The terms vulnerability scanning and penetration testing get used interchangeably, often by people selling one or the other. They describe genuinely different activities, with different costs, different deliverables, and different reasons to commission them.

What a Vulnerability Scan Actually Does

A vulnerability scan is an automated process. A scanning tool sends a series of probes against the target, compares the responses to a database of known issues, and produces a report listing what matched. The work is fast, repeatable, and relatively cheap.

What a Penetration Test Actually Does

A penetration test is a human-led exercise. A skilled tester examines the target, identifies potential weaknesses, attempts to exploit them, and traces what the consequences would be in practice. The deliverable is a report focused on impact.

Where the Two Differ Most

Scanners produce comprehensive coverage and miss nothing they have rules for. Penetration testers produce incomplete coverage by comparison, but find issues no scanner has rules for. A scanner might list two hundred medium-severity issues. A test might tell you that three of those, chained together, give an attacker domain admin in twenty minutes.

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

“Clients sometimes ask why they should pay for penetration testing when their scanner already produces hundreds of findings every quarter. The answer is that the scanner shows them the noise. The test shows them the signal.”

When to Use Which

Scanning works as the day-to-day safety net. Run it continuously against everything you can reach, alert on anything critical, and feed the results into your patching process. Penetration testing works as the periodic deep look.

Why You Need Both

Skipping either creates a known gap. Scanning alone misses business logic flaws, broken authorisation, chained exploits. Testing alone, run only annually, leaves your environment exposed for months as new issues emerge.

Choosing Wisely

Talk to your provider about both services. Ask how they coordinate the two activities, how they integrate findings into your remediation process, and how they handle the transition from automated to manual work.