There are two types of web-based, website security scanners that I am currently aware of:
- Ones that look for website and web application security defects
- Ones that look for malware hosted on your website
Qualys provides services for both that are fairly standardized, cheap (for what you get), and run-of-the-mill. None of their scanning is very advanced, and it will not target your website or web application like a real hacker would. No scanner is capable of simulating a real hacker. There are a few bots, such as Aprox, that simulate an automated SQL injection attack, but this is only one tool in the toolchain of a modern adversary.
There are some free services, but they are also lackluster:
If the web application you are trying to test, assess, or audit for web application vulnerabilities has a real-world risk classification (i.e. it is under attack, has been under attack in the past, or there is reason to believe that it will be attacked in the future) or data classification (i.e. it services data, or processes/stores/transmits data that is sensitive in nature), then it is in your best interest to contact an Application Security Consulting company. You should prefer working with partners that you have a good referral for and that you have had success working with in the past. It is also good to establish business partners that cater to your specific industry vertical or situation. Most of the good ones are small security boutiques with 5-15 employees/contractors, but if your company is large enough, you might want to choose a larger firm to co-ordinate the work with the smaller firms.
If you are under attack and require help with your incident management, I suggest similar boutiques that specialize in incident response and malware research. You can find more information about what is offered from industry analysts such as Gartner, Forrester Research, etc., but there are also smaller security boutiques that specialize in industry analysis that are certainly worth checking out.