"We need a pen test" is something I hear frequently from organizations that would actually be better served by a vulnerability scan — or vice versa. The confusion is understandable: both involve testing your systems for security weaknesses. But the similarities end there.
Vulnerability Scanning: Automated, Broad, Continuous
A vulnerability scan is an automated process where a tool (Nessus, Qualys, Rapid7, and others) queries your systems and compares what it finds against a database of known vulnerabilities. The output is a list of potential vulnerabilities, typically with severity ratings (Critical, High, Medium, Low) and remediation recommendations.
What it does well:
- Covers your entire asset inventory quickly
- Identifies known vulnerabilities that have published CVEs
- Can be run continuously or on a schedule
- Is relatively inexpensive to run at scale
What it doesn't do:
- Verify whether vulnerabilities are actually exploitable in your specific environment
- Identify vulnerabilities that require human ingenuity to discover (logic flaws, chained attack paths)
- Simulate what a real attacker would do
- Provide context about business impact
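To make the mechanism concrete, here is a toy version-matching scanner written for this post (an added example, not code from the post or from any of the products named above); the vulnerability database, the product names, the vulnerability identifiers and the asset inventory are all constructed. It shows the lookup a scanner performs and why its output is a list of potential findings: matching a banner version against a database says nothing about whether the issue is reachable or exploitable in your environment, and a service that does not expose its version cannot be assessed at all from the outside, which is the case for authenticated scanning.

```python
"""Toy version-matching vulnerability scanner (added example, not from the post).

It mimics the core loop of a commercial scanner: take the service versions
observed on each asset, look them up in a database of known vulnerable
version ranges, and emit findings with a severity and a remediation. The
database, product names, vulnerability ids and inventory are constructed
for illustration; no real product or CVE is referenced.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str      # constructed identifier, deliberately not a real CVE
    product: str
    fixed_in: str     # versions strictly below this are affected
    severity: str
    remediation: str


# Constructed "known vulnerability" database (hypothetical products/versions).
VULN_DB = [
    VulnEntry("VULN-0001", "acme-httpd", "2.4.50", "Critical", "Upgrade acme-httpd to 2.4.50+"),
    VulnEntry("VULN-0002", "acme-httpd", "2.4.30", "Medium", "Upgrade acme-httpd to 2.4.30+"),
    VulnEntry("VULN-0003", "acme-sshd", "8.0", "High", "Upgrade acme-sshd to 8.0+"),
]

# Banner format assumed here: "<product>/<dotted version>" or just "<product>".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\d+(?:\.\d+)*))?$")


def parse_version(text):
    """Turn '2.4.49' into (2, 4, 49) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """Return (product, version); version is None when the service hides it."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return None, None
    return match.group("product"), match.group("version")


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str
    severity: str
    status: str        # a scanner can only claim "potential", never "exploitable"
    remediation: str


def scan_asset(host, services, db=VULN_DB):
    """Match each (port, banner) pair on one host against the database."""
    findings = []
    for port, banner in services:
        product, version = parse_banner(banner)
        if product is None:
            continue  # unrecognised banner: nothing to compare against
        if version is None:
            # Unauthenticated view cannot see the version: flag it rather than
            # silently reporting the host as clean.
            findings.append(Finding(host, port, "INFO-NO-VERSION", "Low",
                                    "version not observable; run an authenticated scan",
                                    "Provide scan credentials for this host"))
            continue
        observed = parse_version(version)
        for entry in db:
            if entry.product == product and observed < parse_version(entry.fixed_in):
                findings.append(Finding(host, port, entry.vuln_id, entry.severity,
                                        "potential - exploitability not verified",
                                        entry.remediation))
    return findings


def scan_inventory(inventory, db=VULN_DB):
    """Scan every host and return findings ordered by severity, then host and port."""
    findings = []
    for host, services in inventory.items():
        findings.extend(scan_asset(host, services, db))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))
    return findings


# Constructed asset inventory: host -> [(port, banner), ...]
INVENTORY = {
    "10.0.0.5": [(22, "acme-sshd/7.9"), (443, "acme-httpd/2.4.49")],
    "10.0.0.6": [(443, "acme-httpd/2.4.53"), (8080, "acme-proxy")],
}

if __name__ == "__main__":
    for f in scan_inventory(INVENTORY):
        print(f"{f.severity:<8} {f.host}:{f.port:<5} {f.vuln_id:<16} {f.status} -> {f.remediation}")
```

Running it lists a Critical and a High finding for 10.0.0.5 and a Low "version not observable" note for the proxy on 10.0.0.6, each tagged as unverified. That tag is the point: everything after this list, from confirming reachability to chaining findings into an actual path, is the human work the post attributes to penetration testing.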
Vulnerability scanning is a baseline practice. Organizations should be running authenticated scans against their environment regularly — weekly or monthly for critical systems, at minimum monthly for everything else.
Penetration Testing: Manual, Targeted, Periodic
A penetration test is an engagement where skilled human testers attempt to compromise your systems using the same techniques and tools a real attacker would use. Unlike automated scanning, pen testing involves creativity, chaining multiple vulnerabilities together, and thinking like an adversary rather than running through a database.
What it does well:
- Identifies exploitable attack paths, not just potential vulnerabilities
- Demonstrates real business impact ("we got access to your customer database from the internet")
- Surfaces vulnerabilities that automated tools miss — logic flaws, misconfigured permissions, business process weaknesses
- Produces evidence for leadership that "yes, this is actually a problem"
What it doesn't do:
- Replace continuous vulnerability scanning
- Cover everything (scope is always bounded)
- Scale to your entire environment cheaply
A quality external network penetration test from a reputable firm runs $10,000–$40,000 depending on scope. It's a meaningful investment.
Which One Do You Need?
The honest answer: you need both, but the priority depends on where you are.
If you're not running regular vulnerability scans, start there. Scanning is foundational and catches the low-hanging fruit that automated tools are good at finding.
If you're scanning regularly and remediating findings, add penetration testing to validate that your controls actually work and to find what scanning misses. Annual external network pen tests are a reasonable starting point for most organizations.
Specific triggers for pen testing:
- Before launching a customer-facing product or major feature
- After significant infrastructure changes
- As a compliance requirement (PCI DSS, SOC 2, some state regulations)
- Following a security incident, to understand your actual exposure
- Before a merger or acquisition
Types of Penetration Tests
The most common categories:
- External network: Testing what an attacker can access from the internet
- Internal network: Testing what an attacker with internal network access can do (assumes initial compromise)
- Web application: Focused testing of your web applications for OWASP Top 10 and beyond
- Social engineering: Phishing, vishing, and physical access testing
- Red team: Comprehensive, multi-vector adversary simulation over a longer timeframe
Start with external network and web application testing — they cover the most impactful attack surfaces for most organizations.