A vulnerability assessment is an automated scan that identifies known security weaknesses across your systems and ranks them by severity. A penetration test is a manual, expert-led exercise where a tester actively exploits vulnerabilities to determine real-world impact. Vulnerability assessments find potential problems at scale; penetration tests prove which problems an attacker can actually use. Most organisations need both.
What is a vulnerability assessment?
A vulnerability assessment uses automated scanning tools to identify known weaknesses across your network, applications, and infrastructure. The scanner compares your systems against databases of known vulnerabilities (CVEs) and configuration errors, then ranks each finding using the Common Vulnerability Scoring System (CVSS v3.1 or v4.0) on a scale of 0 to 10.
Common vulnerability scanning tools include Nessus, Qualys, Rapid7 InsightVM, and Tenable.io. A typical scan of a mid-sized network takes hours to complete and produces a report listing hundreds or thousands of findings sorted by severity.
The strength of vulnerability assessments is breadth. A single scan covers every in-scope asset and checks for thousands of known issues. The weakness is accuracy. Research by Rezilion found that popular vulnerability scanners return only 73% relevant results, with more than 450 high and critical-severity vulnerabilities misidentified across 20 test containers. A Finite State industry survey found that 72% of security professionals say false positives from scanners damage team productivity.
Vulnerability assessments tell you what might be vulnerable. They do not tell you what an attacker can actually do with that vulnerability.
What is a penetration test?
A penetration test is a manual security assessment where a qualified tester attempts to exploit vulnerabilities in your systems, following the same techniques a real attacker would use. The goal is not just to find weaknesses but to prove what happens when those weaknesses are exploited: what data can be accessed, what systems can be compromised, and what the business impact would be.
Penetration testers follow structured methodologies such as the OWASP Testing Guide v4.2 for web applications or the Penetration Testing Execution Standard (PTES) for broader engagements. Testing typically covers network infrastructure, web applications, APIs, cloud environments, and sometimes physical security or social engineering.
A typical engagement runs two to ten days depending on scope. The output is a narrative report detailing each finding, the exploitation steps taken, evidence of access obtained, and remediation guidance prioritised by business risk.
Where a vulnerability scanner checks for known CVEs, a penetration tester tests business logic flaws, authentication bypasses, privilege escalation chains, and access control weaknesses that no automated tool can detect. In one documented case, an e-commerce platform's penetration test found broken authentication logic in checkout flows and API endpoints that allowed order value manipulation. No vulnerability scanner flagged the issue because it was a logic flaw, not a known CVE.
How do vulnerability assessments and penetration tests compare?
The table below summarises the key differences. For a deeper technical breakdown, see our dedicated guide to penetration testing vs vulnerability scanning.
| Feature | Vulnerability assessment | Penetration test |
|---|---|---|
| Primary goal | Identify and catalogue known weaknesses | Prove what an attacker can exploit and the business impact |
| Method | Automated scanning against CVE databases | Manual testing by a qualified security professional |
| Scope | Broad: scans all in-scope assets | Targeted: focuses on high-value systems and attack paths |
| Depth | Surface-level: identifies potential issues | Deep: exploits vulnerabilities and chains findings together |
| Automation | Fully automated | Primarily manual with some tool-assisted phases |
| Duration | Hours | Days to weeks |
| Frequency | Monthly or continuous | Annually at minimum, plus after major changes |
| Cost (UK) | £500 to £2,000 per managed scan, or £1,000 to £10,000/year for tooling | £3,000 to £40,000+ depending on scope |
| Output | Automated report listing CVEs ranked by CVSS score | Narrative report with exploitation evidence and business context |
| False positive rate | High: scanners average 73% accuracy (Rezilion) | Low: findings are manually verified through exploitation |
| Business logic testing | Cannot test logic flaws, auth bypasses, or chained attacks | Core strength: tests how vulnerabilities combine in practice |
| Compliance | Meets scanning requirements (PCI DSS 11.3, Cyber Essentials Plus) | Meets penetration testing requirements (PCI DSS 11.4, ISO 27001 A.8.8) |
| Skill required | IT operations team can run scans | CREST, CHECK, or OSCP-certified testers recommended |
Do you need a vulnerability assessment or a penetration test?
You need both. They serve different purposes and are not interchangeable.
A vulnerability assessment provides continuous visibility. Running monthly or quarterly scans means you catch new CVEs and misconfigurations as they appear, before an attacker finds them. This is your early warning system.
A penetration test provides periodic validation. It answers the question scanners cannot: "Can an attacker actually breach our systems, and what happens if they do?" Penetration testing catches business logic flaws, tests how vulnerabilities chain together, and validates whether your detection and response capabilities work under realistic conditions.
The Withum case study illustrates why both matter. A company ran quarterly "penetration tests" from seven different vendors over four years, 16 tests total. Every test relied on automated scanning. When Withum conducted a manual penetration test, they found a vulnerability that the 16 automated tests had missed, one that could have resulted in over $103 million in PCI fines. The automated scans found known CVEs. The manual test found what an attacker would actually exploit.
A practical framework:
- Start with vulnerability scanning if you have no security testing programme. It gives you immediate visibility at low cost.
- Add penetration testing once you have a baseline. Annual testing is the minimum for most organisations; quarterly for high-risk environments.
- Run both continuously if you handle payment card data, personal health information, or operate in regulated sectors.
Which compliance frameworks require penetration testing vs vulnerability assessments?
Most frameworks require both, but with different frequencies and specifications.
PCI DSS 4.0 is the most prescriptive. Requirement 11.3 mandates quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV) and quarterly internal scans. Requirement 11.4 mandates annual penetration testing covering the entire Cardholder Data Environment, both internal and external, at the network and application layers. PCI DSS 4.0 also introduced authenticated internal scanning (Requirement 11.3.1.2), requiring scanners to use credentials for deeper inspection.
