EXPLAINER | SECURITY TESTING
Updated 8 min read

Vulnerability Scan vs Penetration Test: The Actual Difference and When You Need Each

< $5K
Typical cost of a quarterly automated vulnerability scan for a small environment
$15K-40K
Typical cost of a professional external penetration test for a 50-100 person company environment
30%
Of high-severity vulnerability scan findings that are confirmed exploitable after manual penetration testing (varies by environment)
0
New vulnerability types discovered by automated scanners: they only find what is already in their database

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The vendor sales motion conflates vulnerability scanning and penetration testing constantly: because both involve looking for security weaknesses and both produce reports. They are fundamentally different activities that answer different questions, and buying one does not substitute for the other.

The right mental model: vulnerability scanning is reconnaissance. Penetration testing is the attack.

What a Vulnerability Scan Does

A vulnerability scanner sends probes to every system in scope, identifies the software and version running on each port, and compares that information against a database of known CVEs. The output is a list of potential vulnerabilities: systems and services that match patterns associated with exploitable conditions.

What scanning tools actually do:

  • Network port scanning (Nmap-style) to discover open services
  • Service and version fingerprinting to identify software versions
  • CVE database matching to flag versions with known vulnerabilities
  • Configuration checks for common misconfigurations (default credentials, weak cipher suites, missing security headers)
  • Compliance checks against benchmarks (CIS, PCI DSS, DISA STIGs)

What vulnerability scanning does NOT do:

  • Attempt to exploit any finding
  • Verify that a finding is actually exploitable in your specific environment (a software version may match a CVE but your configuration may prevent exploitation)
  • Chain multiple findings together to demonstrate real-world attack impact
  • Find logic flaws, business logic vulnerabilities, or application-specific weaknesses
  • Identify vulnerabilities that do not have a published CVE

What you get from a vulnerability scan: A report listing systems with potential vulnerabilities, sorted by severity (Critical/High/Medium/Low) based on CVSS score, with remediation recommendations. A good scan report gives you a prioritized patch queue. It does not tell you which items on that list would actually result in a breach if left unpatched.

When to scan: At minimum, quarterly for internet-facing assets. Monthly for high-risk environments. After every significant infrastructure change. Scans should be continuous for cloud environments where configuration changes are frequent.

What a Penetration Test Does

A penetration test is a human-led exercise where a skilled security professional: using the same tools and techniques as an actual attacker: attempts to compromise systems and demonstrate real business impact.

What a penetration tester actually does:

  1. Reconnaissance: Passive and active information gathering about the target (OSINT, DNS enumeration, service discovery)
  2. Scanning and enumeration: Running vulnerability scanners, but also manual investigation of discovered services
  3. Exploitation: Attempting to exploit discovered vulnerabilities: not just noting that they exist, but actually running the exploit and observing whether it succeeds
  4. Post-exploitation: Once initial access is achieved, attempting to move laterally, escalate privileges, and access sensitive data: demonstrating what an attacker could actually reach
  5. Reporting: Documenting every finding with: proof of exploitation (screenshots, captured data), the attack chain that led to it, and the business impact (what data was accessible, which systems were reachable)

What a penetration test confirms that a scan cannot:

  • Whether a vulnerability is actually exploitable in your specific configuration (a vulnerability scanner flags a CVE match; a pen tester runs the exploit and confirms it works or does not)
  • What an attacker can actually accomplish after exploiting a vulnerability (access to the file server, exfiltration of the customer database, lateral movement to other systems)
  • Chained attack paths: multiple low-severity findings that together produce a critical-severity outcome
  • Application-specific vulnerabilities (business logic flaws, authorization bypasses, insecure direct object references) that scanners cannot detect because there is no CVE for custom code

What you get from a penetration test: A report with confirmed, exploited findings, proof-of-exploitation evidence, and demonstrated business impact. The critical difference: every finding in a pen test report was confirmed to work. A vulnerability scan report contains findings that might work.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Types of Penetration Tests

Not all penetration tests are the same scope. Understand what you are buying.

External network penetration test: The tester has no prior knowledge of the internal network and attacks from the internet: simulating an external attacker. Scope is internet-facing assets: web applications, VPN endpoints, exposed services. This is the most common type for first-time pen tests.

Internal network penetration test: The tester is given internal network access (simulating a compromised insider or an attacker who has already breached the perimeter) and attempts to move laterally, escalate privileges, and reach critical systems. This type finds Active Directory weaknesses, internal service misconfigurations, and lateral movement paths.

Web application penetration test: Focused exclusively on one or more web applications. Tests for OWASP Top 10 (injection flaws, authentication weaknesses, authorization bypasses, XSS, SSRF, etc.) using both automated tooling and manual techniques. Required for any organization building software that handles sensitive data.

Social engineering test: Simulated phishing, vishing (voice phishing), and physical security tests. Assesses human and process controls rather than technical ones.

Red team exercise: A full-scope, multi-vector attack simulation that combines external network, internal network, social engineering, and physical access techniques in a coordinated campaign that mimics a sophisticated threat actor. More expensive, longer duration, and only valuable for organizations that have already addressed the findings from standard penetration tests.

The Correct Sequencing

Organizations sometimes ask whether to start with a vulnerability scan or a penetration test. The answer is scan first, always.

A penetration test performed against an environment with hundreds of unpatched vulnerabilities produces a report full of low-hanging fruit: the tester will compromise the environment in the first hour via a known-exploited CVE and never reach the interesting architectural weaknesses. You pay expert rates for a tester who spends their time on work an automated scanner could have flagged.

