HEDYLIUM


Vulnerability scan or penetration test: what is the difference?


Both are often lumped together under the label "security test". Yet a vulnerability scan and a penetration test answer two different questions, and neither substitutes for the other.

The vulnerability scan

This is a largely automated examination that lists the known weaknesses of a system: outdated versions, weak configurations, missing patches. It is fast, broad and repeatable, which allows it to be run regularly. Its downside: it flags potential vulnerabilities without establishing what an attacker could actually do with them, and it produces false positives, typically because detection relies on version banners and fingerprints rather than on proof of exploitability (a host carrying a vendor-backported fix will still report an "old" version). It also only finds what is in its signature database.
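To make the "potential, not confirmed" point concrete, here is an added illustration (not HEDYLIUM's code or tooling) of how a banner-based scanner reaches its verdicts. The advisory table, the host banners and the advisory identifiers (`EXAMPLE-…`) are constructed for the example and are not real advisories. The scanner compares the upstream version in a service banner against a "fixed in" version; it marks a hit as `needs-review` rather than `potential` when the banner carries a distribution tag, since distributions routinely backport fixes without bumping the upstream version, which is the classic source of scanner false positives.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed advisory table (hypothetical identifiers, NOT real CVEs):
# product -> list of (first fixed version, advisory id).
ADVISORIES = {
    "OpenSSH": [((7, 4), "EXAMPLE-SSH-0001")],
    "Apache": [((2, 4, 50), "EXAMPLE-HTTPD-0002")],
}

# Constructed sample banners as a scanner would collect them (host, banner).
SAMPLE_BANNERS = [
    ("203.0.113.10", "OpenSSH_7.2p2 Ubuntu-4ubuntu2.10"),  # old upstream version, distro build
    ("203.0.113.11", "OpenSSH_8.9p1"),                    # newer than the fix
    ("203.0.113.12", "Apache/2.4.41 (Ubuntu)"),           # old version, distro build
    ("203.0.113.13", "Apache/2.4.29"),                    # old version, no distro hint
    ("203.0.113.14", "nginx/1.18.0"),                     # not in our (tiny) signature set
]

BANNER_RE = re.compile(r"^(?P<product>OpenSSH|Apache)[_/ ](?P<version>\d+(?:\.\d+)*)(?P<suffix>.*)$")
DISTRO_RE = re.compile(r"ubuntu|debian|el\d|centos|rhel", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    advisory: str
    status: str  # "potential" (version below fix) or "needs-review" (backport likely)


def parse_version(text: str) -> tuple:
    """'2.4.41' -> (2, 4, 41); tuples compare lexicographically like version numbers."""
    return tuple(int(part) for part in text.split("."))


def evaluate_banner(host: str, banner: str) -> Optional[Finding]:
    """Return a Finding if the banner's upstream version predates a known fix.

    This is exactly what a signature-based scanner does: no packet is sent to
    exploit anything, so the result is a hypothesis about the host, not proof.
    """
    match = BANNER_RE.match(banner)
    if not match:
        return None  # unknown product: a scanner is blind outside its signatures
    product = match.group("product")
    version = parse_version(match.group("version"))
    for fixed_in, advisory in ADVISORIES.get(product, []):
        if version < fixed_in:
            # A distribution tag means the package may carry a backported fix
            # while still advertising the old upstream version.
            status = "needs-review" if DISTRO_RE.search(match.group("suffix")) else "potential"
            return Finding(host, product, match.group("version"), advisory, status)
    return None


def scan(banners) -> list:
    """Run the banner check over every (host, banner) pair and collect findings."""
    return [f for f in (evaluate_banner(h, b) for h, b in banners) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_BANNERS):
        print(f"{finding.host:15} {finding.product} {finding.version:8} "
              f"{finding.advisory} [{finding.status}]")
```

Three of the five hosts are flagged, two of them only as `needs-review`. Confirming which of the three is actually exploitable, and what an attacker could reach from there, is precisely the work the scan leaves to a penetration test.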

The penetration test

This is a targeted exercise, combining tools and human expertise to exploit weaknesses and demonstrate a concrete impact. It takes place within a formalised framework — scope, rules of engagement, authorisations — and goes deeper, at the cost of greater effort and lower frequency.

Which to choose

The two are complementary. The scan offers continuous, low-cost monitoring of the exposed surface; the penetration test periodically validates the real resistance to an attacker. The first measures breadth, the second depth.

The right choice depends on the aim: maintaining continuous hygiene, or testing a defence ahead of a deadline.

Get in touch

A first conversation.

Outline your need in a few lines; the firm replies by email.