Security managers, IT leaders and product teams keep running into the same procurement question: do we need a vulnerability assessment, ongoing vulnerability management, or a penetration test? Usually the answer is more than one. Each service answers a different question about risk, and each has strengths and limits.

This guide covers what each service finds, how automated scanning differs from manual exploitation, when to use each, what to expect from reporting and retesting, common scoping mistakes, how the work maps to Cyber Essentials, ISO 27001 and UK GDPR, and how to combine both within a practical security programme.

What each service is and what it finds

Vulnerability assessment

A vulnerability assessment (VA) uses automated scanners and structured checks to identify known weaknesses in systems, networks or applications. It focuses on missing patches, insecure configurations, open services and known CVEs.

It typically finds unpatched software, misconfigured firewalls and network services, default or weak credentials detectable by rule-based checks, and known application vulnerabilities that map to scanner signatures.

A VA gives you broad, repeatable coverage. It's fast and well-suited for continuous vulnerability management. But scanners produce false positives (and false negatives), offer limited context about whether a vulnerability is actually exploitable, and rarely chain issues together to show a realistic attack path.

Penetration testing

Penetration testing is an authorised, manual exercise where qualified testers simulate an attacker. They use creative techniques to discover and exploit vulnerabilities and demonstrate real-world impact. Tests may cover external or internal networks, web applications, APIs, cloud configurations or social engineering scenarios.

Pen tests typically surface exploitable vulnerabilities with proof of impact, business logic flaws that scanners miss entirely, chained attack paths and privilege escalation routes, and gaps in detection and response controls.

The strength of a pen test is in showing whether a vulnerability can actually be exploited and what the business consequences look like. The trade-off: it's a point-in-time snapshot, typically narrower in scope than an automated scan, and it requires skilled testers. For high-assurance engagements, CHECK or CREST accreditation may be expected.

Vulnerability management (the ongoing discipline)

Worth distinguishing vulnerability management from a one-off assessment. Vulnerability management is a continuous programme: scanning, triaging, prioritising, remediating and verifying on a repeating cycle. A vulnerability assessment is one input into that programme. Organisations that treat a single scan as "done" miss the point. The value comes from sustained, risk-prioritised remediation over time.

How automated scanning differs from manual exploitation

This distinction is central to buying the right service.

Breadth vs depth. Automated scanners cover large numbers of hosts quickly. Manual testing confirms exploitability, tests complex logic and assesses business impact.

Noise and accuracy. Scanners may report hundreds of issues that need triage. Manual testing reduces false positives by proving whether a vulnerability can be exploited in practice, but costs more per finding.

Discovery vs demonstration. Scanners discover candidate problems. Penetration testers demonstrate real attack chains and quantify impact. For example, they might show that a misconfigured API combined with a privilege escalation flaw gives an attacker access to customer data.

Continuous vs point-in-time. Scans can and should run regularly as part of vulnerability management. Pen tests are typically scheduled events: annually, after major changes, or before a high-risk launch.

Many penetration testing tools are also used during vulnerability assessments. The difference is how they're applied. A scanner runs predefined checks. A tester uses tools alongside manual techniques, adapting their approach based on what they find.

When to use each

Use vulnerability assessments when

• You need continuous, automated coverage of a large or rapidly changing estate.
• You want to feed results into a patching and risk-prioritisation workflow.
• You must demonstrate baseline hygiene and meet internal SLAs for remediation.
• You're building evidence for Cyber Essentials or maintaining an ISO 27001 ISMS.

Use penetration testing when

• You need to understand business impact and exploitability for critical assets: customer-facing web applications, APIs, cloud workloads, Active Directory environments.
• You're preparing for a regulated tender, a public-sector contract, or a high-risk product launch.
• You have complex attack surfaces (microservices, containers, SaaS integrations) or suspect gaps that scanning alone won't reveal.
• You need to test internal vs external attack paths separately to understand different risk profiles.

Use both together when

• You maintain a mature security programme and want continuous scanning for triage alongside periodic pen tests for validation.
• Procurement requires both Cyber Essentials Plus and evidence of targeted testing for higher-risk services.
• You want scan findings to inform test focus, and test findings to feed back into vulnerability management.

Reporting and retesting expectations

Vulnerability assessment reports

Expect a list of findings mapped to affected hosts, with raw scanner output and prioritised remediation recommendations. You'll also get metrics: counts by severity, age of vulnerabilities, trend lines and patching performance over time. Retesting is usually automated. Re-scans after remediation confirm fixes, and continuous scanning shows status changes.

Penetration testing reports

A good pen test report should include an executive summary with business impact written for non-technical stakeholders, detailed technical findings with proof (screenshots, exploit logs, reproducible steps), attack chains showing how individual issues were combined for meaningful impact, a clear severity scheme (CHECK-level HIGH/MEDIUM/LOW ratings or CVSS scores with business-impact context), and actionable remediation steps your team can implement without guesswork.

A live debrief walkthrough is common and genuinely useful for bridging the gap between technical and business audiences. The NCSC recommends a model engagement that includes scoping, testing, reporting and follow-up, with severity ratings and remediation guidance throughout.

