Penetration Test vs Vulnerability Assessment

These two services are routinely confused, and the confusion costs organisations real money. A vulnerability assessment and a penetration test answer different questions, suit different budgets, and produce different evidence. This guide explains when each is the right call.

Core difference

They answer different questions

A vulnerability assessment answers: "What known weaknesses exist in this environment?" It is broad, automated, fast, and surfaces a long list of issues for triage. A vulnerability assessment uses scanning tools augmented by human review and produces a prioritised list of findings.

A penetration test answers: "What could an attacker actually do here?" It is narrower, manual, slower, and surfaces the exploitable chains that matter. A penetration test simulates how a real attacker would move through your environment, often demonstrating multi-step attacks that no scanner would assemble.

Side by side

Vulnerability assessment vs penetration test at a glance

DimensionVulnerability AssessmentPenetration Test
GoalIdentify known weaknessesDemonstrate exploitable risk
ApproachAutomated scanning + analyst reviewManual testing + chained exploitation
CoverageBroad (whole environment)Focused (specific scope)
DurationDaysWeeks
OutputLong list of findings, prioritisedNarrative of attack paths, fewer but deeper findings
CostLowerHigher
FrequencyMonthly or quarterlyAnnual or per-change
Compliance usePCI Requirement 11.2, ongoing operational hygienePCI Requirement 11.3, SOC 2, ISO 27001, DORA, customer evidence
How they work together

You need both

A vulnerability assessment is operational hygiene. It runs frequently, catches the obvious issues quickly, and feeds your patching cycle. Without it, scanner-findable issues accumulate silently.

A penetration test is point-in-time validation. It confirms (or refutes) that your vulnerability management programme is working, and it finds the issues that scanners miss: business logic flaws, authorisation bypass, multi-step exploitation, and design-level weaknesses.

Done well, the vulnerability assessment programme catches 80% of issues continuously and cheaply. The penetration test catches the remaining 20% that actually require human judgement, and proves to auditors and customers that you have done both.

Common mistake

Buying a "penetration test" that turns out to be a vulnerability scan with a different label. The output is a long list of generic CVE-flagged findings, no demonstrated exploitation, no narrative. If your report does not contain attack chains, manual findings, and tester reasoning, you have not had a penetration test.

Compliance contexts

Which compliance frameworks need which

PCI DSS Requirement 11.2 requires quarterly vulnerability scans (an Authorised Scanning Vendor for external scans). Requirement 11.3 requires annual penetration testing. They are separate requirements with different evidence.

SOC 2 and ISO 27001 do not technically mandate penetration testing, but most auditors expect to see annual penetration test reports as evidence of control operation. A vulnerability assessment alone is rarely sufficient at audit.

DORA Article 25 requires regular testing for non-significant entities (which can include vulnerability assessments). Article 26 TLPT for significant entities is explicitly threat-led penetration testing.

How RedSecLabs delivers

How we structure both

We deliver penetration testing as our core service: manual, scoped, methodology-driven engagements that produce real attack paths and executive-grade reports. Senior CREST CRT/CCT-certified testers lead engagements.

For vulnerability assessment programmes, we partner with an ASV for required scanning evidence and can advise on building internal vulnerability management programmes. We will not sell you a scan and call it a penetration test.

Common questions

Frequently asked

Can a vulnerability scan replace a penetration test?

No. They produce different evidence. PCI DSS, SOC 2, ISO 27001, and DORA auditors distinguish between them. A scan cannot satisfy a penetration test requirement, and a penetration test does not replace ongoing scanning.

How often should I run each?

Vulnerability scans: monthly or quarterly depending on environment and compliance. External scans for PCI: quarterly minimum. Penetration tests: annually as a baseline, plus per major change (new product, infrastructure migration, post-incident).

What does "manual penetration test" actually mean?

It means a human tester actively probing, chaining vulnerabilities, and reasoning about your specific environment. Tools assist, but the tester drives. The output reflects what a real attacker could do, not what a scanner thinks is there.

Can the same provider do both?

Yes, but check that they are not selling you the same thing twice. Vulnerability scanning should be automated, fast, and lower-cost. Penetration testing should be manual, slower, and significantly more expensive. If both look the same on the invoice, they are not really different services.

Need help choosing?

A 30-minute scoping call covers your specific context and lets us recommend the right approach. We will tell you honestly if our service is not the right fit.

Book a scoping call

Related: Vulnerability Assessment Services →

📞 Call us Book a call