> comparison: vulnerability_scan vs penetration_test —— verdict: they_are_not_the_same_thing
The terms 'vulnerability scan' and 'penetration test' are frequently used interchangeably — by sales teams, in board reports, and even by some IT departments. This is a dangerous conflation. A vulnerability scan and a penetration test are fundamentally different activities that answer different questions, deliver different outputs, and provide different levels of assurance. Confusing them can lead to organisations believing they are tested when they are not.
This matters because some providers sell automated vulnerability scans as 'penetration tests' — at penetration test prices. If you are commissioning security testing, you need to know what you are buying.
| Characteristic | Vulnerability Scan | Penetration Test |
|---|---|---|
| Who performs it | An automated tool (Nessus, Qualys, OpenVAS, or similar). Minimal human involvement beyond configuration and review. | A qualified human tester using a combination of automated tools and manual techniques. The tester's expertise, creativity, and judgement are the primary value. |
| What it does | Scans systems and compares software versions, open ports, and configurations against a database of known vulnerabilities. Identifies potential weaknesses based on pattern matching. | Actively attempts to exploit vulnerabilities — cracking passwords, bypassing authentication, injecting code, escalating privileges. Proves whether vulnerabilities are practically exploitable and demonstrates real-world impact. |
| Depth of analysis | Surface-level. Identifies known vulnerabilities based on signatures. Cannot find business logic flaws, chained attack paths, or issues that require contextual understanding. | Deep. Combines automated discovery with manual analysis to find complex vulnerabilities — logic flaws, access control failures, privilege escalation chains, and misconfigurations that tools alone cannot detect. |
| False positives | High. Scanners frequently report vulnerabilities that are not actually exploitable due to compensating controls, specific configurations, or environmental factors. Requires manual review to filter genuine issues from noise. | Low. The tester verifies each finding by attempting exploitation. If a vulnerability is reported, it has been confirmed as exploitable — or clearly documented as a theoretical risk with specific conditions. |
| Duration | Hours. A typical vulnerability scan runs for one to four hours depending on the number of targets. | Days to weeks. A typical penetration test takes two to ten days depending on scope and complexity. |
| Cost | Low — typically £200 to £1,000 for a one-off scan, or included in managed security service agreements. | Higher — typically £2,000 to £15,000+ depending on scope. Reflects the skilled labour and time required. |
| Deliverable | An automated report listing discovered vulnerabilities with severity ratings from the scanner's database. Often includes generic remediation advice copied from the vulnerability database. | A detailed, manually written report with an executive summary, evidence of exploitation (screenshots, request data), business-impact analysis, and specific, contextual remediation guidance. |
| Compliance value | Supports ongoing vulnerability management but does not satisfy penetration testing requirements in PCI DSS, GDPR, ISO 27001, or most regulatory frameworks. | Satisfies penetration testing requirements across all major compliance frameworks when conducted by a qualified provider. |
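The signature matching described in the table above, as an added example that is not Hedgehog Security's code: a scanner parses a service banner, compares the version against a constructed vulnerability database, and reports only unverified potential findings. Every banner, product name and vulnerability identifier below is a constructed placeholder, not a real advisory.

```python
"""Added illustration of scanner-style version matching and why its output
needs human verification. Signature ids are placeholders, not real CVEs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One entry in a constructed vulnerability database."""
    vuln_id: str      # placeholder identifier
    product: str
    fixed_in: tuple   # first upstream version that carries the fix


# Constructed signature database (placeholder ids, assumed fix versions).
SIGNATURES = [
    Signature("VULN-0001 (placeholder)", "OpenSSH", (8, 5)),
    Signature("VULN-0002 (placeholder)", "nginx", (1, 25, 2)),
]

# Product name, a separator, then a dotted numeric version (e.g. "nginx/1.24.0").
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)[_/ ](?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """'1.24.0' -> (1, 24, 0); tuples compare lexicographically like versions."""
    return tuple(int(part) for part in text.split("."))


def scan_banner(banner: str) -> list:
    """Return *potential* findings for one banner.

    A finding means only that the advertised version is older than the fix
    version in the signature. Nothing here proves the service is exploitable:
    a backported patch or a compensating control is invisible to a banner match,
    which is exactly where scanner false positives come from.
    """
    match = BANNER_RE.match(banner)
    if not match:
        return []   # unparseable banner: a scanner reports nothing, not "safe"
    product = match.group("product").lower()
    version = parse_version(match.group("version"))
    return [
        {"id": sig.vuln_id, "banner": banner, "verified": False}
        for sig in SIGNATURES
        if sig.product.lower() == product and version < sig.fixed_in
    ]


# Constructed banners. The second advertises an old version yet may carry a
# vendor backport of the fix; only manual verification can settle that.
SAMPLE_BANNERS = ["OpenSSH_9.3p1", "OpenSSH_8.4p1 Debian-5+deb11u3", "nginx/1.24.0"]
```

Running `scan_banner` over `SAMPLE_BANNERS` yields two potential findings, both flagged `verified: False`; the penetration tester's job starts where this output ends.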
A vulnerability scan is like walking around a building and noting that the front door has a Yale lock, the ground-floor windows are single-glazed, and the alarm panel is a model known to have a bypass. A penetration test is like actually trying to pick the lock, break the glass, bypass the alarm, and walk out with the contents of the safe — then telling the building owner exactly how you did it and how to stop someone else doing the same thing.
The scan tells you what might be vulnerable. The penetration test tells you what is vulnerable, what the consequences are, and how to fix it. Both have value — but they answer different questions and provide different levels of assurance.
Vulnerability scanning and penetration testing serve different purposes and should be used accordingly. A mature security programme includes both — regular vulnerability scanning as an ongoing monitoring activity and periodic penetration testing as a deeper validation.
| Use Case | Appropriate Activity |
|---|---|
| Ongoing monitoring for known vulnerabilities | Vulnerability scanning — run weekly or monthly to catch new vulnerabilities as they are disclosed and verify that patches are applied. |
| Annual security assessment for compliance | Penetration testing — conducted annually by a qualified provider to satisfy PCI DSS, GDPR, ISO 27001, and client requirements. |
| Pre-deployment check for a new application | Penetration testing — a vulnerability scan will not find business logic flaws, authentication bypasses, or access control failures in custom applications. |
| Quick health check after patching | Vulnerability scanning — fast, automated, and ideal for verifying that patches were applied correctly across your estate. |
| Demonstrating real-world risk to the board | Penetration testing — a scanner report showing 'CVE-2024-XXXX: Critical' means little to non-technical stakeholders. A penetration test report showing 'we accessed your customer database containing 50,000 records using a default password' is immediately understood. |
If you are evaluating a proposal from a security testing provider, the following indicators help you distinguish a genuine penetration test from a vulnerability scan sold under a different name.
Both vulnerability scanning and penetration testing have a place in a security programme, but they serve different purposes and provide different levels of assurance. A vulnerability scan finds known issues quickly and cheaply. A penetration test proves what an attacker could actually do with those issues — and finds the complex, chained, and logic-based vulnerabilities that no scanner can detect.
If you are buying security testing for compliance, client requirements, or genuine risk reduction, ensure you are commissioning an actual penetration test — not a vulnerability scan with a misleading label.
Every Hedgehog Security engagement is a genuine, manually conducted penetration test performed by individually certified testers. We will never sell you a vulnerability scan as a penetration test.