Penetration Testing vs Vulnerability Scanning: What's the Difference?
A vulnerability scan is an automated tool that flags known weaknesses across your systems. A penetration test is a skilled human who tries to exploit those weaknesses, chain them together and show what a real attacker could actually achieve. Scanning gives you breadth, run often and cheaply. Penetration testing gives you depth and proof, at a point in time. They answer different questions, and most organisations need both.
The terms get used interchangeably in sales pitches, which leads people to buy the wrong thing, or to assume a cheap scan satisfies a contract that demands a full test. Here is the honest distinction, what the standards require, and how to decide between the two.
At a glance
| Vulnerability scanning | Penetration testing | |
|---|---|---|
| What it is | Automated detection of known weaknesses | Human-led simulated attack on your systems |
| How it works | Software checks systems against a database of known issues | A qualified tester uses an attacker’s tools and manual techniques |
| Question it answers | Where might we be exposed? | What could an attacker actually do? |
| Exploitation | No, it only flags issues | Yes, it safely proves real impact |
| Business logic and chained flaws | Rarely, known issues only | Yes, this is where it earns its keep |
| False positives | Common, need human triage | Findings are validated by the tester |
| Speed and frequency | Fast, run continuously or monthly | Point in time, typically annually and after major change |
| Output | A raw list of findings, often long | A prioritised report with impact and remediation |
| Relative cost | Low, subscription or per scan | Higher, priced by scope and effort |
| Best for | Ongoing hygiene and catching new known CVEs | Assurance, compliance and proving resilience |
In short: a vulnerability scan tells you which doors might be unlocked. A penetration test is someone trying the handles, picking the locks, and walking through to see what is on the other side.
What a vulnerability scan does
A vulnerability scanner is an automated tool. It probes your systems, networks or applications and compares what it finds against a database of known vulnerabilities and misconfigurations, then produces a report. Scanners run hundreds or thousands of checks far faster than any human could, which makes scanning cheap enough to run continuously.
Run regularly, that is the backbone of good security hygiene: it catches the newly disclosed CVE, the server that missed a patch window, the storage bucket left open after a deployment. The NCSC positions vulnerability scanning as a routine, ongoing process across patch management, hardening and the software lifecycle, not a one-off event.
What a scan does not do is tell you what any of it means. As NIST puts it in SP 800-115, its Technical Guide to Information Security Testing, an automated scan provides only the raw data. Someone still has to work out what that data means for your business.
What a penetration test does
The NCSC defines it as “a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” NIST SP 800-115 describes it as security testing “in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network.”
The difference from a scan is human creativity. A good tester does not just confirm the scanner’s list. They chain a low-risk misconfiguration to an information leak to a weak credential and turn three findings a scanner rated “medium” into a full compromise. They probe business logic a tool cannot understand: the checkout that lets you set your own price, the password reset that leaks another user’s token, the API that trusts a value it should verify. Then, safely and within an agreed scope, they demonstrate the actual impact rather than the theoretical risk.
The output reflects that. Instead of a raw list, you get a prioritised report: what was exploitable, what an attacker could reach, what it means for your organisation, and what to fix first. At Layer 7 our CREST and Cyber Scheme qualified testers deliver every engagement in-house, and the report is written to be acted on, not filed.
What a penetration test is really for
There is a subtlety here that should change how you buy testing. The NCSC is explicit that “penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.”
The NCSC uses a financial audit analogy. Your finance team tracks spending every day; an external audit periodically confirms those controls are sound. In the same way, “in an ideal world, you should know what the penetration testers are going to find, before they find it.” If a test surprises you badly, the real finding is not the individual vulnerability, it is that your vulnerability management has a gap.
One more limit worth stating plainly: a penetration test can only validate that your systems are not vulnerable to known issues on the day of the test. It is a snapshot. That is precisely why it cannot replace continuous scanning, and why scanning cannot replace it.
