Fresh Thoughts #58: Vulnerability Scans or Pen Tests?


Cybersecurity is full of thorny questions.
Last week one arose in a discussion around cyberinsurance.

Vulnerability Scans or Pen Tests?

Last week I was helping prepare a cyber insurance questionnaire, and a thorny question arose - What's the difference between a vulnerability scan and a penetration test?

The cyber insurer asked for the results of a penetration test as a baseline evaluation of a company's security posture. At first glance, this seems like a reasonable request - but there's some context to consider...

Running a penetration test as a first evaluation is like asking a 16-year-old to complete a university entrance exam - and then reporting back all the topics they don't know.

Is it surprising that there are gaps in knowledge before two years of focused study? Personally, I think not.

The question we pose at Fresh Security is - How do our customers discover areas of weakness in the most cost-efficient way possible? The answer isn't a penetration test.

In the past, when I ran IT infrastructures, the quotes I received for a penetration test were typically around £10,000. More recently, I was quoted that - per day. This, of course, varies based on the scope and complexity of the task, but needless to say - penetration tests aren't cheap.

If you're looking for a list of areas of security weakness - like most need at the start of a new cybersecurity program - a vulnerability scan can provide a solid baseline at a 10x to 30x lower cost.

And so...

What's the difference between a vulnerability scan and a penetration test? Are both needed?

Vulnerability scans and penetration tests (or pen tests) are both valuable ways to find gaps in your security. At a high level, vulnerability scans probe systems and networks using standard protocols to gather responses. These responses may include details about the version of an operating system or application that is running.

From there, the data is used to query an extensive database of known weaknesses and vulnerabilities to match potential issues and concerns. As the process is relatively simple - once designed - vulnerability scanners can be automated and cost-effective.
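The banner-to-database matching just described, as an added example that is not code from Fresh Security or from any scanner product. The banners, host addresses, weakness IDs and affected version ranges are all constructed placeholders.

```python
import re
from typing import Optional

# Constructed sample banners, of the kind a scanner collects by speaking
# standard protocols (SSH version exchange, HTTP Server header) to each host.
# Addresses and versions are made up for this example.
BANNERS = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_7.4",
    "10.0.0.7:80": "Server: Apache/2.4.41",
    "10.0.0.9:80": "Server: nginx/1.24.0",
}

# Constructed stand-in for a scanner's database of known weaknesses.
# IDs and affected ranges are placeholders, not real advisories.
KNOWN_WEAKNESSES = [
    {"id": "EXAMPLE-0001", "product": "openssh", "first": (6, 0), "last": (7, 9), "severity": "medium"},
    {"id": "EXAMPLE-0002", "product": "apache", "first": (2, 4, 0), "last": (2, 4, 45), "severity": "high"},
    {"id": "EXAMPLE-0003", "product": "nginx", "first": (1, 0, 0), "last": (1, 18, 0), "severity": "low"},
]

BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/](\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_banner(banner: str) -> Optional[tuple[str, tuple[int, ...]]]:
    """Extract (product, version) from a banner; None if nothing recognisable."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    # Versions are compared as integer tuples: "7.10" is newer than "7.9",
    # which a plain string comparison would get wrong.
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def match_weaknesses(product: str, version: tuple[int, ...]) -> list[str]:
    """Return IDs of database entries whose affected range covers this version."""
    return [w["id"] for w in KNOWN_WEAKNESSES
            if w["product"] == product and w["first"] <= version <= w["last"]]


def scan(banners: dict[str, str]) -> dict[str, list[str]]:
    """Map each probed host to the weaknesses its banner matches ([] if none)."""
    results = {}
    for host, banner in banners.items():
        parsed = parse_banner(banner)
        results[host] = match_weaknesses(*parsed) if parsed else []
    return results


if __name__ == "__main__":
    for host, findings in scan(BANNERS).items():
        print(host, findings or "no known weaknesses matched")
```

A match means the reported version falls inside a known affected range, which is why scanner output is a list of potential issues to prioritise rather than confirmed exploitable flaws; a host that hides or alters its banner simply produces no match.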

In contrast, penetration tests involve skilled experts or "ethical hackers" who exploit weak spots to test your overall security. The first step is likely the same - discovering what systems and networks are within scope. And much like the initial vulnerability scan - known weaknesses and exploits are reported.

Where penetration tests differ is that they go further. Penetration tests simulate actual attacks and may exploit weaknesses in processes and your team's behaviour.

When should I use a vulnerability scan vs a penetration test?

The timing of vulnerability scans and pen tests depends on the maturity of your cybersecurity program:

  • Early stage (low maturity): If you're starting your cybersecurity journey, you should focus on setting up essential security tools in the early stage. These are things like antivirus, MFA and backups of business-critical data. Regular vulnerability scans will help prioritise efforts to find and fix known weak points. At this stage, penetration tests may not be a priority. But - if directly requested - they can provide an initial review to pinpoint high-risk gaps that need urgent attention.
  • Mid-stage (medium maturity): Regular scans should continue as your program matures and you have completed all the foundational tasks. Additionally, you can add penetration tests to security reviews - to find flaws in security tools, test response plans and reveal gaps missed by automated vulnerability scans. At this stage, pen tests will likely be done yearly or after fundamental changes to systems or apps.
  • Late stage (high maturity): You can increase the effort when your company has clear security policies and processes in a mature cybersecurity program. Vulnerability scanning should continue regularly, and you can increase pen test frequency to two or four times a year - focusing on your most business-critical IT assets. This is often the highest level of maturity reached by many organisations.

However, you'll need an active cybersecurity program if you're working in a high-risk industry - such as banking or finance. This program will include ongoing vulnerability scans and frequent pen tests, aiming to mimic actual attacks, spot new threats, and continually improve security.

Final Thoughts

Value for money and return on spend are often overlooked when it comes to cybersecurity tools and processes.

Without a doubt, penetration tests find more nuanced vulnerabilities and offer greater assurance than vulnerability scans. This is ideal for mature cybersecurity programs. But in your early journey, the question must be - at what cost?

In contrast, vulnerability scans provide a cost-efficient starting point - and continue to be vital in a maturing program. They can only test some aspects of security programs. But, they offer an excellent overview and prioritisation method early in your cybersecurity journey.

March 21, 2023
4 Minutes Read