ISO 27001:2022 requires organisations to identify technical vulnerabilities and take appropriate action (Control A.8.8). While it does not mandate a specific frequency, annual penetration testing and regular vulnerability scanning are standard practice for certification.
Cyber Essentials Plus includes vulnerability scanning as part of the independent assessment. The licensed assessor scans internet-facing systems and a sample of internal devices. Full penetration testing is not required for Cyber Essentials Plus but is recommended as a complementary measure.
GDPR Article 32 requires organisations to implement "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures." Both vulnerability assessments and penetration testing satisfy this requirement.
NIS Regulations / Cyber Security and Resilience Bill will require operators of essential services and relevant managed service providers to demonstrate ongoing security testing. Specific technical requirements are expected in secondary legislation. Read our full guide to the UK Cyber Security and Resilience Bill for details on how this affects your organisation.
How often should you run each type of test?
Vulnerability assessments: Monthly at minimum. Continuous scanning is preferable if your tools support it. PCI DSS requires quarterly ASV scans for external systems. Run additional scans after any infrastructure change, new deployment, or patch cycle.
Penetration testing: Annually at minimum. PCI DSS requires annual penetration testing plus retesting after significant changes. High-risk environments (financial services, healthcare, critical infrastructure) typically test quarterly or semi-annually. Always retest after major application releases, infrastructure migrations, or mergers.
In 2024, the National Vulnerability Database published a record 40,009 new CVEs. Scanning quarterly and testing annually is the baseline, not the ceiling.
How much does a vulnerability assessment cost compared to a penetration test?
Vulnerability assessment costs (UK):
- Self-managed scanning tools (Nessus, Qualys, Tenable.io): £1,000 to £10,000 per year depending on the number of assets licensed
- Managed vulnerability scanning service: £500 to £2,000 per scan
- Continuous scanning platforms: £5,000 to £20,000 per year
Penetration testing costs (UK):
- Small engagement (2 to 4 days, single web app or external perimeter): £3,000 to £8,000
- Medium engagement (5 to 10 days, internal network + web apps): £8,000 to £18,000
- Large engagement (10 to 20+ days, multi-scope programme): £18,000 to £40,000+
- Red team or simulated targeted attack (multi-week): £30,000 to £100,000+
CREST-accredited testers in the UK typically charge £1,000 to £1,500 per tester per day. The cost reflects the difference in what you receive: a vulnerability scan produces an automated list of CVEs, while a penetration test delivers a narrative report with exploitation evidence, business impact analysis, and prioritised remediation guidance.
For most mid-market organisations, a combination of continuous vulnerability scanning (£5,000 to £10,000/year) plus an annual penetration test (£8,000 to £18,000) provides the right balance of coverage and depth.
Can a vulnerability scan replace a penetration test?
No. A vulnerability scan and a penetration test answer different questions.
A vulnerability scan asks: "Which known CVEs exist on these systems?" It checks against a database of published vulnerabilities and flags matches. It cannot test whether a vulnerability is actually exploitable in your specific environment, whether multiple low-severity findings can be chained into a critical attack path, or whether your authentication and authorisation logic is sound.
A penetration test asks: "What can an attacker actually do?" It tests business logic, attempts privilege escalation, chains findings together, and demonstrates real-world impact. These are the areas where organisations get breached, and they are invisible to scanners.
The Target Corporation breach in 2013 is a well-documented example. A vulnerability scan identified the weakness in Target's payment system before the attack. The finding existed in the scan report but was not prioritised for remediation because the scan could not demonstrate exploitability or business impact. Attackers exploited the same vulnerability and compromised 70 million customer records. A penetration test would have demonstrated exactly what an attacker could achieve with that vulnerability, changing the remediation priority.
Continuous scanning platforms that combine automated detection with human validation (such as PTaaS models) are narrowing the gap between vulnerability assessments and penetration testing for known vulnerability classes. Edgescan reports that 92% of its vulnerability validation is now automated. These platforms are valuable for maintaining visibility between annual tests. They do not replace manual penetration testing for business logic, authentication bypass, chained exploit scenarios, or adversary simulation: the areas where most breaches originate.
Frequently Asked Questions
Do I need a penetration test if I already run vulnerability scans? Yes. Vulnerability scans identify known weaknesses but cannot test business logic flaws, chained exploits, or real-world attack paths. A penetration test validates which vulnerabilities an attacker can actually exploit and what the business impact would be. Running scans without penetration testing is like checking your locks without testing whether someone can pick them.
How often should you run a vulnerability assessment? Monthly at minimum, or continuously if your tools support it. PCI DSS requires quarterly scans by an Approved Scanning Vendor for external systems. Run additional scans after infrastructure changes, new deployments, or patch cycles.
Is a vulnerability scan enough for PCI DSS compliance? No. PCI DSS 4.0 requires both quarterly ASV vulnerability scans (Requirement 11.3.2) and annual penetration testing (Requirement 11.4). Both are mandatory. The penetration test must cover the entire Cardholder Data Environment at the network and application layers.
What is VAPT testing? VAPT stands for Vulnerability Assessment and Penetration Testing. It refers to the combined approach of running automated vulnerability scans followed by manual penetration testing. VAPT provides both the breadth of automated scanning and the depth of manual exploitation, giving organisations a complete view of their security posture.
How much does a penetration test cost in the UK? UK penetration testing typically costs £3,000 to £8,000 for a small engagement (2 to 4 days) and £8,000 to £40,000+ for larger scopes. Day rates for CREST-accredited testers range from £1,000 to £1,500 per tester per day. The cost depends on the scope, complexity, and type of testing required.