
3 March 2026

Pentest or vulnerability scan? The difference you won't see on the invoice

A vulnerability scanner finds CVEs. A pentester finds the path from an unauthenticated user to your customer database. Here is how to tell them apart and when you need which.

"We ran a pentest" is a sentence that, more often than not, means "we ran a scanner and sent a PDF". That is not a pentest.

Vulnerability scan

  • Automated, repeatable, cheap.
  • Finds known CVEs and common misconfigurations by matching versions, banners and signatures; version-based matches need triage, because they produce false positives.
  • Does not chain findings into attack paths.
  • Does not understand business logic: an endpoint that returns another customer's data with a clean HTTP 200 looks, to a scanner, like an endpoint that works.

Pentest

  • Manual, driven by a human tester; scanners are used, but only as a starting point.
  • Chains findings into real paths: from an unauthenticated user to your data.
  • Tests business logic: authorization bypass, IDOR, race conditions.
  • Delivers proof: screenshots, reproduction steps, business impact.
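What "business logic" means in practice, as an added example that is not code from the original post: an IDOR (insecure direct object reference) in a toy invoice endpoint, beside the hardened handler, and the probe a human tester runs against it. The request model, the customers alice and bob, the invoice ids and the function names are all constructed for illustration. The point to notice is that the vulnerable handler never errors, never leaks a version string and returns well-formed 200 responses, so there is no CVE and no signature for a scanner to match; only a tester who knows which record alice is allowed to see can tell the difference.

```python
"""Added example (not from the original post): an IDOR that a CVE scanner
cannot see, next to the hardened handler. Data, names and the toy request
model below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample data: two customers, each owning one invoice.
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00, "iban": "PL00 ALICE"},
    1002: {"owner": "bob", "amount": 980.00, "iban": "PL00 BOB"},
}


@dataclass
class Request:
    user: Optional[str]  # authenticated subject; None = not logged in
    invoice_id: int      # taken straight from the URL, attacker-controlled


@dataclass
class Response:
    status: int
    body: dict


def get_invoice_vulnerable(req: Request) -> Response:
    """Authenticates (is somebody logged in?) but never authorizes
    (does this user own invoice_id?). Every answer is a well-formed
    response, so nothing here matches a CVE or an error signature."""
    if req.user is None:
        return Response(401, {"error": "login required"})
    inv = INVOICES.get(req.invoice_id)
    if inv is None:
        return Response(404, {"error": "not found"})
    return Response(200, inv)


def get_invoice_fixed(req: Request) -> Response:
    """Same handler with the missing ownership check. A foreign id gets
    the same 404 as a missing one, so the response does not even confirm
    that the invoice exists."""
    if req.user is None:
        return Response(401, {"error": "login required"})
    inv = INVOICES.get(req.invoice_id)
    if inv is None or inv["owner"] != req.user:
        return Response(404, {"error": "not found"})
    return Response(200, inv)


Handler = Callable[[Request], Response]


def idor_probe(handler: Handler, victim_id: int, attacker: str = "alice") -> bool:
    """What the tester does by hand: log in as a low-privilege user and
    request an id that is not theirs. True means a foreign record leaked."""
    resp = handler(Request(user=attacker, invoice_id=victim_id))
    return resp.status == 200 and resp.body.get("owner") != attacker


def enumerate_leaks(handler: Handler, ids: Iterable[int], attacker: str = "alice") -> list:
    """The chained version: walk neighbouring ids and collect every record
    the attacker was able to read. This list is the 'proof' a pentest report
    carries; a scanner has no notion of who should own which id."""
    return [i for i in ids if idor_probe(handler, i, attacker)]


if __name__ == "__main__":
    print("vulnerable handler leaks:", enumerate_leaks(get_invoice_vulnerable, range(1000, 1005)))
    print("fixed handler leaks:     ", enumerate_leaks(get_invoice_fixed, range(1000, 1005)))
```

The fix is deliberately a single line, and that is the point: the defect is not a missing patch but a missing decision about who may read what, which is why it appears in a pentest report and not in a scan.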

When you need which

  • Scan: monthly, as hygiene.
  • Pentest: before production, after major changes, yearly for critical systems, and always before a NIS2 / DORA / ISO 27001 audit.