These two services are routinely confused, and the confusion costs organisations real money. A vulnerability assessment and a penetration test answer different questions, suit different budgets, and produce different evidence. This guide explains when each is the right call.
A vulnerability assessment answers: "What known weaknesses exist in this environment?" It is broad, automated, fast, and surfaces a long list of issues for triage. A vulnerability assessment uses scanning tools augmented by human review and produces a prioritised list of findings.
A penetration test answers: "What could an attacker actually do here?" It is narrower, manual, slower, and surfaces the exploitable chains that matter. A penetration test simulates how a real attacker would move through your environment, often demonstrating multi-step attacks that no scanner would assemble.
| Dimension | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Goal | Identify known weaknesses | Demonstrate exploitable risk |
| Approach | Automated scanning + analyst review | Manual testing + chained exploitation |
| Coverage | Broad (whole environment) | Focused (specific scope) |
| Duration | Days | Weeks |
| Output | Long list of findings, prioritised | Narrative of attack paths, fewer but deeper findings |
| Cost | Lower | Higher |
| Frequency | Monthly or quarterly | Annual or per-change |
| Compliance use | PCI Requirement 11.2, ongoing operational hygiene | PCI Requirement 11.3, SOC 2, ISO 27001, DORA, customer evidence |
A vulnerability assessment is operational hygiene. It runs frequently, catches the obvious issues quickly, and feeds your patching cycle. Without it, scanner-findable issues accumulate silently.
A penetration test is point-in-time validation. It confirms (or refutes) that your vulnerability management programme is working, and it finds the issues that scanners miss: business logic flaws, authorisation bypass, multi-step exploitation, and design-level weaknesses.
Done well, the vulnerability assessment programme catches 80% of issues continuously and cheaply. The penetration test catches the remaining 20% that actually require human judgement, and proves to auditors and customers that you have done both.
Buying a "penetration test" that turns out to be a vulnerability scan with a different label. The output is a long list of generic CVE-flagged findings, no demonstrated exploitation, no narrative. If your report does not contain attack chains, manual findings, and tester reasoning, you have not had a penetration test.
PCI DSS Requirement 11.2 requires quarterly vulnerability scans (an Authorised Scanning Vendor for external scans). Requirement 11.3 requires annual penetration testing. They are separate requirements with different evidence.
SOC 2 and ISO 27001 do not technically mandate penetration testing, but most auditors expect to see annual penetration test reports as evidence of control operation. A vulnerability assessment alone is rarely sufficient at audit.
DORA Article 25 requires regular testing for non-significant entities (which can include vulnerability assessments). Article 26 TLPT for significant entities is explicitly threat-led penetration testing.
We deliver penetration testing as our core service: manual, scoped, methodology-driven engagements that produce real attack paths and executive-grade reports. Senior CREST CRT/CCT-certified testers lead engagements.
For vulnerability assessment programmes, we partner with an ASV for required scanning evidence and can advise on building internal vulnerability management programmes. We will not sell you a scan and call it a penetration test.
No. They produce different evidence. PCI DSS, SOC 2, ISO 27001, and DORA auditors distinguish between them. A scan cannot satisfy a penetration test requirement, and a penetration test does not replace ongoing scanning.
Vulnerability scans: monthly or quarterly depending on environment and compliance. External scans for PCI: quarterly minimum. Penetration tests: annually as a baseline, plus per major change (new product, infrastructure migration, post-incident).
It means a human tester actively probing, chaining vulnerabilities, and reasoning about your specific environment. Tools assist, but the tester drives. The output reflects what a real attacker could do, not what a scanner thinks is there.
Yes, but check that they are not selling you the same thing twice. Vulnerability scanning should be automated, fast, and lower-cost. Penetration testing should be manual, slower, and significantly more expensive. If both look the same on the invoice, they are not really different services.
A 30-minute scoping call covers your specific context and lets us recommend the right approach. We will tell you honestly if our service is not the right fit.
Book a scoping callRelated: Vulnerability Assessment Services →