The short version
Vulnerability scanning is automated and answers "are there any known issues here?" Penetration testing is performed by a person and answers "would an attacker actually get in, and how?" They are complementary controls, not interchangeable ones, and most mature security programs run both.
Side-by-side comparison
| Dimension | Vulnerability scan | Penetration test |
|---|---|---|
| Performed by | Software | Qualified humans |
| What it finds | Known CVEs, missing patches, configuration drift, signature-matched issues | Authorization flaws, business-logic abuse, multi-tenant isolation gaps, chained attack paths |
| Output | List of candidate findings (often noisy) | Validated, exploited findings with PoC, severity, remediation |
| Frequency | Continuous (daily/weekly) | Periodic (annual + on material changes) |
| Time per cycle | Minutes to hours | 2–6 weeks of testing plus reporting |
| Cost | Per-asset license, low | Per-engagement fixed fee, mid five figures and up |
| Compliance role | Continuous evidence | Required control on most frameworks |
What scanners find well
Scanners are excellent at the well-defined, signature-detectable class of issues. Useful coverage you should not lose:
- Known CVEs in dependencies. A library version with a published vulnerability is exactly the kind of thing a scanner catches efficiently — and exactly the kind of thing humans waste time on if they have to look manually.
- Missing patches and outdated software. Inventory plus a CVE database is the right tool for the job.
- Configuration drift. Did a security group change? Did a new public S3 bucket appear? Did TLS get downgraded? Continuous scanning notices.
- Common web-app patterns. Default credentials, exposed admin paths, missing security headers, weak TLS suites.
What scanners miss — every time
Scanners cannot reason. That sounds reductive, but it is the honest gap. The issues that drive most real breaches require reasoning the scanner cannot do:
- Broken access control. A scanner does not know your role matrix, so it cannot tell you that User A in the "viewer" role can hit an endpoint that should be admin-only. This is consistently the highest-impact category in real engagements.
- Multi-tenant isolation flaws. Cross-tenant IDORs, exported reports leaking across tenants, shared-link scope errors. Requires understanding what a tenant is.
- Business logic abuse. Coupon stacking, promo-referral fraud, fee bypasses, race conditions on money paths. The scanner has no concept of "fee".
- Chained findings. One medium plus one medium plus one low equals critical, and the scanner reports them as three separate medium-severity items.
- Auth and identity edge cases. Algorithm-confusion JWT attacks, downgrade paths from SSO to local login, refresh-token replay across devices.
When to use which
Most programs that get this right run scanning continuously and pentesting periodically. The rough decision tree:
- You have a customer or auditor asking for a pentest report. Run a pentest. A scanner report does not satisfy the question.
- You ship a new product, feature, or major refactor. Run a pentest of the new surface.
- You want continuous coverage between annual pentests. Add scanning, paired with human triage so your team only sees real findings.
- You are starting a security program from scratch. Start with scanning to get visibility and quick wins, then run a pentest within the first six months to see what scanning misses.
Cost and cadence — honest numbers
Scanner pricing is per-asset and runs from low hundreds to low thousands per month for a typical SMB or mid-market environment, depending on coverage and licensing. Pentest pricing is per-engagement: small single-app engagements typically run in the low five figures; multi-environment, red team, or compliance-aligned engagements run higher.
The math that usually matters: one annual pentest plus continuous scanning covers more real risk than two pentests per year would, because the scanner takes care of drift and easy issues continuously while the pentest budget goes into deeper engagements.
The trap to avoid: teams that run only scanners often have hundreds of "findings" in their tracker that nobody fixes, because most are false positives or environment-irrelevant. Without human triage, scanner output corrodes the tracker until everyone tunes it out.
How to buy them together
Three patterns we see work in practice:
- Annual pentest plus triaged scanning. One deep pentest per year on the highest-risk surface; continuous scanning across external, application, and cloud configuration with human triage so only real findings reach the engineering tracker.
- Per-product pentest plus shared scanning. A pentest per product line on a rolling cadence; one scanning program covering everything continuously.
- Compliance bundle. A compliance-aligned annual pentest paired with quarterly or monthly scanning evidence for SOC 2, ISO, or PCI requirements.
Vulnerability scanning + human triage
Continuous scanning paired with human triage so your team only sees real, prioritized findings.
See the engagement Common in this industrySaaS & B2B software
Multi-tenant isolation, SSO, SOC 2, customer security questionnaires.
See industry scopeRelated articles
Preparing for your first pentest? Download the SMB Pentest Readiness Checklist →