Vulnerability Assessment vs Penetration Testing: What's the Difference?

A client last year told me they had been doing annual pen tests for three years running. I asked to see the reports. All three were the same format: a list of CVEs with CVSS scores, sorted by severity, generated by a commercial scanning tool. There was no exploitation, no business logic testing, and no access control checks. The company that produced them had been charging pen test rates for vulnerability scans. Nobody noticed because the reports looked technical enough to satisfy the compliance requirement.
That story is common enough that I think it is worth being explicit about the difference.
What a vulnerability assessment does
A vulnerability assessment uses automated tools to scan your systems and compare what it finds against a database of known vulnerabilities. The tool checks software versions, looks for missing patches, tests for default credentials, and identifies misconfigurations.
The output is a list of findings. Each item describes a known vulnerability, gives it a severity score (usually CVSS), and provides generic remediation guidance. The list might be 30 items or 300, depending on the size of your environment and how well maintained it is.
This is useful work because it gives you a baseline. You can see which systems are missing patches, which services are running outdated software, and where configuration weaknesses exist. For ongoing security maintenance, regular vulnerability scanning is one of the most cost-effective things you can do.
What the assessment does not do is tell you whether those vulnerabilities can actually be exploited in your specific environment. A critical CVE on a service that is only accessible from a single admin workstation behind two layers of authentication is a different risk from the same CVE on an internet-facing server with no access controls. The vulnerability scan gives both the same score.
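To put a number on that point, here is an added example (not from the original article) that re-scores one scanner finding with the CVSS v3.1 environmental metrics, which are the standard's own way of adding the reachability and authentication context a scanner does not know. The 9.8 vector and the two exposure contexts are constructed assumptions; the weights and formulas follow the CVSS v3.1 specification.

```python
"""Added example: CVSS v3.1 base vs environmental score for one scanner finding.
Weights and formulas follow the CVSS v3.1 spec; temporal metrics are left undefined (1.0)."""
import math
# CVSS v3.1 metric weights. Privileges Required depends on Scope.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # C/I/A requirement weights (X = not defined)

def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, computed on integers."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":") for part in vector.split("/")[1:])

def _score(scope, av, ac, pr, ui, c, i, a, cr=1.0, ir=1.0, ar=1.0, modified=False):
    iss = 1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)
    if modified:
        iss = min(iss, 0.915)  # the spec caps the modified impact sub-score
    if scope == "U":
        impact = 6.42 * iss
    elif modified:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    total = impact + 8.22 * av * ac * pr * ui  # impact + exploitability sub-scores
    return roundup(min(total * (1.08 if scope == "C" else 1.0), 10))

def environmental_score(vector, overrides, modified=True):
    """overrides: modified metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) and
    requirements (CR, IR, AR); anything absent falls back to the base metric."""
    m = parse(vector)
    g = lambda k: overrides.get("M" + k, m[k])
    s = g("S")
    return _score(s, AV[g("AV")], AC[g("AC")], PR[s][g("PR")], UI[g("UI")],
                  CIA[g("C")], CIA[g("I")], CIA[g("A")],
                  REQ[overrides.get("CR", "X")], REQ[overrides.get("IR", "X")],
                  REQ[overrides.get("AR", "X")], modified)
def base_score(vector):
    return environmental_score(vector, {}, modified=False)
# Constructed sample: one 9.8 finding, two exposure contexts the scanner cannot see.
FINDING = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
ADMIN_ONLY = {"MAV": "A", "MPR": "H"}  # adjacent-network reach only, high privilege needed
```

Run `environmental_score(FINDING, {})` for the internet-facing server and `environmental_score(FINDING, ADMIN_ONLY)` for the admin-workstation-only service: the same 9.8 base score becomes 9.8 and 6.8 respectively.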
What a penetration test does
A penetration test starts where the vulnerability assessment leaves off. The tester takes the findings from automated scanning and attempts to exploit them. Can the missing patch actually be leveraged to gain access? Can the default credentials on the test environment be used to pivot to production? Can three low-severity findings be chained together into a high-severity attack path?
Beyond exploitation, the tester checks things that automated tools cannot. Business logic flaws in your application that scanners miss. Access control gaps that let one user view another's data. Authentication bypasses that exist because of how the system was designed, not because of a missing patch. Social engineering vectors that depend on human behaviour rather than technical weaknesses.
The output is a report that describes what the tester actually achieved, not just what a tool found. "I accessed the admin panel using a default credential from the staging environment" tells you more than "default credential detected, CVSS 9.8."
The practical differences
| Aspect | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Primary method | Automated scanning tools | Manual testing with tool support |
| What it finds | Known vulnerabilities and misconfigurations | Exploitable weaknesses and logic flaws |
| Exploitation | No | Yes |
| Business logic testing | No | Yes |
| Access control testing | Limited | Thorough |
| Duration | Hours | Days |
| Output | List of findings with CVSS scores | Narrative report with exploitation evidence |
| Frequency | Monthly or quarterly | Annually or after changes |
| Cost | Lower | Higher |
| Skill required | Tool operation | Security expertise |
Neither is better than the other because they serve different purposes. The question is which one your situation requires.
When to use a vulnerability assessment
Ongoing monitoring. Run regular scans (monthly or quarterly) to catch new vulnerabilities as they are disclosed. This is your continuous security hygiene layer. When a new critical CVE is published, a scan tells you within hours whether any of your systems are affected.
Establishing a baseline. If you have never had any security testing, a vulnerability assessment gives you the starting point. Fix the known issues first. There is no point commissioning a pen test when you have 50 unpatched critical vulnerabilities. Deal with those, then test whether your defences hold up.
Compliance requirements that specify scanning. Some standards and contracts require vulnerability scanning specifically. PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). If your requirement says "vulnerability scan," that is what you need.
Large environments. If you have hundreds of servers and thousands of endpoints, a pen tester cannot manually check every one. Regular scanning covers the breadth, while pen testing covers the depth.
When to use a penetration test
Contract or regulatory requirement for a pen test. If the requirement says "penetration test," a vulnerability scan will not satisfy it. The assessor, auditor, or client will look for evidence of manual testing, exploitation attempts, and business logic analysis.
Application security. Vulnerability scanners are poor at testing web application logic, API authorisation, and custom code. If your business relies on a customer-facing application, a pen test is how you find the problems that scanners miss.
After remediating a vulnerability assessment. You have fixed the known issues. Now you want to know whether your defences hold up against a motivated attacker who thinks creatively. That requires a tester, not a tool.
Post-incident. You had a security breach and want to understand the full extent of the exposure. A pen test can determine whether the attacker's access was limited to what they exploited or whether other paths exist.
Board-level assurance. A pen test report with specific exploitation evidence is more convincing to a board than a list of CVEs. The narrative of "the tester accessed the finance database using a chain of three vulnerabilities" communicates risk in terms non-technical people understand.
The grey area: where providers cause confusion
The market confusion happens because some providers sell scans as pen tests. The deliverable looks similar to someone who does not know the difference. Both produce a PDF with findings sorted by severity. Both reference CVSS scores and both include remediation recommendations.
The difference is in the methodology behind each one. A pen test report should include evidence of manual testing: specific requests the tester crafted, screenshots of exploited vulnerabilities, descriptions of attack chains, and business logic findings that no automated tool could have produced. If the report reads like scanner output with a company logo on it, you received a scan.
I am not saying scans are worthless. They are genuinely useful and every organisation should be running them. I am saying that if you are paying pen test rates, you should receive pen test output. Ask the provider what methodology they follow, and ask to see a sample report (redacted). Ask who will be doing the testing and what their qualifications are.
Using both together
The most effective approach is both, at different cadences.
Run vulnerability scans on a monthly or quarterly cadence. They catch new CVEs, configuration drift, and regressions. They are automated, relatively cheap, and provide continuous coverage.
Commission a penetration test annually, or more frequently if your environment changes significantly. The pen test covers what the scanner cannot: business logic, access controls, exploitation chains, and the human element.
The scan maintains the baseline while the test validates the defences. Each one is more valuable because the other exists.