← ALL POSTS
CYBERSECURITY EXPLAINER

Vulnerability scans vs penetration tests: which first

This usually comes up one of two ways. Either a cyber insurance application asks whether you run vulnerability scans and penetration tests, or a big customer's security questionnaire does. Suddenly you're getting quotes that range from a couple hundred dollars to twenty grand for things that sound like the same service. They are not the same service, and doing them in the wrong order wastes money. Here's the difference and where to start.

The smoke detector and the break-in drill

A vulnerability scan is automated. Software (Tenable Nessus, Qualys, OpenVAS, and similar) probes your systems and compares what it finds against a database of known weaknesses: missing patches, outdated software versions, weak encryption settings, default credentials, open ports that shouldn't be open. It runs in hours, produces a report, and you can run it every month. It's a smoke detector: cheap, always on, catches the common stuff.

A penetration test is a human being paid to break in. A tester takes the same starting information an attacker would have and actively tries to chain weaknesses together: exploit a flaw, land on a machine, steal credentials from it, move to the next machine, reach the payroll data. A scan tells you a window latch is weak. A pentest tells you someone climbed through that window, walked to your office, and opened the safe, and shows you the photos. It's a break-in drill.

What each one costs and how often to do it

Rough numbers, because scope moves them around:

One warning: some vendors sell an automated scan with a fancy cover page as a "penetration test." If the deliverable arrived within a day or two and nobody talked to you about scope, rules of engagement, or what they actually accomplished, you bought a scan at pentest prices.

Which first? The scan. Almost always.

A pentest against a network that has never been scanned is a waste of the tester's day and your budget. They'll walk in through a missing patch a $200 scan would have flagged, write it up, and go home. You'll have paid pentest rates to learn scan-level findings.

The sequence that gets you value:

  1. Scan. Run external and internal vulnerability scans. Expect an ugly first report. That's normal.
  2. Fix. Work the critical and high findings. This is patching, retiring dead software, closing ports, changing default passwords. Usually a few weeks of effort.
  3. Scan again. Confirm the fixes landed, then keep scanning on a schedule so you don't drift backwards.
  4. Then pentest. Now the tester has to actually work, and the findings will be things automation can't see: business logic flaws, credential reuse, paths between systems nobody realized were connected. That's what the money is for.

What insurers and customers actually ask for

Cyber insurance applications have gotten pickier. Most now ask directly about MFA, backups, and endpoint detection, and many ask whether you perform "regular vulnerability scanning" and "periodic penetration testing." For most small-business policies, documented monthly scanning plus an annual pentest (or sometimes just the scanning, at smaller revenue tiers) satisfies the question. Answer honestly; misstatements on these applications have been used to deny claims.

Compliance frameworks are more specific. PCI DSS requires quarterly external scans by an approved vendor plus annual penetration testing for most merchants above the smallest tier. SOC 2 auditors expect to see scanning as a routine control and usually a recent pentest report. HIPAA doesn't name either tool but requires a risk analysis that, in practice, both support.

Enterprise customers running vendor security reviews almost always ask for the date and executive summary of your last penetration test. Having a report less than twelve months old, with evidence you fixed the findings, closes that question fast.

How to know it's done right

You're in good shape when you can say yes to all of these. Scans run on a schedule automatically, not when someone remembers. Critical findings get fixed within days and there's a record of it. Your last pentest was performed by a named human at a firm you can call, under a written scope, and the report includes what they tried and failed at, not just what they found. And the pentest findings turned into completed tickets, not a PDF in a drawer.

If you're starting from zero, start with the scan this month. It's the cheapest security information you will ever buy, and it makes everything after it worth more.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
The first 24 hours after a breach: what to do, in order Explainer
How to actually test your backups: a restore drill Step-By-Step Guide
Testing that fits a small app budget Explainer
Dark web monitoring: useful signal or scare tactic? Explainer
Do you still need a VPN? Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston