$ diff --left=pentest --right=vuln-scan
Two activities, two different price points, two different answers to two different questions.
No. A vulnerability scan finds known issues against a signature database. A pen test chains issues together to demonstrate exploitable impact. For PCI DSS, SOC 2, ISO 27001, HIPAA, and FedRAMP, an automated scan does not substitute for the required pen test. Use the scan as the high-frequency layer and the pen test as the annual deep-dive.
Last verified June 2026
Manual, exploit-focused
Skilled human tries to chain issues to demonstrate impact. Output: report with proof-of-concept, attestation letter, remediation guidance. Cadence: typically annual.
Automated, signature-based
Tool checks for known issues against a database. Output: a ranked list of findings with CVSS scores. Cadence: continuous or daily.
$ heatmap --features
| Capability | Pen test | Vuln scan |
|---|---|---|
| Finds known CVEs | ✓ | ✓ |
| Chains issues into exploit | ✓ | ✗ |
| Finds business-logic flaws | ✓ | ✗ |
| Continuous (daily) coverage | ✗ | ✓ |
| Attestation letter for auditors | ✓ | ✗ |
| Tests authenticated workflows | ✓ | ◐ |
| Validates exploitability beyond CVSS | ✓ | ✗ |