Penetration Testing vs Vulnerability Scanning: When to Use Which
Pentest vs vulnerability scan: when do you need which?
A practical comparison of penetration testing and vulnerability scanning. Different exercises, different output, different price points. Most security programs need both. This page tells you which to use when, with a side-by-side capability map.
One is automated. One is adversarial.
A vulnerability scan is automated pattern matching. It checks your application against a database of known issues and configurations. A penetration test is a manual exercise where engineers actively try to break your application by chaining weaknesses, exploring business logic, and exploiting authorization boundaries. Different exercises, different output, different evidence value.
- Scan: known patterns, automated, fast, high false-positive rate
- Pentest: chained exploits, manual, slower, every finding verified
- Scan finds known CVEs and misconfigurations. Pentest finds those too, plus logic and authorization flaws.
- Scan output is a list. Pentest output is a narrative with evidence.
VULNERABILITY SCANNER OUTPUT
✓ jQuery 3.4.1 detected (CVE-2020-11023)
✓ Missing security header: X-Frame-Options
✓ Cookie set without Secure flag
✓ TLS 1.0 still enabled
✓ Server banner reveals version
→ 247 alerts, 89% false positive rate
→ No business logic flaws detected
→ No multi-tenant testing
→ No auth flow testing

PENTEST OUTPUT (same target)
CRITICAL Multi-tenant isolation: tenant_id parameter accepts other tenants' IDs
CRITICAL Race condition in /api/payment/retry charges card 12x from one click
HIGH OAuth scope confusion: refresh tokens granted with broader scope than access
HIGH Password reset accepts old token after password changed
→ 14 findings, 100% manually verified
→ All 4 above invisible to scanner
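To make the difference concrete, here is an added example (not code from the page or from any scanner or pentest vendor) that puts the two kinds of check side by side against a constructed in-memory API. The tenant IDs, session values, invoice data and handler names (`handle_invoices`, `handle_invoices_fixed`) are all hypothetical. `scan_response` does what a scanner does: stateless pattern matching on one HTTP response (headers, cookie flags, version banner). `cross_tenant_check` does what a tester does: authenticate as one tenant, swap in another tenant's identifier, and see whether the data comes back. The vulnerable handler passes every scanner check and still leaks the other tenant's invoices; the hardened handler derives the tenant from the session instead of the request.

```python
import json
import re

# Constructed sample data (hypothetical): two tenants and their invoices.
INVOICES = {
    "t-100": [{"id": 1, "amount": 120.0}],
    "t-200": [{"id": 7, "amount": 9900.0}],
}
# Constructed session store: session cookie value -> tenant it was issued for.
SESSIONS = {"sess-alice": "t-100", "sess-bob": "t-200"}


def _hardened_headers(session_id):
    """Response headers with every setting a scanner looks for already in place."""
    return {
        "Content-Type": "application/json",
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=31536000",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
        "Server": "nginx",  # no version in the banner
    }


def handle_invoices(session_id, query):
    """Vulnerable handler (flaw kept on purpose): the tenant is taken from the
    client-supplied tenant_id and never compared with the session's tenant."""
    if session_id not in SESSIONS:
        return 401, {}, ""
    tenant = query.get("tenant_id")
    return 200, _hardened_headers(session_id), json.dumps(INVOICES.get(tenant, []))


def handle_invoices_fixed(session_id, query):
    """Hardened handler: the tenant comes from the authenticated session, and a
    tenant_id that does not match it is refused instead of honoured."""
    if session_id not in SESSIONS:
        return 401, {}, ""
    tenant = SESSIONS[session_id]
    if query.get("tenant_id", tenant) != tenant:
        return 403, _hardened_headers(session_id), ""
    return 200, _hardened_headers(session_id), json.dumps(INVOICES[tenant])


def scan_response(status, headers, body):
    """Scanner-style checks: stateless pattern matching on a single response.
    Nothing here knows who the caller is or whose data the body contains."""
    findings = []
    if "X-Frame-Options" not in headers and "Content-Security-Policy" not in headers:
        findings.append("Missing security header: X-Frame-Options")
    if "Strict-Transport-Security" not in headers:
        findings.append("Missing security header: Strict-Transport-Security")
    cookie = headers.get("Set-Cookie", "")
    if cookie and "secure" not in cookie.lower():
        findings.append("Cookie set without Secure flag")
    if re.search(r"/\d+\.\d+", headers.get("Server", "")):
        findings.append("Server banner reveals version")
    return findings


def legacy_response():
    """Constructed response from an unhardened server, to show what the scanner does catch."""
    headers = {
        "Content-Type": "text/html",
        "Set-Cookie": "session=sess-alice; HttpOnly",  # no Secure flag
        "Server": "Apache/2.4.41",  # version in banner
    }
    return 200, headers, "<html></html>"


def cross_tenant_check(handler):
    """Pentest-style logic check: authenticate as tenant t-100, ask for t-200's
    invoices, and report True if the other tenant's data is returned."""
    status, _, body = handler("sess-alice", {"tenant_id": "t-200"})
    return status == 200 and any(inv["id"] == 7 for inv in json.loads(body or "[]"))


if __name__ == "__main__":
    own = handle_invoices("sess-alice", {"tenant_id": "t-100"})
    print("scanner findings, vulnerable app:", scan_response(*own))           # []
    print("scanner findings, legacy server: ", scan_response(*legacy_response()))
    print("cross-tenant leak, vulnerable:", cross_tenant_check(handle_invoices))        # True
    print("cross-tenant leak, fixed:     ", cross_tenant_check(handle_invoices_fixed))  # False
```

The scanner returns an empty list for the vulnerable app because every pattern it knows is satisfied; the leak only shows up when a second identity is introduced and the response is judged by what it contains rather than what it looks like. That is the whole gap between the two columns above, and it is why the fix is an authorization decision on the server (tenant from session) rather than another header.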
Side-by-side
Capability comparison.
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| Method | Automated pattern matching | Manual, by senior engineers |
| Speed | Minutes to hours | 2-4 weeks |
| False positive rate | 30-90% | Near zero (every finding verified) |
| Finds known CVEs | ✓ | ✓ |
| Finds business logic flaws | ✗ | ✓ |
| Tests multi-tenant isolation | ✗ | ✓ |
| Tests complex auth flows | ~ partial | ✓ |
| Provides reproducible PoC | ✗ | ✓ |
| Satisfies SOC 2 CC7.1 | ~ partial | ✓ |
| Satisfies PCI DSS 11.3 pentest requirement (numbered 11.4 in PCI DSS v4.0, where 11.3 covers scanning) | ✗ | ✓ |
| Cost (rough) | $5-50K/year (tooling) | $15-50K per engagement |
| Cadence | Continuous (CI integration) | Quarterly to annually |
When to use which
A simple decision framework.
Use a scanner when you need continuous, low-cost coverage of known patterns: catching the easy stuff before it ships. Dependency CVEs, missing security headers, outdated TLS. Most CI pipelines need at least one scanner.
Use a pentest when you're shipping new architecture, multi-tenancy, complex auth, or anything financial; when compliance requires it (SOC 2, PCI, ISO); when you need evidence that survives auditor scrutiny; or when you need coverage of business logic.
Use both when you're operating production SaaS with real customers. This is the default for any company past Series A: scanners run continuously, pentests run periodically, and the two complement each other.
Frequently Asked