The correct sequence:

  1. Run a vulnerability scan across all in-scope systems
  2. Remediate all Critical and High findings (at minimum, Critical)
  3. Run a second scan to verify remediation
  4. Schedule the penetration test

With known-bad CVEs remediated, the penetration tester can spend their time on the findings that require human expertise: authentication bypasses, logic flaws, privilege escalation paths, and attack chains that automated tools miss.

Customer questionnaire context: When customers ask whether you have had a penetration test, they are asking about a human-led engagement: not automated scanning. 'We run quarterly vulnerability scans' is not an equivalent answer to 'we have a penetration test.' For high-value contracts and compliance requirements (SOC 2, ISO 27001, PCI DSS), the expectation is an annual penetration test by a qualified third party, in addition to ongoing vulnerability scanning.

Selecting a penetration testing vendor:

  • Ask for sample reports from prior engagements: the quality of the report tells you more than the sales pitch
  • Verify the testers hold OSCP, CEH, GPEN, or equivalent certifications
  • Confirm the engagement includes a retest (one free retest of critical findings after remediation is standard)
  • Clarify the rules of engagement: what systems are in scope, what exploit types are permitted, is denial of service testing included or excluded

The bottom line

A vulnerability scan identifies what might be exploitable by matching software versions against CVE databases. A penetration test confirms what is actually exploitable by attempting to exploit it, chain weaknesses together, and demonstrate real business impact. Scans are continuous: run quarterly at minimum. Penetration tests are annual for most organizations. Run scans first, remediate Critical and High findings, then schedule the penetration test. Do not substitute one for the other: they answer different questions and both are required for a mature security program.

Frequently asked questions

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is an automated tool-based process that identifies systems matching known CVE patterns: it tells you what might be exploitable. A penetration test is a human-led exercise where a tester actually attempts to exploit vulnerabilities, chain weaknesses together, and demonstrate what an attacker could accomplish: it tells you what is exploitable and what the business impact is.

Do I need a penetration test if I already run vulnerability scans?

Yes. Vulnerability scans only find known CVEs and cannot confirm exploitability, discover logic flaws, or demonstrate attack chains. Penetration tests confirm which findings are actually exploitable in your specific configuration and show what an attacker can accomplish after initial access. Most compliance frameworks (SOC 2, PCI DSS, ISO 27001) require annual penetration tests in addition to ongoing vulnerability scanning.

What is the difference between a network penetration test and a web application penetration test?

A network penetration test focuses on external and internal infrastructure: network devices, servers, services, and Active Directory. It tests for unpatched CVEs, misconfigurations, and lateral movement paths. A web application penetration test focuses exclusively on your web application and API layer: OWASP Top 10 vulnerabilities, business logic flaws, authentication weaknesses, and authorization controls. Most compliance requirements (PCI DSS, SOC 2) specify which type is required depending on your infrastructure. Organizations with both a public web application and internal infrastructure typically need both.

How often should a company run vulnerability scans?

At minimum: run authenticated vulnerability scans weekly against all internet-facing systems and monthly against internal systems. PCI DSS requires quarterly external scans by an Approved Scanning Vendor (ASV). Increase frequency for internet-facing systems during periods of high CVE activity (e.g., when a major vulnerability like Log4Shell is disclosed). Continuous vulnerability assessment tools like Tenable.io or Qualys can scan continuously and alert on new findings within hours. Do not wait for a scheduled scan: when a critical CVE is published, check your asset inventory and scan affected systems immediately.

What should I do with penetration test findings after the test is complete?

Prioritize findings by risk: Critical and High findings (direct path to sensitive data or domain compromise) require remediation within 30 days; Medium findings within 90 days; Low and Informational findings in the next release cycle. Assign each finding to an owner with a due date. Track remediation in your vulnerability management system, not a spreadsheet. Request a retest from the penetration testing firm to confirm Critical and High findings are fully remediated. Store the penetration test report securely: it is a detailed attack roadmap and must be restricted to need-to-know personnel.

How do you establish a meaningful vulnerability management process when you have no dedicated security staff?

Vulnerability management without dedicated security staff requires automation and clear ownership rules. Start with asset discovery: use your MDM (Intune, Jamf) as the authoritative source for managed endpoints and your cloud provider's asset inventory for cloud resources. Enable vulnerability scanning on these asset sources using tools with built-in ticketing integration -- Qualys, Tenable, or Microsoft Defender Vulnerability Management can automatically create remediation tickets in Jira or ServiceNow when critical CVEs are detected. Define ownership rules in advance: operating system patches are owned by IT, application vulnerabilities are owned by the developer who owns the application, network device firmware is owned by network admin. Without clear ownership rules, findings sit unassigned. Set a policy that auto-closes vulnerabilities after 90 days with a documented exception rather than requiring manual closure of every finding -- this forces a decision without creating perpetual backlog. For cloud infrastructure: enable AWS Security Hub or Microsoft Defender for Cloud with automated remediation (auto-enable S3 block public access, auto-enable encryption at rest for misconfigured resources) to reduce the manual workload. Review the automated exception list quarterly with department heads rather than requiring security review of every individual finding.

Sources & references

  1. NIST SP 800-115: Technical Guide to Information Security Testing
  2. PTES: Penetration Testing Execution Standard
  3. OWASP Testing Guide

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.