What is the difference between a penetration test and a vulnerability scan?

First of all, let me make this clear, in the context of this article when I use the term penetration test or vulnerability scan I am referring to an Information Technology infrastructure such as software, operating system, network interfaces etc.

The easiest way to see what the difference is between a penetration test and a vulnerability scan is by comparing the definitions. A problem which then arises is which definitions do we adhere to?

Definitions of penetration test and vulnerability scan

There are quite a few different definitions we can adhere to. In order to keep things relatively simple, I will stick to the Wikipedia definition:

A penetration test, colloquially known as a pen test, is an authorised simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system’s features and data.

Unfortunately I could not find a similar Wikipedia entry for vulnerability scans, so I have tried to make that one up myself:

A vulnerability scan is an automated process supported by means of a vulnerability scanner (computer software), which produces a report with all potential vulnerabilities in a given part of IT infrastructure.

As the names already indicate, one is a test, whereas the other is a scan.

The difference explained

Let me start with the scan, a vulnerability scan is a, mostly, automated process. The scanner is a piece of software that can work in a manner of ways. There are spidering scanners but also scanners that work as a proxy between a browser and the target system, recording the users actions. These actions are then later replayed by the scanner and all actions are tested on possible vulnerabilities. In a vulnerability scan you let a tool do the work for you, the tool generates a bunch of results which can then be used to create a report for the client who requested the scan.

Likewise it is possible to state that a penetration test is just that, a test. Testing is a cognitive activity, you need to use your creativity in order to execute a proper penetration test. Of course you can use the outcomes of a scan as input or inspiration for your penetration test. In a penetration test you actually try to prove that any potential vulnerability is indeed a true security risk and can lead to a breach. During a penetration test, the tester is actively searching for ways to exploit vulnerabilities in the IT infrastructure. Generally a penetration test will have constraints such as a clearly defined goal, quite often a clear timebox in which the tests can be executed and limitations to what part of  the IT infrastructure under test is allowed to be tested for vulnerabilities.

So far so good, right?

The difference between a vulnerability scan and a penetration test is that a penetration test requires a lot of knowledge, by the tester, about how to exploit possible vulnerabilities, testing for these exploits takes up a lot of time and effort. Reporting on them also takes up a lot of time, since you need to be able to explain what you did, with what purpose and what was the result and how or why is this result not a desired behaviour of the application. On top of that, with a good penetration test report, you also advice on how to mitigate or limit the risks involved with the vulnerability. Ideally you even propose a solution to fully close the vulnerability.
A vulnerability scan however, takes up a lot less effort and time, the main time is used up by the scanner (Nikto, ZAP, BurpSuite etc.) to actually scan for vulnerabilities. The tool generates a report, which you then rewrite into something human readable and understandable. There are no actual exploits reported, so the possibility of having (and reporting) false positives, or worse, false negatives, is very high.

So, when requesting a penetration test, be sure what to look for and what to expect in the reporting. If you do not receive any clear proof that vulnerabilities were indeed tested and hopefully exploited succesfully, if there are no proper suggestions on how to resolve these vulnerabilities, you can assume you received a vulnerability scan rather than a proper penetration test.