Two terms that are often confused — but are fundamentally different things. Understanding the difference helps you make better decisions for your IT security.
What Is a Vulnerability Scan?
A vulnerability scan is an automated assessment of your systems for known weaknesses. The software connects to your servers, identifies installed services and software versions, and compares them against databases of known vulnerabilities (CVEs).
Characteristics:
- Automated, runs without manual intervention
- Takes minutes to a few hours
- Checks thousands of known vulnerabilities simultaneously
- Can be repeated regularly (weekly, monthly)
- Cost: CHF 100-500 per month (platform subscription)
- Result: report with prioritised vulnerabilities and recommended actions
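To make the matching step described above concrete, here is an added example (not code from the original article or from ExposIQ) of what a scanner does once it has identified a service and its version: it compares that version against an advisory database by affected-version range and returns a prioritised finding list with a recommended action per finding. The inventory, the advisory identifiers (`EXAMPLE-000x`), product names and version ranges are all constructed placeholders; a real scanner would carry CVE identifiers and vendor-published ranges.

```python
# Added example, not code from the original article or from ExposIQ.
# It shows the matching step a vulnerability scanner performs after it has
# identified a service and its version: compare the version against an
# advisory database by affected-version range and return a prioritised list.
# Inventory, advisories, identifiers and version ranges below are constructed
# placeholders for illustration only.
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # placeholder id; a real database would carry CVE ids
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" if no fix exists yet
    severity: str


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '1.18.0' into a comparable tuple.

    Components are padded with zeros to at least four places so that
    '2.4' and '2.4.0' compare equal. Trailing suffixes ('-beta', 'p1')
    are ignored; anything without a leading number is rejected.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed); open-ended when fixed is empty."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def match_inventory(inventory, advisories):
    """Compare each (host, product, version) against every advisory for that product.

    Returns findings sorted by severity, i.e. the prioritised list a scan
    report is built from, with the recommended action per finding.
    """
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product != product or not is_affected(version, adv):
                continue
            action = (f"upgrade {product} to {adv.fixed} or later"
                      if adv.fixed else "no fixed version; apply vendor mitigation and monitor")
            findings.append({
                "host": host, "product": product, "version": version,
                "vuln_id": adv.vuln_id, "severity": adv.severity, "action": action,
            })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))


# Constructed sample inventory, as a scanner would produce from service banners.
INVENTORY = [
    ("web01", "demo-httpd", "1.18.0"),
    ("web02", "demo-httpd", "1.20.1"),   # exactly the fixed version: not affected
    ("web01", "demo-sshd", "8.2"),
    ("mail01", "demo-mta", "4.94.1"),
    ("db01", "demo-db", "13.4"),
]

# Constructed advisory database with placeholder identifiers and invented ranges.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "demo-httpd", "1.0.0", "1.20.1", "high"),
    Advisory("EXAMPLE-0002", "demo-sshd", "7.0", "8.0", "medium"),   # 8.2 is already fixed
    Advisory("EXAMPLE-0003", "demo-mta", "4.0", "4.95", "critical"),
    Advisory("EXAMPLE-0004", "demo-db", "13.0", "", "low"),           # no fix yet
]

if __name__ == "__main__":
    for f in match_inventory(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['host']:7} {f['product']} {f['version']} "
              f"{f['vuln_id']}: {f['action']}")
```

Two details matter in practice: the version comparison pads components so that `2.4` and `2.4.0` are treated as equal (a naive string comparison would miss or invent findings at boundaries), and an advisory without a fixed version is reported as open-ended, so the report can say "no patch available, mitigate and monitor" rather than silently dropping it.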
What Is a Penetration Test?
A penetration test (pentest) is a manual assessment carried out by a security specialist. The tester attempts to break into your systems like a real attacker — with creativity, experience and tools that go beyond automated scans.
Characteristics:
- Manual, performed by certified specialists (e.g. OSCP, CISSP)
- Takes days to weeks
- Also finds logical flaws and business logic vulnerabilities
- Performed once or annually
- Cost: CHF 5’000-20’000 per assessment
- Result: detailed report with attack scenarios and proof of exploitation
The Key Difference
A vulnerability scan finds known problems quickly and broadly. A pentest also finds unknown problems, but in a targeted and expensive way.
An example: the vulnerability scan detects that your Exchange server has a known CVE and no patch is installed. A pentester would additionally check whether the internal mail forwarding is configured in a way that allows an attacker to use this CVE to access management emails.
Both have their place. But the order matters.
What Comes First?
Many companies commission a penetration test before they have ever run a vulnerability scan. That is like hiring an interior designer to renovate your flat while the roof is still leaking.
The recommended order:
- Regular vulnerability scans (continuous, automated) — Finds and closes the known gaps
- Penetration test (1-2x per year, manual) — Tests what the scanner does not find: logic errors, complex attack chains, social engineering
- Another vulnerability scan after the pentest — Verifies that the findings have been remediated
The scan ensures basic hygiene. The pentest provides depth. Without basic hygiene, the pentest is wasted money — half the findings would be things an automated scan would have caught too.
What Does Each Cost?
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| Cost | CHF 100-500/month | CHF 5’000-20’000 one-time |
| Frequency | Weekly to monthly | 1-2x per year |
| Coverage | Thousands of known CVEs | Focused on defined targets |
| Duration | Minutes to hours | Days to weeks |
| Specialist needed? | No | Yes |
| Annual cost | CHF 1’200-6’000 | CHF 5’000-20’000 |
For most SMEs, a regular vulnerability scan is the most cost-effective measure. A pentest is worthwhile in addition when specific systems (e.g. online shop, customer portal, financial application) are particularly critical.
It Is Not Either/Or
The strongest combination is a continuous vulnerability scan as the foundation, supplemented by targeted pentests for critical systems.
The scan runs automatically in the background and raises the alarm when something changes. The pentest delivers depth where it really counts.
Conclusion
If you do not have a regular vulnerability scan today, start there. It is the fastest and most cost-effective way to measurably improve your IT security.
ExposIQ combines 35+ scan engines with 64’000+ CVE checks and delivers clear reports in German, French, Italian and English. Set up in 5 minutes, no specialist knowledge required.
Need a penetration test as well? Get in touch — with over 30 years of experience and hundreds of completed pentests, we are happy to advise you: info@exposiq.ch