Penetration test vs vulnerability assessment.

Vulnerability assessment (often called a vulnerability scan or VA). An automated tool examines a system, compares it against a database of known vulnerabilities, and lists everything that matches. The list is usually long and varies in confidence. The tool does not attempt to exploit anything. Examples include commercial enterprise scanners, the major open-source options, and our own BugDazz Autonomous product among others.

Penetration test. A security professional examines a defined system, runs automated scanners as one part of the engagement, then attempts to use the findings the way a real attacker would. The output is a report of what was actually exploitable, what could be reached through chaining, and what business-logic flaws no scanner could see.

Side by side, the differences are concrete:

• Who does the work. A scan is automated; the human input is just configuration. A pentest is mostly human; the automated tools are one input among many.
• What is in scope. A scan covers everything the tool can reach. A pentest covers a specific application or environment in depth.
• What is produced. A scan lists known weaknesses by ID. A pentest produces a narrative report with reproducible evidence and business-impact context.
• False positives. Scans produce many; the operator has to dismiss most of them. Pentest findings are confirmed by the tester before they ship.
• Business-logic flaws. Scans find none of them. Pentests find most of the high-impact ones.
• Cost. Scans run from very cheap (open-source) to mid-five-figures annually (enterprise tools). Pentests are project-priced and start higher per engagement.
• Frequency. Scans run continuously. Pentests run annually or per release.

Vulnerability scanning is the right answer when you need:

• Visibility into known weaknesses across the whole estate continuously.
• Compliance evidence that you check for issues regularly (PCI DSS quarterly external scan, for example).
• A signal feed for the security team to triage.
• Patch-management input (what is unpatched, where).

Penetration testing is the right answer when you need:

• Proof of what an attacker could actually achieve.
• Confidence before a launch, a compliance certification, a board review, or a procurement gate.
• Findings against business logic, chained exploits, or novel attack paths.
• A report that auditors, customers, or investors will accept as third-party validation.

Most organisations need both. The scan tells you about the universe of weaknesses; the pentest tells you which of them and which of the ones the scan missed actually matter.

Three reasons we see in the field:

• The same vendor sells both. A vendor pitching their scanning product as a 'pentest' is common. The contract often calls it one thing and delivers the other.
• The compliance language is loose. PCI DSS, SOC 2, ISO 27001, and HIPAA all reference 'penetration testing' but use different definitions and require different evidence. Auditors apply their own interpretation.
• The budget owner is non-technical. A CFO comparing a $5k scan to a $40k pentest sees two activities labelled the same way at very different prices and asks the wrong question.

The fix is to define the deliverable up front. If you need a list of weaknesses with CVE IDs, you want a vulnerability assessment. If you need a report that proves what is exploitable on your specific application, you want a pentest.

A good vulnerability assessment:

• Runs on a schedule (often weekly or continuously).
• Tunes out false positives so the team trusts the output.
• Feeds a triage queue with severity, asset, and patch information.
• Tracks the trend (number of high-severity weaknesses over time).

A good penetration test:

• Is scoped against a defined system with a written agreement.
• Combines automated scanning, manual review, and exploitation.
• Ships findings as they are confirmed, not just at the end.
• Includes a free re-test of fixes within an agreed window.
• Delivers a report that engineering can act on and that auditors will accept.