Independent reference. Not affiliated with any vendor listed.

$ diff --left=pentest --right=vuln-scan

Two activities, two different price points, two different answers to two different questions.

$ answer --question="Does a vulnerability scan replace a pen test?"

No. A vulnerability scan finds known issues against a signature database. A pen test chains issues together to demonstrate exploitable impact. For PCI DSS, SOC 2, ISO 27001, HIPAA, and FedRAMP, an automated scan does not substitute for the required pen test. Use the scan as the high-frequency layer and the pen test as the annual deep-dive.

Last verified June 2026

$ stat --slot=1
EUR 90/mo
Detectify scanning floor
Application scanning, 1 domain
$ stat --slot=2
$1,999/yr
Astra PtaaS floor
Pen-test plus automated layer
$ stat --slot=3
365
Scanner runs per year
Daily, continuous
$ stat --slot=4
1-2
Pen tests per year
Typical compliance cadence
$ left --vendor=pen-test
Pen test

Manual, exploit-focused

Skilled human tries to chain issues to demonstrate impact. Output: report with proof-of-concept, attestation letter, remediation guidance. Cadence: typically annual.

$ right --vendor=vulnerability-scan
Vulnerability scan

Automated, signature-based

Tool checks for known issues against a database. Output: a ranked list of findings with CVSS scores. Cadence: continuous or daily.

$ heatmap --features

$ heatmap --rows=7 --cols=2
CapabilityPen testVuln scan
Finds known CVEs
Chains issues into exploit
Finds business-logic flaws
Continuous (daily) coverage
Attestation letter for auditors
Tests authenticated workflows
Validates exploitability beyond CVSS