@udomsak
Created June 24, 2015 04:45
I'm not sure which way you want: to learn about the attacker, or how to protect the website. (You should have both.)
1. On the server side - if you want to protect the website.
Use an application firewall like mod_security or NAXSI from the OWASP project (I may have the name wrong). This helps to reduce the risk.
Protect your user permissions and harden the system. Segregate and segment the network hosts to reduce the impact when something occurs.
2. On the server side - if you want to learn how they hack.
Mostly they set up a honeypot server and look at the behaviour and techniques used. So you can learn how to hack in a simple way with the OWASP project named 'owaspbwa', which is made for learning hacking.
3. On the server side - if you want to do monitoring.
Install a host-based intrusion detection system like OSSEC to analyze the logs.
Mostly the attacker will do analysis on the client side using a man-in-the-middle proxy or something like that (Paros proxy, Burp Suite, etc.) to intercept communication. Otherwise they download the website HTML locally or scan the content inside for parameter usage.
A security scanner may give you a lot of false positives and not help much. They have a lot more tools to do fuzzing, but a tool only gives an advantage when you know about the 'Power of the Sword'.