Precursor Security
CREST-Accredited Comparison Guide

Vulnerability Scanning vs Penetration Testing:
Which Do You Actually Need?

If your organisation runs regular vulnerability scans and assumes this satisfies your annual penetration testing requirement, you are not alone. It is the most common miscommunication we encounter, and it can lead to compliance gaps discovered at the worst possible moment.

The Core Difference

One checks locks. The other picks them.

Vulnerability scanning is an automated process that checks systems against a database of known security flaws: misconfigurations, missing patches, and outdated software. Think of it as checking every door handle across every building to see which ones are unlocked.

Penetration testing is a manual exercise in which human security experts attempt to exploit vulnerabilities to demonstrate real business impact, finding logic flaws and chained attacks that automated tools cannot detect by design. This is a skilled expert attempting to pick the lock, then mapping every route through the building.

Most of the compliance regimes UK organisations face expect both: continuous or quarterly scanning for baseline hygiene, and manual penetration testing at least annually for in-depth assurance. PCI DSS and DORA name penetration testing explicitly; ISO 27001 does not, but certification assessors increasingly expect it as evidence under Annex A.8.8.

Scanning cost: £300 to £800 per month (managed)
Pentest cost: £3k to £15k per engagement
Scan frequency: monthly or continuous
Pentest frequency: annual or post-change

Not sure which you need?

Most UK organisations with compliance obligations need both. A 15-minute scoping call with a CREST consultant will clarify exactly which services your compliance programme requires, and which you can defer.

Side by Side

Attribute Comparison

The difference between vulnerability scanning and penetration testing across every dimension that affects your decision.

Execution method
  • Scanning: automated software
  • Pen testing: manual human experts

Frequency
  • Scanning: continuous or monthly
  • Pen testing: annual or post-change

What it finds
  • Scanning: known CVEs, misconfigurations, missing patches
  • Pen testing: logic flaws, chained exploits, business process vulnerabilities

False positives
  • Scanning: common, requires triage
  • Pen testing: minimal, all findings verified

Report output
  • Scanning: list of flagged items with CVSS scores
  • Pen testing: narrative attack scenario with proof-of-concept evidence

Typical UK cost
  • Scanning: £300 to £2,000+ per month (managed)
  • Pen testing: £3,000 to £15,000 per engagement

Compliance use
  • Scanning: ongoing hygiene monitoring
  • Pen testing: satisfies explicit penetration testing requirements (PCI DSS Requirement 11.4, DORA Article 25) and assessor expectations under ISO 27001 Annex A.8.8; advised but not mandatory for Cyber Essentials Plus

What it cannot do
  • Scanning: detect logic flaws, test chained vulnerabilities, assess business impact
  • Pen testing: replace continuous monitoring between engagements
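To make the "execution method" and "false positives" rows concrete, here is the logic at the heart of a vulnerability scanner reduced to its essentials: parse a service banner, compare the advertised version against a rule that says "vulnerable below version X", and flag a hit. This is an added illustration written for this guide, not code from Precursor Security or from any scanning product; the rule set, the advisory identifiers (EXAMPLE-ADV-*), the product names and the banners are all constructed for the example. It also shows the most common source of scanner false positives, a distribution package that has backported the fix while keeping the old version string, and the manual triage step that resolves it.

```python
"""Toy banner-and-version signature check, the core of automated scanning.

Added example for this guide; not a real scanner. RULES, the advisory
references and the banners below are constructed placeholders.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    product: str
    fixed_in: tuple       # first version that carries the fix
    ref: str              # advisory identifier (constructed placeholder)
    cvss: float           # score the scanner would attach to the finding


# Constructed rule set: any advertised version below fixed_in is flagged.
RULES = [
    Rule("ExampleHTTPd", (2, 4, 50), "EXAMPLE-ADV-0001", 7.5),
    Rule("ExampleSSH", (8, 9), "EXAMPLE-ADV-0002", 5.3),
]

# "Product/1.2.3 (anything else)" -> product and dotted version.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.41' -> (2, 4, 41); tuples compare element-wise, so this is the
    whole version-ordering logic a scanner needs for this check."""
    return tuple(int(part) for part in text.split("."))


def scan_banner(banner, rules=RULES):
    """Return the rules that match the banner's product and whose fix version
    is above the advertised version. Nothing here understands what the service
    does; it is a string match plus a numeric compare, which is exactly why it
    scales to thousands of hosts and exactly why it cannot see logic flaws."""
    match = BANNER_RE.match(banner)
    if not match:
        return []
    product = match["product"]
    version = parse_version(match["version"])
    return [r for r in rules if r.product == product and version < r.fixed_in]


def triage(banner, backported_fixes=()):
    """Split scanner hits into confirmed findings and false positives.

    backported_fixes is the set of advisory refs that the host's package
    changelog confirms are already patched (Debian/Ubuntu/RHEL routinely patch
    a CVE without bumping the upstream version string). The scanner cannot know
    this from the banner; a human, or an authenticated check of package
    metadata, has to supply it. Returns (confirmed, false_positives)."""
    hits = scan_banner(banner)
    confirmed = [r for r in hits if r.ref not in backported_fixes]
    false_positives = [r for r in hits if r.ref in backported_fixes]
    return confirmed, false_positives


if __name__ == "__main__":
    # Constructed banners: same upstream version, different patch state.
    for banner in ("ExampleHTTPd/2.4.41 (Ubuntu)", "ExampleHTTPd/2.4.51"):
        print(banner, "->", [r.ref for r in scan_banner(banner)])
    print(triage("ExampleHTTPd/2.4.41 (Ubuntu)", backported_fixes={"EXAMPLE-ADV-0001"}))
```

The raw `scan_banner` output is what a scanner report lists with a CVSS score; the `triage` output is what a managed scanning service delivers after a human has checked whether the flagged package actually carries the fix. Neither function can tell you whether the patched web server fronts an application that lets one customer move another customer's money, which is the gap the next section is about.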
Blind Spots

What Automated Scanners Cannot Detect

Automated tools identify known CVE signatures. They cannot detect vulnerability classes that require understanding what your application is supposed to do, and testing whether it can be made to do something else.

  • Business logic vulnerabilities: a user transferring funds from another account
  • Authentication state bypass: accessing resources without proper session validation
  • Chained low-severity findings: multiple minor issues combining into a critical exploit
  • Race conditions: timing-dependent flaws in concurrent operations
  • Contextual privilege escalation: abusing role-based access through unexpected paths
  • IDOR and BOLA: insecure direct object references bypassing authorisation
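The following added example (written for this guide, not code from Precursor Security or from any real banking application) puts three of the items above into one "transfer funds" handler and then shows the hardened version beside it. The account data, the request shape and the session model are constructed so the code runs offline with no web framework. The vulnerable handler would pass a scan clean: it is fully patched, has no injection and no XSS. It is still broken, because its ownership check trusts an identity supplied in the request body rather than the authenticated session (authentication state bypass), because that lets a caller name any account as the source (IDOR/BOLA), and because it accepts a negative amount, which silently reverses the direction of the transfer (business logic). The hardened version also wraps the check-then-act on the balance in a lock, which addresses the race-condition item, although the example does not exercise concurrency.

```python
"""Vulnerable and hardened fund-transfer handlers, side by side.

Added example for this guide. ACCOUNTS, Session and the request dicts are
constructed stand-ins for a real application's data layer and login state.
"""
from dataclasses import dataclass
import threading


@dataclass
class Account:
    owner: str
    balance: int          # pence


@dataclass
class Session:
    user: str             # identity established at login; the only trusted one


ACCOUNTS = {}             # account id -> Account
LOCK = threading.Lock()   # serialises check-then-act in the hardened handler


def seed():
    """Reset the constructed account data to a known state."""
    ACCOUNTS.clear()
    ACCOUNTS["acc-1001"] = Account("alice", 10_000)
    ACCOUNTS["acc-2002"] = Account("bob", 50_000)


def transfer_vulnerable(request):
    """Passes a vulnerability scan; fails a penetration test.

    Flaw 1: the ownership check compares against request["user"], a value the
            client supplies, not the session (authentication state bypass).
    Flaw 2: because of flaw 1, any account id can be used as the source (BOLA).
    Flaw 3: amount is never checked to be positive, so a negative amount pulls
            money from the destination into the source (business logic)."""
    src = ACCOUNTS[request["from"]]
    dst = ACCOUNTS[request["to"]]
    amount = request["amount"]
    if src.owner != request["user"]:          # attacker-controlled identity
        return "forbidden"
    if src.balance < amount:                  # -5000 passes this check
        return "insufficient funds"
    src.balance -= amount
    dst.balance += amount
    return "ok"


def transfer_hardened(session, request):
    """Same operation with the authorisation and logic checks a tester looks for."""
    src = ACCOUNTS.get(request["from"])
    dst = ACCOUNTS.get(request["to"])
    amount = request["amount"]
    if src is None or dst is None:
        return "unknown account"
    if src.owner != session.user:             # BOLA check against the session,
        return "unknown account"              # same message so IDs cannot be enumerated
    if type(amount) is not int or amount <= 0:  # rejects negatives, floats, bools
        return "invalid amount"
    if src is dst:
        return "invalid destination"
    with LOCK:                                # balance check and debit are atomic
        if src.balance < amount:
            return "insufficient funds"
        src.balance -= amount
        dst.balance += amount
    return "ok"


if __name__ == "__main__":
    # Alice is logged in; she submits bob's account as the source and claims
    # to be bob in the body. Only the hardened handler notices.
    seed()
    print(transfer_vulnerable({"user": "bob", "from": "acc-2002", "to": "acc-1001", "amount": 20_000}),
          ACCOUNTS["acc-2002"].balance)
    seed()
    print(transfer_hardened(Session("alice"), {"from": "acc-2002", "to": "acc-1001", "amount": 20_000}),
          ACCOUNTS["acc-2002"].balance)
```

Every request in the demo is a syntactically valid, well-formed call to a patched service, which is why no signature in a scanner database will ever match it. Finding it requires someone who knows that "from" must belong to the logged-in user and that a transfer of minus five thousand pence is not a transfer.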

Compliance Mapping

Which Standards Require Which Service

Exact clause references for the UK compliance standards most likely to drive your testing requirements.

PCI DSS v4.0
  • Scanning: required; quarterly internal vulnerability scans and quarterly external scans by an Approved Scanning Vendor (ASV)
  • Pen testing: required; internal and external at least annually and after significant change
  • Clauses: Requirement 11.3.1 (internal scans), 11.3.2 (external ASV scans), 11.4.2 (internal pen test), 11.4.3 (external pen test)

ISO 27001:2022
  • Scanning: recommended (Annex A.8.8)
  • Pen testing: strongly recommended; not named in the standard, but certification assessors increasingly expect it as A.8.8 evidence
  • Clause: A.8.8 Management of technical vulnerabilities

Cyber Essentials Plus
  • Scanning: required; the CE Plus assessment includes assessor-verified vulnerability scans
  • Pen testing: advised; not mandatory but strongly recommended
  • Clause: NCSC Cyber Essentials Plus scheme

DORA (EU financial entities, including UK firms with EU-regulated operations)
  • Scanning: required; vulnerability assessments and scans are part of the annual testing programme
  • Pen testing: required; penetration testing under Article 25, and threat-led penetration testing (TLPT) at least every three years for entities designated by their competent authority
  • Clauses: Article 25 (testing of ICT tools and systems), Article 26 (advanced testing via TLPT)

Cyber Security and Resilience Bill (UK)
  • Scanning: anticipated for in-scope operators
  • Pen testing: anticipated for in-scope operators
  • Clause: draft guidance pending (2025 to 2026)

NHS DSPT
  • Scanning: recommended (Mandatory Evidence Standard 7)
  • Pen testing: required for higher-scoring organisations
  • Clause: DSPT Mandatory Evidence Standard
Decision Framework

Which Do You Need?

Use this framework to determine the right service for your situation before commissioning either.

Scanning

You need vulnerability scanning if:

  • You manage more than 20 networked devices or cloud workloads
  • Your infrastructure changes frequently and needs continuous monitoring
  • Your cyber insurance requires documented scanning evidence
  • You want continuous visibility between annual penetration tests
  • You need a cost-effective way to track patch compliance over time
Pen Testing

You need a penetration test if:

  • Your compliance standard explicitly names penetration testing (PCI DSS Requirement 11.4, DORA Article 25), or your ISO 27001 assessor expects it as Annex A.8.8 evidence
  • You are launching a new application or completing a significant infrastructure change
  • Your board needs assurance beyond automated tool output
  • You have not had a manual test in the past 12 months
  • An insurer, client, or auditor has asked for a penetration test report
Both (Recommended)

You need both if:

  • You are subject to PCI DSS, ISO 27001, or DORA
  • You operate in financial services, healthcare, or legal sectors
  • Your cyber insurance premium is tied to documented security testing
  • You want a mature, closed-loop security programme for clients and prospects
  • You are tendering for public sector contracts requiring CREST-accredited evidence
Complete Coverage

Combine both for
closed-loop security.

Our MDR service includes continuous vulnerability scanning alongside 24/7 threat monitoring, complementing your annual penetration tests with year-round security visibility. Together, they form a closed-loop security programme.


Continuous Scanning

Managed vulnerability scanning with false positive triage and monthly reporting.

Annual Pen Testing

CREST-accredited manual testing to satisfy compliance requirements.

24/7 Monitoring

Eyes-on-glass threat detection between annual penetration tests.

Compliance Ready

Evidence pack satisfying ISO 27001, PCI DSS, and DORA simultaneously.

Free Scoping Call

Stop Guessing. Get Clarity.

A 15-minute call with a CREST consultant will confirm exactly which combination of scanning and penetration testing your compliance programme requires. No obligation. No sales pressure.


Frequently Asked Questions

Common questions about the differences between vulnerability scanning and penetration testing.

Is vulnerability scanning enough on its own?

For most organisations, no. Vulnerability scanning is essential for ongoing cyber hygiene, identifying unpatched systems and misconfigurations at scale. But it cannot find the complex logic flaws, chained exploits, and business process vulnerabilities that attackers actually exploit, and it cannot assess the real-world impact of a breach. The two disciplines serve different, complementary purposes.

What is the difference between a vulnerability scan and a vulnerability assessment?

The terms are frequently used interchangeably by vendors, but they are not identical in compliance contexts. A vulnerability scan refers specifically to automated tool output: a list of known CVEs and misconfigurations detected by software. A vulnerability assessment may include scanning but typically also involves manual review, prioritisation by business context, and a risk narrative. When a compliance standard specifies 'penetration testing' (as PCI DSS Requirement 11.4 does explicitly, and as ISO 27001 certification assessors increasingly expect under Annex A.8.8), neither a scan nor a vulnerability assessment satisfies the requirement. Only a manual penetration test conducted by qualified human experts does.

How much do vulnerability scanning and penetration testing cost in the UK?

Managed vulnerability scanning for a mid-market UK organisation typically starts from £300 to £800 per month depending on asset count and reporting frequency. Enterprise scanning tool licences (Qualys, Nessus, Rapid7) range from £15,000 to £50,000 or more per year before staff time for triage. A scoped penetration test covering an external network perimeter or a web application typically costs £3,000 to £8,000. Infrastructure-wide assessments or red team exercises run £10,000 to £30,000 or more.

Does ISO 27001 require penetration testing?

ISO 27001:2022 Annex A.8.8 (Management of technical vulnerabilities) requires organisations to identify, assess, and remediate technical vulnerabilities in a timely manner. It does not prescribe specific testing methods, but certification body assessors increasingly expect evidence of both: regular automated scanning to demonstrate ongoing hygiene, and periodic manual penetration testing to provide depth of assurance.

Why does penetration testing cost more than scanning?

Penetration testing requires highly skilled human consultants who apply creative, contextual thinking to find vulnerabilities that automated tools cannot detect by design. It involves manual effort, expertise built over years of practice, and days of dedicated focus on your specific environment. Vulnerability scanning is an automated software process that scales cheaply across many targets simultaneously.

How often should each be performed?

Best practice (and most compliance standards) dictates the following: vulnerability scanning should be continuous or at minimum monthly, covering your full asset inventory. Penetration testing should be conducted at least annually, or after significant changes to infrastructure, applications, or business processes. For organisations subject to PCI DSS, quarterly internal vulnerability scans and quarterly external ASV scans are specific requirements (Requirement 11.3), alongside penetration testing at least annually and after significant change (Requirement 11.4).

Can a vulnerability scanner find business logic flaws?

No. A scanner does not know what your application is designed to do. It cannot identify that a 'transfer funds' function enables a user to move money from someone else's account. It cannot detect that a sequence of individually low-risk actions chains together into a critical privilege escalation. Only a human tester who understands the application's purpose and business context can identify these vulnerability classes.

Does Precursor Security provide both services?

We provide both. Our managed vulnerability scanning service handles tool configuration, scheduled scanning, false positive triage, and monthly reporting, delivering an auditor-ready output without requiring in-house tooling or specialist staff. Our CREST-accredited penetration testing covers web applications, external and internal networks, cloud infrastructure, mobile applications, and red team operations. We recommend combining both for a comprehensive, compliance-ready security posture.