Retesting should ideally be included in the engagement. For critical flaws, retesting within weeks is typical. For lower-priority issues, retests often get scheduled as part of the next test cycle.

Common scoping mistakes and how to avoid them

Scoping is where many engagements go wrong. These are the mistakes we see most often:

1. Leaving out stakeholders. If business risk owners or technical subject-matter experts aren't involved, you end up with unclear success criteria and missed test targets. Hold a scoping workshop with risk owners, IT, product leads and the testing team before work begins.

2. Over- or under-scoping. Too large a scope dilutes value. Too narrow a scope misses critical paths. Focus on critical assets and dataflows, and include key third-party integrations where possible.

3. Not sharing existing results. If you don't provide recent scans or known issues, you create duplication and waste test time. Supply the vendor with your latest vulnerability scan exports and known exceptions, and ask them to verify or focus on proof-of-exploit.

4. Ignoring rules of engagement. Without clear agreement on business hours, test accounts and out-of-scope hosts, you risk disruption. Formalise these in the scope document along with escalation contacts.

5. Confusing compliance with assurance. Commissioning a CE+ assessment or a baseline scan and calling it a penetration test is a common mistake. Match the activity to the objective: certification, hygiene verification and exploitation-based assurance are different things.

How the work relates to Cyber Essentials, ISO 27001 and UK GDPR

Cyber Essentials

Cyber Essentials (CE) is a UK government-backed scheme that verifies five baseline technical controls: firewalls, secure configuration, user access control, malware protection and patch management. Industry guidance suggests these five controls address roughly 80% of common internet-based threats, which underlines the scheme's value and its baseline nature.

CE is self-assessed. CE+ includes independent technical verification but remains a baseline check, not a substitute for a penetration test. A practical approach: achieve CE to demonstrate baseline hygiene, use CE+ for sampled technical verification, and commission pen tests to assess attack scenarios beyond CE's scope.

ISO 27001

ISO 27001 requires a risk-based approach to controls and evidence of technical assurance where risks warrant it. Penetration testing feeds into an ISMS as a measure to manage identified risks, support internal audits and demonstrate continual improvement. Organisations transitioning to ISO/IEC 27001:2022 should note that updated controls now better reflect cloud and data-privacy needs. Pen testing remains a relevant way to demonstrate control effectiveness.

UK GDPR

The UK GDPR requires appropriate technical and organisational measures to protect personal data. There's no prescriptive list of required activities, but the ICO expects proportionate security, including testing and verification of measures, especially where processing is high risk.

Well-scoped pen tests and an active vulnerability management programme are reasonable evidence that you considered security risks when processing personal data. Testing alone isn't sufficient, though. Remediation, logging, access controls and incident response all matter. This guide does not constitute legal advice; organisations should seek appropriate counsel for specific compliance questions.

A practical buying checklist

Before you buy

• Define your objective: compliance, assurance, breach simulation or remediation verification.
• Identify critical assets and dataflows to include in scope.
• Decide on deliverables: technical report, executive summary, debrief and retest window.
• Require accreditations where appropriate. CHECK or CREST for public-sector and critical national infrastructure work; relevant cloud or application experience for complex environments.
• Share existing scans, architecture diagrams and details of recent major changes.

Contract and rules of engagement

• Agree testing windows and blackout periods.
• Define escalation contacts and procedures for accidental disruption.
• Clarify out-of-scope hosts, test data handling, evidence retention and disclosure expectations.

Evaluating providers

Look for technical competence and relevant experience across cloud, application and infrastructure testing. Their methodology should align to CREST or NCSC guidance. Ask for anonymised case studies or references from similar engagements. Pay close attention to reporting quality: can they show actionable remediation, reproducible proof and business-impact context?

Combining both in practice

Neither vulnerability assessments nor penetration tests are sufficient on their own. The 2024 Verizon DBIR highlights a continued rise in exploitation of known vulnerabilities as an initial access vector. That's precisely the kind of issue continuous scanning should catch early and pen testing should validate in context.

A mature approach looks like this:

• Run continuous scanning and patching as part of a vulnerability management programme, with clear SLAs for remediation by severity.
• Use risk-based prioritisation that considers business impact, not just CVSS scores.
• Schedule penetration tests to validate controls, test complex attack paths and verify that remediation has worked.
• Feed pen test findings back into your vulnerability management process and ISMS.
• Update threat models after each test cycle, tune detection rules to cover gaps found by testers, and run regression scans to confirm fixes hold.

The UK Cyber Security Breaches Survey 2024 provides useful benchmarking data on how organisations adopt basic controls and testing. It's worth reviewing to see where you sit relative to peers.

Vulnerability assessments and penetration tests are complementary. Use automated scanning to stay on top of known issues at scale. Use penetration testing to validate exploitability, demonstrate business impact and test complex attack paths. Align both with Cyber Essentials, ISO 27001 and GDPR expectations, and treat them as recurring elements within a risk-based security programme, not one-off exercises.