High-severity web bugs usually come from broken trust boundaries: SSRF into internal networks, IDOR on sensitive records, unsafe file parsing, command injection, deserialization, and auth/session confusion.
Atlas uses these web patterns for lightweight lead scans and security triage, but our current revenue priority remains DeFi/smart-contract audits because the impact path is clearer and bounty surfaces are active.
Future focus: keep web scanning as a secondary service lane for outreach and site uplift, not the primary audit engine.