This is the question behind half the scoping calls we take, usually in the form of "we already run a scanner, so why would we pay for a pentest?" or its mirror image, "we had a pentest last year, so why do we need scanning?" Both are fair questions, and the honest answer is that the two do different jobs.
The short version: a vulnerability scan is software checking your systems against a catalogue of known problems. A penetration test is a human being trying to break in. One gives you breadth on a schedule; the other gives you depth and proof.
What a vulnerability scan does well
A scanner (think Nessus, Qualys, OpenVAS, or the built-in scanners in cloud platforms) probes your hosts and applications and compares what it sees against a database of known vulnerability signatures: outdated software versions, missing patches, weak TLS configurations, default credentials, missing security headers.
Scanners are genuinely good at this. They're fast, cheap, repeatable and tireless. They'll check every host in a /16 overnight and never get bored. Run monthly or continuously, they catch the steady drip of new CVEs and configuration drift that no annual exercise can. Any mature security program runs them.
What a scan cannot see
A scanner can only find problems somebody has already written a signature for. That excludes almost everything specific to your application:
- Access control failures. A scanner has no idea that invoice 4092 belongs to a different customer than the logged-in user. To a scanner, a 200 response is a working page, not a data breach.
- Business logic flaws. Applying a referral credit twice, skipping a payment step, approving your own expense claim: all invisible to signature matching.
- Chained attacks. A low-severity information leak plus a weak password reset flow can equal full account takeover. Scanners rate findings one at a time and can't reason about combinations.
- Context. Scanners can't tell which "medium" finding actually exposes your crown jewels, so their severity ratings routinely misprioritise your backlog.
Scan output also needs interpretation: false positives are common, and someone has to verify each finding before your engineers burn time on it.
What a penetration test adds
A penetration test puts a human attacker on your systems, with permission. The tester reads your JavaScript, understands your workflows, creates accounts in every role and asks the questions scanners structurally cannot: what did the developers assume, and what happens when I violate that assumption?
Every finding in a proper pentest report is verified by exploitation, comes with reproduction steps, and is rated in the context of your business. The difference shows up most clearly in application and API testing, where the majority of serious findings (broken object-level authorisation, logic abuse, privilege escalation) have no scanner signature at all.
Side by side
| Dimension | Vulnerability scan | Penetration test |
|---|---|---|
| Performed by | Software | Human specialist (with tooling) |
| Finds | Known, signature-matched issues | Logic, access control and chained flaws, plus known issues |
| Depth | Identifies possible weaknesses | Exploits and proves real impact |
| False positives | Common, need triage | Rare; findings are verified |
| Duration | Hours | Days to weeks |
| Sensible cadence | Monthly or continuous | Annual, plus after major changes |
| Indicative cost | Tool licence + triage time | Thousands to tens of thousands |
So which one do you need?
Usually the honest answer is both, on different clocks. Scanning is your smoke alarm: always on, catching known problems as they appear. Pentesting is your fire drill: periodic, realistic, and the only way to learn how far an attacker actually gets once they're past the obvious stuff.
One caution for compliance buyers: if a customer contract, ISO 27001 auditor or PCI DSS assessor asks for a "penetration test", a scan report will not satisfy them, and vendors who sell scans under the pentest label know exactly what they're doing. Our guide to spotting a rebadged scan covers the warning signs, and our methodology shows what a real engagement looks like.
If you're budgeting for the difference, our Australian pricing guide breaks down what pentests actually cost and why.