API.
  2. Running the scanner against the same REST API won’t detect any additional, currently unknown flaws in the REST API (e.g. missing authentication on a critical function, …).

For No. 2, a dedicated web application security scanner (WASS) and (depending on the flaw) additional manual work / evaluation are required.