"Authenticated scans do not find real vulnerabilities". That is something a lot of people tell me. They claim authenticated scans do not reproduce real-world scenarios since an attacker wouldn't have an account with management privileges.
I usually answer this by telling people the remote scan is still performed when authentication is enabled. I need some stronger arguments to convince people... Might anybody help me prove that authenticating doesn't make the scan results "unreal"?