What compliance actually requires
This is where buying the wrong one gets expensive. Most standards treat scanning and penetration testing as separate, non-interchangeable requirements.
| Standard | Vulnerability scanning | Penetration testing |
|---|---|---|
| PCI DSS v4.0.1 | Requirement 11.3: internal and external scans quarterly and after significant change, external scans by an Approved Scanning Vendor | Requirement 11.4: internal and external penetration testing at least annually and after significant change |
| Cyber Essentials Plus | Authenticated vulnerability scan of a device sample, as part of the audit | Not required, the audit checks five controls, it is not a penetration test |
The PCI DSS point is the clearest: a passing scan does not prove a penetration test was done, and a penetration test does not replace the required scans. Both are mandatory and neither substitutes for the other.
The Cyber Essentials Plus point catches people out in the other direction. The Plus audit includes a hands-on, authenticated vulnerability scan of a device sample; it is not a penetration test, and you do not need a pen test to certify. If you have been told you need a full penetration test “for Cyber Essentials”, you have been misinformed. For where each level applies, see Cyber Essentials vs Cyber Essentials Plus and our Cyber Essentials Plus certification service.
Which do you need?
Work through these in order:
- Does a contract, tender or standard name one specifically? If it says “penetration test”, a scan will not satisfy it, and vice versa. The requirement decides it. PCI DSS, as above, requires both.
- Do you have any ongoing scanning at all? If not, start there. Continuous scanning and a reliable patch process are the foundation, and they are cheaper and faster than any test.
- Are you launching something new, or making a major change? A web app, a new external service, a cloud migration. That is a penetration test, because logic and design flaws are exactly what scanners miss.
- Do you need to assure a customer, board or regulator? An independent penetration test is the recognised evidence that your defences hold under a real attacker’s pressure.
For most organisations the honest answer is both, in sequence: scan continuously to stay clean, then test periodically to prove it.
How they work together
The two are not rivals. Scanning handles breadth and frequency; testing handles depth and assurance. Done properly, each makes the other more useful.
- Scan continuously. Our continuous vulnerability management service takes care of the routine detection, so new known issues surface within days, not at the next annual test.
- See what an attacker sees. Attack surface management keeps track of the internet-facing assets, including the ones nobody remembered to decommission, so scanning covers your real footprint.
- Prove it with a test. A penetration test then validates that the whole process works, and finds the things automation never could.
Clear the routine, known issues with scanning first, and a penetration test is free to spend its time on the complex problems that genuinely need a human. That is where a test earns its cost.
Talk to a tester
If you are not sure whether you need a scan, a test, or a programme that combines both, tell us what is driving the question, a contract, a launch, a board request, and we will point you to the right one. No upsell to a test you do not need.
Speak to a penetration tester: hello@layer7.uk or see our penetration testing services.
Penetration testing vs vulnerability scanning FAQs
What is the difference between penetration testing and vulnerability scanning? A vulnerability scan is an automated tool that detects known weaknesses across your systems and produces a list. A penetration test is a skilled person who exploits and chains those weaknesses to prove what a real attacker could achieve. Scanning is broad, fast and cheap; testing is deep, point-in-time and higher cost.
Do I need both a vulnerability scan and a penetration test? Usually yes. Scanning is your ongoing hygiene, catching new known issues continuously. A penetration test periodically proves your defences and vulnerability management actually work. The NCSC frames penetration testing as assurance over your scanning and patching processes, not a replacement for them.
Is a vulnerability scan the same as a penetration test for PCI DSS? No. PCI DSS v4.0.1 requires quarterly vulnerability scans under Requirement 11.3 and penetration testing at least annually under Requirement 11.4. Both are mandatory and neither substitutes for the other. A passing scan does not prove a test was performed.
Does Cyber Essentials Plus require a penetration test? No. The Cyber Essentials Plus audit includes an authenticated vulnerability scan of a sample of your devices, but it is an audit against five controls, not a penetration test. You do not need a pen test to certify.
How often should I run each? Run vulnerability scans continuously or at least monthly, and after any change, so new known issues surface quickly. Run a penetration test at least annually and after any significant change, such as a new application or major infrastructure change.
Can a vulnerability scanner replace a penetration tester? No. A scanner only knows about issues already in its database and cannot exploit them, understand your business logic, or chain findings into a real attack. It provides raw data; a human works out what that data means and what an attacker could actually do with it.
Which is more expensive, scanning or penetration testing? Vulnerability scanning is low cost, usually a subscription or per-scan fee, because it is automated. Penetration testing costs more because it is skilled human effort, priced on the size and complexity of what is being tested.