Vulnerability Scan vs. Penetration Test

There are topics in cybersecurity that are open to interpretation and debate, such as what the best password policy looks like. The goal of this article is not to argue such an opinionated topic, but to explain two cybersecurity practices that are clearly distinct from one another, yet very commonly confused.

Regardless of your industry, you've likely heard both of these terms come up in discussions around compliance. Most regulatory bodies are increasing their enforcement of cybersecurity, and generally require companies to run periodic vulnerability scans and at least an annual penetration test (PCI DSS, for example, calls for quarterly scans and an annual test). Even without a compliance need or regulators on your back, both practices are paramount for understanding your risk.

Suffice it to say that there are third-party vendors selling vulnerability scans under the guise of penetration tests, so it's important to know which is which, and what questions you should be asking.


What is a Vulnerability Scan?

A vulnerability (vuln) scan is an automated tool run against the assets connected to your network: workstations, file servers, printers, network gear, and so on. The scanner identifies each device and the software and services running on it, then compares what it finds against a database of known, documented vulnerabilities and weak configurations. If you have both a public-facing network and an internal network, the scan needs to cover both: an external scan run from the internet against your public addresses, and an internal scan run from inside the network. Vuln scans are typically run outside of business hours to avoid interrupting service while the tool is running, and commonly take 4-8 hours depending on the number of devices.

The default deliverable of a vuln scan is a detailed technical report (typically hundreds of pages) listing every known vulnerability found on every device. A properly managed vuln scan also comes with a human-written executive report, including a top-10 vulnerability list, that C-level executives and operations heads can digest and use to direct remediation efforts. Much of the raw report's length comes from the same vulnerability being repeated for every host it was found on, so a good top-10 list is a short list of root causes (an unpatched product, a weak default setting) rather than ten individual scanner entries.
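To make the "hundreds of pages" versus "top-10 list" point concrete, here is an added example (not code from the original article or from inCyber) of how raw scanner rows are collapsed and ranked into a short remediation list. The findings, host names, ids and scores are constructed for the example and do not refer to real CVEs; the ranking rule (public exploit first, then CVSS score, then number of affected hosts) and the exclusion of hand-validated false positives are assumptions about how a practitioner would triage, not something the article prescribes.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    """One row of scanner output: a known issue observed on one host."""
    host: str
    vuln_id: str                   # CVE number or scanner plugin id
    title: str
    cvss: float                    # CVSS base score, 0.0 to 10.0
    exploit_public: bool = False   # scanner's "public exploit available" flag


@dataclass
class RankedVuln:
    """One vulnerability collapsed across every host it was seen on."""
    vuln_id: str
    title: str
    cvss: float
    exploit_public: bool
    hosts: list[str] = field(default_factory=list)


def severity_bucket(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def rank_findings(findings: Iterable[Finding],
                  false_positives: frozenset[str] = frozenset(),
                  top_n: int = 10) -> list[RankedVuln]:
    """Collapse per-host rows into one entry per vulnerability, then rank.

    Rows whose vuln_id was confirmed as a false positive during manual
    validation are dropped first. Ranking (an assumed triage rule) puts
    issues with a public exploit ahead of everything else, then sorts by
    CVSS, then by the number of hosts affected, so the list reads
    top-down as "fix this next".
    """
    grouped: dict[str, RankedVuln] = {}
    for f in findings:
        if f.vuln_id in false_positives:
            continue
        entry = grouped.setdefault(
            f.vuln_id, RankedVuln(f.vuln_id, f.title, f.cvss, f.exploit_public))
        if f.host not in entry.hosts:        # same plugin on two ports: still one host
            entry.hosts.append(f.host)
    ranked = sorted(grouped.values(),
                    key=lambda v: (v.exploit_public, v.cvss, len(v.hosts)),
                    reverse=True)
    return ranked[:top_n]


def severity_counts(ranked: Iterable[RankedVuln]) -> dict[str, int]:
    """Executive-summary view: number of distinct issues per severity."""
    counts: dict[str, int] = defaultdict(int)
    for v in ranked:
        counts[severity_bucket(v.cvss)] += 1
    return dict(counts)


# Constructed sample rows; ids, titles and scores are made up for this example.
SAMPLE_FINDINGS = [
    Finding("ws-01", "F-102", "SMBv1 protocol enabled", 8.1, True),
    Finding("srv-file-01", "F-101", "Unsupported operating system version", 9.8, True),
    Finding("ws-02", "F-102", "SMBv1 protocol enabled", 8.1, True),
    Finding("printer-01", "F-104", "Default SNMP community string", 7.5),
    Finding("ws-01", "F-102", "SMBv1 protocol enabled", 8.1, True),   # duplicate row
    Finding("ws-03", "F-102", "SMBv1 protocol enabled", 8.1, True),
    Finding("printer-01", "F-103", "Self-signed TLS certificate", 5.3),
    Finding("srv-app-01", "F-107", "Web server version disclosure", 5.3),
    Finding("ws-04", "F-102", "SMBv1 protocol enabled", 8.1, True),
    Finding("printer-02", "F-104", "Default SNMP community string", 7.5),
    Finding("ws-01", "F-105", "Outdated browser plugin", 6.5, True),
    Finding("printer-02", "F-103", "Self-signed TLS certificate", 5.3),
    Finding("srv-file-01", "F-103", "Self-signed TLS certificate", 5.3),
    Finding("srv-file-01", "F-106", "Weak SSH ciphers offered", 4.3),
    Finding("ws-02", "F-105", "Outdated browser plugin", 6.5, True),
    Finding("srv-app-01", "F-106", "Weak SSH ciphers offered", 4.3),
]
# In this constructed example F-107 was checked by hand and is treated as a
# validated false positive, so it never reaches the executive list.
VALIDATED_FALSE_POSITIVES = frozenset({"F-107"})


if __name__ == "__main__":
    top = rank_findings(SAMPLE_FINDINGS, VALIDATED_FALSE_POSITIVES)
    print(f"{len(SAMPLE_FINDINGS)} raw rows -> {len(top)} distinct issues")
    for i, v in enumerate(top, 1):
        print(f"{i:2}. [{severity_bucket(v.cvss):8}] {v.title} "
              f"({v.vuln_id}, CVSS {v.cvss}, exploit={'yes' if v.exploit_public else 'no'}, "
              f"{len(v.hosts)} host(s))")
    print("By severity:", severity_counts(top))
```

Run as a script, it prints the ranked list and the per-severity counts. The point to take away is that the deduplication step, not the severity scores, is what turns sixteen raw rows (and in real life thousands) into a handful of items an executive can act on, and that validating findings by hand before they reach that list is part of what "properly managed" means.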

As stated, vuln scans only detect known, documented vulnerabilities, and they can report false positives, so findings should be validated before remediation is scheduled. No technology team can replicate by hand what a vuln scan offers, and scans are essential for understanding the current state of your infrastructure and establishing a baseline of vulnerabilities that you can track over time.

Vulnerabilities specific to your daily operations and personnel, such as a weak business process or an employee who can be talked into handing over credentials, will not be captured in a vuln scan. This is where penetration tests come in.

What is a Penetration Test?

A penetration (pen) test is a simulated real-world attack, typically against your public-facing assets. This can include your website, VPN endpoint, client portals, and even your personnel. There are different tiers of pen test that define the scope (which assets, which tactics, and what the testers are told in advance), and these are agreed on with the cybersecurity professional to fit your company's needs. Pen tests should ideally be performed by a different outsourced team each year, so that your real-world defenses are gauged by fresh eyes rather than by a team that already knows your environment.

The main difference captured in a pen test versus a vuln scan is that a pen test does not stop at known vulnerabilities; it exercises the practical, active measures an attacker could take against your company's infrastructure and personnel today. This can include social engineering of key personnel using phone calls or phishing emails, attempting to get onsite to test physical security and staff awareness, or actively trying to break into your company's VPN, and it often means chaining several individually minor weaknesses into actual access to systems or data.

Depending on the scope, a pen test can take anywhere from three weeks to three months. It is not a single tool running; it is one or more cybersecurity professionals simulating what a criminal could do to your network (and ultimately to your data and reputation).

The key deliverables here are a detailed technical report, typically handed off to IT, that documents each finding together with the evidence and the steps used to exploit it so the issue can be reproduced and fixed, and an executive report summarizing the findings and their business impact in digestible language.

So, which one do I need?

Both. Without a vuln scan you cannot gauge your exposure to everyday threats such as malware and automated attacks, which rely on known, unpatched vulnerabilities and weak configurations. Without a pen test you cannot gauge the damage a determined criminal could actively do to your company using any tactic available.

A vuln scan is not going to test your company's security awareness, and a pen test is not necessarily going to test configuration problems on individual systems that aren't public facing.

Which one is better?

I would love to tell you which is better or more important, but it depends on your infrastructure and your risk management. The important thing to know is that they are not interchangeable; they are two entirely different services. Without having run either a vuln scan or a pen test, you are left without a baseline from which to manage your risk properly.

Did someone sell me a vulnerability scan as a penetration test?

Hard to say, but unfortunately we see this far too often. There are some tells, however. If you paid for a pen test and the testers finished in 4-8 hours, you were most likely sold a vuln scan. Other signs: the report is a list of automatically generated findings with severity scores but no narrative of what the testers actually did; there is no evidence of exploitation (screenshots, proof of access, data reached) behind the findings; nobody contacted your staff or attempted to get past your people or physical controls even though those were in scope; and every finding is something a scanner could have told you, with nothing that required a person to chain weaknesses together. Ask the provider who did the testing, what manual work was done beyond running tools, and to walk you through how a specific finding was exploited.

Hopefully, with this article, you will be able to talk knowledgeably with a prospective security service provider, or one you have already hired, to ensure you're getting what you paid for.


inCyber Security is a cybersecurity and cyber compliance consulting firm that specializes in helping the financial industry adhere to industry cyber regulations and protect themselves from cyber threats and reputational damage. inCyber acts as an outsourced CISO to most of its clients, but also offers project-based services. Using its proprietary security maturity model and unbiased approach, inCyber helps its clients understand and manage relevant cyber risks.

To learn more, contact us at 844-446-2923 or