
When a business owner or IT manager goes looking for security help, they usually come across two terms right away: vulnerability scanning and penetration testing. The way vendors describe them, they sound like close cousins — both involve probing your network for weaknesses, both produce a report. A lot of people assume they're basically the same thing at different price points.

They're not. The difference matters, and getting it wrong means either spending money on testing that won't satisfy your compliance requirement, or paying for continuous scans when what you actually needed was one solid pentest a year ago. This guide explains what each one does, where it falls short, and how to figure out which one applies to your situation.

What Vulnerability Scanning Actually Does

A vulnerability scanner is software. It connects to your systems, runs through a database of thousands of known security flaws, and flags any that it finds in your environment. The database gets updated regularly as new vulnerabilities are disclosed publicly — these are called CVEs (Common Vulnerabilities and Exposures), and they're the industry-standard way of tracking and naming known weaknesses.

When the scan finishes, you get a list. Every system it checked, every CVE it found, and a severity rating for each one. A good scanner will also suggest remediation steps — usually "apply patch X" or "upgrade to version Y."

What Scanning Finds
Known, Published Vulnerabilities

Examples of what a scanner reliably catches:

Scanning is fast, relatively cheap (most platforms run a few hundred to a few thousand dollars per year), and it can run continuously or on a schedule. That's the pitch: always-on visibility into your known risk exposure.

The keyword there is "known." Vulnerability scanners only find what's in their database. They work by pattern-matching — comparing what they see in your environment against a list of things that are known to be bad. Anything that isn't in the list, they miss. Anything that looks fine on the surface but isn't, they miss. Anything that requires actually testing whether a weakness is exploitable, they miss.

A vulnerability scanner is like a spell-checker. It catches mistakes it already knows to look for. It won't tell you whether your argument makes sense.
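To make the pattern-matching mechanism concrete, here is a toy scanner written for this article as an added illustration; it is not the code of any real scanning product. The inventory, the "database" entries, the product names, the hosts and the EXAMPLE-000x flaw IDs are all constructed. It does exactly what the paragraphs above describe: it compares what it sees against a list of known flaws and reports the hits with a severity and a fix, and it stays silent about two hosts whose problems have no signature in the list.

```python
from dataclasses import dataclass

# Toy signature-matching scanner (illustration only; not a real product's code).
# Product names, versions, hosts and the EXAMPLE-000x flaw IDs are constructed.


@dataclass(frozen=True)
class Observation:
    """What enumeration saw on one host: a product and its version string.
    'notes' stands for things a human would notice; the scanner never reads it."""
    host: str
    product: str
    version: str
    notes: str = ""


@dataclass(frozen=True)
class Finding:
    host: str
    flaw_id: str
    severity: str
    remediation: str


# Constructed "known flaw" database: a signature is a product plus the version
# that fixed the flaw. Real scanners carry thousands of such records (CVEs).
KNOWN_FLAWS = [
    {"id": "EXAMPLE-0001", "product": "example-httpd", "fixed_in": "2.2.0",
     "severity": "critical", "fix": "upgrade example-httpd to 2.2.0 or later"},
    {"id": "EXAMPLE-0002", "product": "example-sshd", "fixed_in": "8.2",
     "severity": "high", "fix": "upgrade example-sshd to 8.2 or later"},
]

# Constructed inventory. Two hosts carry problems a human would spot at once,
# but neither problem has a signature in KNOWN_FLAWS.
SAMPLE_INVENTORY = [
    Observation("web01", "example-httpd", "2.1.7"),
    Observation("jump01", "example-sshd", "8.0"),
    Observation("files01", "example-smb", "4.2.0",
                notes="finance share is readable by Everyone"),
    Observation("svc01", "example-sshd", "8.4",
                notes="local admin still uses the vendor default password"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple:
    """'8.0' -> (8, 0, 0); zero-padded so tuples of different lengths compare."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def scan(inventory, database):
    """Compare every observation against every signature. A hit requires the
    same product name and a version below the fixed one; nothing else is
    considered, which is exactly why scanners only find what is 'known'."""
    findings = []
    for obs in inventory:
        for flaw in database:
            if (flaw["product"] == obs.product
                    and parse_version(obs.version) < parse_version(flaw["fixed_in"])):
                findings.append(Finding(obs.host, flaw["id"], flaw["severity"], flaw["fix"]))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host))


def unflagged_hosts(inventory, findings):
    """Hosts the report says nothing about; compare with their 'notes'."""
    flagged = {f.host for f in findings}
    return [obs for obs in inventory if obs.host not in flagged]


if __name__ == "__main__":
    report = scan(SAMPLE_INVENTORY, KNOWN_FLAWS)
    for f in report:
        print(f"{f.severity:8} {f.host:8} {f.flaw_id}: {f.remediation}")
    print("--- hosts the scan report is silent about ---")
    for obs in unflagged_hosts(SAMPLE_INVENTORY, report):
        print(f"{obs.host:8} (a human would note: {obs.notes})")
```

Running it lists web01 and jump01 with their placeholder flaw IDs, then files01 and svc01 as hosts the report never mentions, even though their notes describe an open share and a default password. The scanner is not wrong about anything it reports; it simply has no way to notice what it has no signature for.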

What Penetration Testing Actually Does

A penetration test is a simulated attack conducted by a human. A tester — or a small team — spends days inside your environment doing what an actual attacker would do: mapping out your systems, finding ways in, and then seeing how far they can get once they're there.

The tester uses tools, yes, including vulnerability scanners as one input. But the work is manual and creative. They look at findings in context. They chain low-severity issues together to create a high-severity attack path. They try things the scanner doesn't know to check: weak passwords, overly permissive file shares, accounts with excessive privileges, trust relationships between systems that shouldn't trust each other.

What Pentesting Finds That Scanning Misses
Business Logic and Exploitation Context

Examples of what a skilled tester catches that a scanner won't:

That last point is worth sitting with. We regularly see environments where the scanner comes back relatively clean — most patches applied, nothing critical in the CVE database. Then a human tester spends a day inside and gets to the domain controller in a few hours using nothing but default credentials, an overpermissioned service account, and a trust relationship between two servers that someone set up for convenience years ago.

None of that would appear on a vulnerability scan report. All of it is real risk.
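The chain described above, as an added example that is not part of the original article: a small graph model showing how findings rated low or medium on their own combine into a single path to the domain controller, and which individual remediation severs that path. The hosts, findings and hops are constructed to mirror the scenario in the text, and the rule that any complete path to the target counts as critical is this example's own convention.

```python
from collections import deque

# Illustration added for this article (not a pentest tool's code): how individually
# minor findings combine into one path to a high-value system, and which fixes
# break that path. Every finding, host and hop below is constructed.

# Each finding, taken alone, would be rated low or medium. None has a CVE-style
# signature, so a version-matching scanner would not report any of them.
FINDINGS = {
    "F1": {"desc": "svc01 local admin still uses the vendor default password", "severity": "medium"},
    "F2": {"desc": "svc_backup service account is local admin on svc01 and app01", "severity": "low"},
    "F3": {"desc": "app01 holds a legacy trust to dc01 set up for convenience", "severity": "low"},
    "F4": {"desc": "files01 finance share readable by Everyone", "severity": "low"},
}

# Hops between systems, as (from, to, finding that makes the hop possible).
EDGES = [
    ("internet", "svc01", "F1"),
    ("svc01", "app01", "F2"),
    ("app01", "dc01", "F3"),
    ("internet", "files01", "F4"),
]


def find_path(edges, start, target, remediated=frozenset()):
    """Breadth-first search over hops whose enabling finding is not yet fixed.
    Returns the finding IDs along the shortest path, or None if none remains."""
    adjacency = {}
    for src, dst, fid in edges:
        if fid not in remediated:
            adjacency.setdefault(src, []).append((dst, fid))
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for dst, fid in adjacency.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [fid]))
    return None


def path_rating(path, findings):
    """Contrast the worst individual rating on the path with the rating the
    whole chain deserves: any complete path to the target is treated as
    critical here (this example's rule, not a published standard)."""
    order = ["low", "medium", "high", "critical"]
    worst_single = max((findings[f]["severity"] for f in path), key=order.index)
    return {"worst_individual": worst_single, "chain": "critical"}


def chokepoints(edges, findings, start, target):
    """Findings whose remediation, on its own, severs every path to the target.
    These are the fixes to schedule first."""
    return sorted(fid for fid in findings
                  if find_path(edges, start, target, {fid}) is None)


if __name__ == "__main__":
    path = find_path(EDGES, "internet", "dc01")
    print("path to dc01:", " -> ".join(f"{f} ({FINDINGS[f]['severity']})" for f in path))
    print("rating:", path_rating(path, FINDINGS))
    print("single fixes that break the chain:", chokepoints(EDGES, FINDINGS, "internet", "dc01"))
```

The output shows a three-hop path made entirely of low and medium findings, and that fixing any one of F1, F2 or F3 removes every route to dc01 while F4, an isolated share, does not. That is the value a scan report cannot give you: not just a list of issues, but which ones matter because of how they connect.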

Side-by-Side Comparison

| Factor | Vulnerability Scanning | Penetration Testing |
| --- | --- | --- |
| How it works | Automated tool compares your systems to a known-vulnerability database | Human tester simulates a real attack, manually and creatively |
| What it finds | Published CVEs, common misconfigs with known signatures | Exploitable weaknesses, attack chains, logic errors, human factors |
| What it misses | Anything not in the database, chained vulnerabilities, credential abuse | Nothing inherent — depends on scope and tester skill |
| Typical cost | $500–$5,000/year for a platform | $3,000–$15,000+ per engagement (SMB range) |
| Time to complete | Hours to a day | 3–10 business days, plus reporting |
| Deliverable | CVE list with severity ratings | Narrative report with exploited paths, evidence, and remediation steps |
| Frequency | Continuous, weekly, or monthly | Annual minimum; more for regulated industries |
| Satisfies PCI/HIPAA/SOC 2 pentest requirement | No | Yes |
| Cyber insurance | Helpful but not sufficient for most carriers | Often required for renewal or higher policy limits |

When You Need Vulnerability Scanning

Vulnerability scanning is ongoing hygiene. It belongs in your environment as a continuous check — not because it replaces testing, but because it catches known exposures between tests. If a critical patch drops on a Tuesday and your scanner runs weekly, you'll know about it before your annual pentest in November.

Use Scanning For
Continuous Patch and Exposure Monitoring

Most managed IT providers run some form of vulnerability scanning as part of their standard toolset. If yours does, that's good — it means you have baseline coverage. What it doesn't mean is that you've been tested.

When You Need a Penetration Test

There are four situations where scanning is not enough and you need a real pentest:

You've never had one. If your business has been operating for years and has never been through a penetration test, you have no objective picture of what an attacker can actually do in your environment. Scans might tell you your patches are current. They won't tell you that your IT team accidentally left an admin share open, or that your network is completely flat, or that your VPN accounts have never been audited. The first pentest usually finds things no one expected.

A compliance framework requires it. PCI DSS is explicit: annual internal and external penetration testing is required under Requirement 11.4, plus additional testing after significant infrastructure changes. HIPAA's Security Rule doesn't use the phrase "penetration test," but regulators and auditors treat periodic technical testing as part of the required risk analysis — and in practice, that means pentesting. SOC 2 Type II auditors increasingly expect it under CC7.1 and CC7.2. A vulnerability scan does not satisfy any of these. If your QSA or auditor is asking for pentest documentation, a scan report won't close that gap.

Your environment just changed. Cloud migration, office move, new ERP system, network redesign, acquisition integration — any of these creates new attack surface that your last pentest didn't cover. The right cadence is to test within 90 days of a major infrastructure change, regardless of when the annual cycle falls. We've seen post-migration environments where newly provisioned cloud storage was publicly accessible and no one knew because the scanner was only checking on-premises systems.

Cyber insurance requires it or your coverage depends on it. Carriers have gotten more specific. Many now require annual penetration testing — not just scanning — for policy renewal. Some ask for the actual report. Some price premiums based on testing frequency and documented remediation. If you're renewing soon and haven't had a test, that's worth addressing before your application goes in.

The Argument for Running Both

These aren't mutually exclusive. The realistic answer for most businesses is: run continuous or monthly vulnerability scanning as part of your baseline security operations, and layer in an annual penetration test for the depth of coverage that scanning can't provide.

Scanning keeps you current on patches and known exposures month to month. The pentest gives you a realistic picture of what an attacker could actually do — the kind of thing that only shows up when a human spends time deliberately trying to break in. Understanding what happens during a penetration test makes it easier to scope the right engagement and explain the value to leadership.

If budget forces a choice, the priority depends on where you are in your security maturity. A business that has never been penetration tested and has real compliance obligations should start there. A business with a recent pentest that's looking to maintain visibility between engagements should invest in scanning.

What to Ask Your Security Vendor

If you're evaluating options and a vendor is quoting you something, ask these questions directly:

The answers tell you exactly what you're buying. "Automated scanning with a report" and "manual penetration test with a human tester" are different products at different price points with different outputs. You want to know which one you're getting before you sign.

Frequently Asked Questions

Can a vulnerability scan replace a penetration test?

No. A vulnerability scan identifies known weaknesses by matching your systems against a database of published flaws. It does not attempt to exploit those weaknesses, chain them together, or find logic errors that tools cannot detect. A penetration test does all of that. Most compliance frameworks that require penetration testing will not accept a vulnerability scan as a substitute.

How much does a vulnerability scan cost compared to a penetration test?

Vulnerability scanning tools typically run $500 to $5,000 per year depending on the platform and the size of your environment. A penetration test for a small-to-mid-size business typically costs $3,000 to $15,000 for a scoped engagement. The cost difference reflects the difference in what each delivers: a scan produces a list, a pentest produces proof of what an attacker could actually do.

My IT provider runs monthly scans. Do I still need a penetration test?

Yes, if you have compliance requirements, cyber insurance obligations, or haven't had one before. Monthly scans are good hygiene and should continue. But they won't catch misconfigurations that aren't in a CVE database, stolen credentials being used legitimately, flawed access control logic, or the ways an attacker can chain low-severity findings into a serious breach. Those gaps require a human tester.
