BLOG HOME > Cybersecurity > Pentesting vs Vulnerability Scanning: What's the Difference?

Pentesting vs Vulnerability Scanning: What's the Difference?

Gary Glover
VP Security Assessments

Pentesting vs vulnerability scanning: two very different ways to test your systems for vulnerabilities. 

Penetration testing and vulnerability scanning are often confused for the same service. The problem is, business owners purchase one when they really need the other. Let me explain pentesting vs. vulnerability scanning.

A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is an exhaustive, live examination designed to exploit weaknesses in your system.

Let’s dive a little deeper.

White Paper: 5 Tips to Pay Less for PCI Compliance

Download Here

What is a vulnerability scan?

Also known as vulnerability assessments, vulnerability scans assess computers, systems, and networks for security weaknesses, also known as vulnerabilities. These scans are typically automated and give a beginning look at what could possibly be exploited.

High-quality vulnerability scans can search for over 50,000 vulnerabilities and are required as per PCI DSS, FFIEC, and GLBA mandates.

Vulnerability scans can be instigated manually or on an automated basis, and will complete in as little as several minutes, to as long as several hours.

Vulnerability scans are a passive approach to vulnerability management, because they don’t go beyond reporting on vulnerabilities that are detected. It’s up to the business owner or his/her IT staff to patch weaknesses on a prioritized basis, or confirm that a discovered vulnerability is a false positive, then rerun the scan.

To ensure the most important vulnerabilities are being scanned for, vulnerability scans should only be conducted by a PCI Approved Scanning Vendor, or ASV.

See Also:  Spotting Vulnerabilities – Is Vulnerability Scanning Antiquated?

Vulnerability scan reporting 
After scan completion, a report will generate. Typically, vulnerability scans generate an extensive list of vulnerabilities found and references for further research on the vulnerability. Some even offer directions on how to fix the problem.

The report identifies any identified weaknesses, but sometimes includes false positives. A false positive is when a scan identifies a threat that’s not real. Sifting through real vulnerabilities and false positives can be a chore, especially if many are falsely identified.

PCI Approved Vulnerability (ASV) Scans

Learn More
Benefits of a vulnerability scan 
  • Quick, high-level look at possible vulnerabilities
  • Very affordable (~$100 per IP, per year, depending on the scan vendor)
  • Automatic (can be automated to run weekly, monthly, quarterly, etc.)
  • Takes minutes

Limitations of a vulnerability scan 

  • False positives
  • Businesses must manually check each vulnerability before testing again
  • Does not confirm that a vulnerability is possible to exploit

See Also: Picking Your Vulnerability Scanner: The Questions You Should Ask

What is a penetration test?

A penetration test simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities. Actual analysts, often called ethical hackers, try to prove that vulnerabilities can be exploited. Using methods like password cracking, buffer overflow, and SQL injection, they attempt to compromise and extract data from a network.

Penetration tests are an extremely aggressive approach to finding and removing vulnerabilities. They are also required as per PCI DSS, FFIEC, and GLBA regulations.

SEE ALSO:  New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

The cost of a penetration test is usually between $5,000 to over $70,000…but it depends on the extent of IP’s tested and the size of a web application. Learn more about the cost of penetration testing.

The main aspect that differentiates penetration testing from vulnerability scanning is the live human element. There is no such thing as an automated penetration test. All penetration tests are completed by very experienced, very technical, human beings.

 Penetration testers are well versed in: 

  • Black hat attack methodologies (e.g., remote access attacks, SQL injection)
  • Internal and external testing (i.e., perspective of someone within the network, perspective of hacker over Internet)
  • Web front-end technologies (e.g.,Javascript, HTML)
  • Web application programming languages (e.g., Python, PHP)
  • Web APIs (e.g., restful, SOAP)
  • Network technologies (e.g, firewalls, IDS)
  • Networking protocols (e.g., TCP/UDP, SSL)
  • Operating systems (e.g., Linux, Windows)
  • Scripting languages (e.g., python, pearl)
  • Testing tools (e.g., Nessus, Metasploit)

In short, penetration testers provide a deep look into the data security of an organization.

SEE ALSO:  Different Types of Penetration Tests for Your Business Needs


Typically, penetration test reports are long and contain a description of attacks used, testing methodologies, and suggestions for remediation.

Benefits of a penetration test 

  • Live, manual tests mean more accurate and thorough results
  • Rules out false positives
  • Annual test, or after any significant change

Limitations of a penetration test 

  • Time (1 day to 3 weeks)
  • Cost (around $4,000 to $20,000)

Which is better? A vulnerability scan or penetration test?

Both tests work together to encourage optimal network security. Vulnerability scans are great weekly, monthly, or quarterly insight into your network security, while penetration tests are a very thorough way to deeply examine your network security. Yes, penetration tests are expensive, but you are paying a professional to examine every nook and cranny of your business the way a real world attacker would, to find a possibility of compromise.

Schedule some time to discuss a penetration test for your business.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is SVP of Assessments at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and proper as you read his other blog posts.

Join Thousands of Security Professionals and Subscribe


We are excited to work with you.


Thank you!

Your request has been submitted.