Penetration testing and vulnerability scanning are often used interchangeably — even by IT vendors who should know better. They are not the same thing. They answer different questions, produce different outputs, and are suited to different situations. Confusing them can lead to organisations believing they are more secure than they are.
This guide explains what each one actually does, what the output looks like, what it costs, and how to decide which one your business needs — or whether you need both.
| Question | Vulnerability Scan | Penetration Test |
|---|---|---|
| What does it do? | Identifies known weaknesses using automated tools | Attempts to exploit weaknesses using human skill and judgment |
| Who does it? | Automated scanner (tool-driven) | Human security professional (skill-driven) |
| What does it find? | Known vulnerabilities with CVE identifiers | Exploitable vulnerabilities, logic flaws, chained attack paths |
| Can it show real-world impact? | No — reports potential risk only | Yes — demonstrates what an attacker could actually achieve |
| Finds configuration issues? | Partially — common misconfigurations only | Yes — including custom and business-logic issues |
| Typical duration | Hours to a day | 3–10 days depending on scope |
| Typical cost | $500–$2,000 | $3,000–$15,000+ depending on scope |
| Report usefulness for auditors | Limited — often generic | High — evidence-based, specific to your environment |
| ACSC Essential Eight evidence | Supports patching compliance evidence | Commonly requested as supporting evidence at higher maturity levels, although the maturity model itself does not mandate a penetration test |
| APRA CPS 234 evidence | Supports control testing documentation | Strong evidence for the systematic control testing that CPS 234 requires |
A vulnerability scanner is an automated tool that checks your systems against a database of known vulnerabilities. It connects to your network (or scans your internet-facing infrastructure externally), identifies running software and services from service banners and version strings (and, if you supply credentials, from the installed package list), and cross-references them against the National Vulnerability Database (NVD) and vendor advisories.
The output is a list of identified vulnerabilities, most with a CVE identifier and each with a severity rating (Critical, High, Medium, Low), usually derived from the CVSS score. Because the match is typically made on a version string, a host that has received a backported fix can still be reported as vulnerable; this is why a scan reports potential risk rather than confirmed exploitability. A typical scan of a mid-sized Australian business might return hundreds of findings, many of them informational or low-severity, with a smaller number requiring urgent action.
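To make the version-matching step concrete, here is the core of a scanner reduced to a few functions. This is an added example written for this post; it is not code from the post, from Fort1, or from any scanner vendor. The host banners and the advisory list are constructed for illustration, and the advisory IDs are placeholders rather than real CVE numbers. The Debian host in the sample shows the limitation described above: its OpenSSH version string predates the fix, so it is flagged whether or not the distro backported the patch.

```python
"""Version-matching core of a vulnerability scanner, reduced to its essentials.

Added example for this post; it is not code from the post, from Fort1 or
from any scanner vendor. The host banners and the advisory list are
constructed for illustration, and the advisory IDs are placeholders, not
real CVE numbers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: tuple  # first version that contains the fix
    severity: str


# Constructed advisory list. A real scanner builds this from NVD CPE match
# data and vendor advisories; the IDs here are placeholders.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "OpenSSH", (9, 8), "High"),
    Advisory("EXAMPLE-ADV-2", "nginx", (1, 25, 4), "Medium"),
]

# Product and version as they appear in a service banner, e.g.
# "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3" or "Server: nginx/1.24.0".
BANNER_RE = re.compile(r"(?P<product>OpenSSH|nginx)[_/](?P<version>\d+(?:\.\d+)*)", re.I)

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_banner(banner):
    """Return (product, version tuple) from a banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("product"), version


def match(product, version, advisories=ADVISORIES):
    """Advisories whose fix landed in a later version than the one reported."""
    return [
        adv for adv in advisories
        if adv.product.lower() == product.lower() and version < adv.fixed_in
    ]


def scan(hosts):
    """hosts: {host: [banner, ...]} -> findings sorted by severity.

    The match is on the version string only. Host 10.0.0.5 below runs a
    Debian OpenSSH package; if the distro backported the fix, the High
    finding is a false positive that only an authenticated check or manual
    validation can resolve. That is the "potential risk only" caveat.
    """
    findings = []
    for host, banners in hosts.items():
        for banner in banners:
            parsed = parse_banner(banner)
            if parsed is None:
                continue  # unrecognised service: no signature, no finding
            product, version = parsed
            for adv in match(product, version):
                findings.append({
                    "host": host,
                    "product": product,
                    "version": ".".join(map(str, version)),
                    "advisory": adv.advisory_id,
                    "severity": adv.severity,
                })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed banners from two hosts, as a scanner would collect them.
SAMPLE_HOSTS = {
    "10.0.0.5": ["SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3", "Server: nginx/1.24.0"],
    "10.0.0.9": ["SSH-2.0-OpenSSH_9.9", "Server: Apache/2.4.62 (Ubuntu)"],
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS):
        print(finding)
```

Running it produces two findings for 10.0.0.5 and none for 10.0.0.9; the Apache banner is silently skipped because there is no signature for it, which is the other side of the same limitation: a scanner only finds what its database describes.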
A penetration test is a structured engagement where a skilled security professional attempts to compromise your systems — with your permission. The tester uses automated tools as a starting point, but the core work is manual: researching your environment, identifying potential attack paths, attempting to exploit vulnerabilities, and demonstrating what a real attacker could achieve.
The difference is human judgment. A penetration tester can:
- chain several individually low-severity findings into a complete attack path
- find business-logic and custom-application flaws that no signature database describes
- confirm whether a reported vulnerability is actually exploitable in your environment, rather than just present
- demonstrate real-world impact, such as which data or systems an attacker could reach
A good penetration test report contains two sections: an executive summary for leadership (risk context, business impact, prioritised recommendations) and a technical section for your IT team (specific findings, screenshots as evidence, step-by-step reproduction instructions, and remediation guidance). Every finding is specific to your environment — not a generic automated output.
| Your situation | What you need | Why |
|---|---|---|
| You’ve never tested your environment and want to know your real risk | Penetration test | Vulnerability scanning alone won’t show you exploitability or business impact |
| You need evidence for APRA CPS 234 or ACSC Essential Eight Level 2+ | Penetration test | CPS 234 requires systematic testing of controls, and higher Essential Eight maturity levels expect evidence that controls hold up in practice; a scan report alone shows neither |
| Your cyber insurer asked for evidence of security testing at renewal | Penetration test | Insurers increasingly ask for evidence that controls work, which a scan report alone does not demonstrate |
| You want ongoing visibility into unpatched systems across your environment | Vulnerability scanning | Scanners are ideal for continuous patching compliance monitoring |
| You just deployed a new web application or major system change | Penetration test (web application or external network scope) | Changes introduce new attack surfaces; scanning alone misses custom vulnerabilities |
| You’ve been breached or had a near-miss | Incident response first, then a penetration test and a dark web assessment | Incident response and forensics identify the entry point and contain the incident; testing afterwards confirms the gap is closed and that any leaked credentials are no longer usable |
| You have both regular scanning and want to validate your controls annually | Both | Scanning handles continuous monitoring; annual pen test validates that controls work |
Both penetration testing and vulnerability scanning focus on the technical vulnerabilities in your systems. But one of the most common ways Australian businesses get breached is through credentials that were stolen in previous breaches at other companies — leaked passwords that your staff reuse, or old accounts that were never deprovisioned.
A dark web assessment addresses this gap. It searches breach databases, dark web forums, and data dumps for any credentials, email addresses, or sensitive information connected to your business domain.
This is worth running before a penetration test — because if your credentials are already compromised, a pen tester can use them to access your systems without needing to exploit a single technical vulnerability. Knowing your dark web exposure first helps scope the engagement more accurately and gives you immediate quick wins to action.
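The triage that follows a dark web assessment is straightforward to show in code. This is an added example for this post; it is not the post's code and not how Cybernod or any other dark web monitoring product works. The dump lines, the domain, the directory and the password hashes are all constructed. It sorts leaked credentials into the three outcomes that matter for the scenarios above: the leaked password still opens an active account, the account exists but the password was rotated, or there is no account in this directory at all (the place to look for never-deprovisioned accounts in other systems).

```python
"""Triage of a breach-dump extract against the current user directory.

Added example for this post; it is not the post's code and not how Cybernod
or any other dark web monitoring product works. The dump lines, the
directory, the domain and the password hashes are all constructed.
"""
import hashlib
import hmac
import os

DOMAIN = "example.com.au"  # constructed domain


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256, standing in for whatever the directory stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_entry(password):
    """Constructed directory record: (per-user salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed current directory. alice still uses the password that leaked;
# bob rotated his after the breach; carol no longer has an account here.
DIRECTORY = {
    "alice@example.com.au": make_entry("Summer2023!"),
    "bob@example.com.au": make_entry("correct-horse-battery-staple"),
}

# Constructed breach-dump lines in the common "email:password" form, with a
# foreign-domain entry and a duplicate that differs only in letter case.
DUMP_LINES = """
alice@example.com.au:Summer2023!
bob@example.com.au:bob123
carol@example.com.au:Welcome1
someone@otherdomain.com:hunter2
BOB@Example.com.au:bob123
""".strip().splitlines()


def parse_dump(lines, domain):
    """Yield unique (email, password) pairs for addresses at `domain`."""
    seen = set()
    for line in lines:
        email, sep, password = line.partition(":")
        if not sep:
            continue  # not an email:password line
        email = email.strip().lower()
        if not email.endswith("@" + domain.lower()):
            continue
        if (email, password) in seen:
            continue
        seen.add((email, password))
        yield email, password


def triage(lines, directory, domain=DOMAIN):
    """Sort leaked credentials into actions.

    reset_now : the leaked password still opens an active account
    rotated   : the account exists but the password no longer matches
    no_account: no account in this directory; check SaaS, VPN and mail
                for never-deprovisioned accounts under the same address
    """
    results = {"reset_now": [], "rotated": [], "no_account": []}
    for email, password in parse_dump(lines, domain):
        entry = directory.get(email)
        if entry is None:
            bucket = "no_account"
        else:
            salt, stored = entry
            if hmac.compare_digest(stored, hash_password(password, salt)):
                bucket = "reset_now"
            else:
                bucket = "rotated"
        if email not in results[bucket]:
            results[bucket].append(email)
    return results


if __name__ == "__main__":
    for bucket, emails in triage(DUMP_LINES, DIRECTORY).items():
        print(bucket, emails)
```

In practice the password comparison should be performed by the identity platform itself (for example as a forced reset or a banned-password check) rather than by exporting hashes, and the "no account" bucket is worth cross-checking against every SaaS, VPN and mail system, because that is where stale accounts that were never deprovisioned tend to survive.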
Cybernod, Fort1’s dark web assessment tool, surfaces leaked credentials, breached accounts, and dark web mentions of your business domain in about five minutes, free and with no commitment. It’s the fastest way to understand one of the most commonly overlooked attack vectors before you invest in deeper testing.
Fort1 is an Australian cybersecurity firm based in Sydney. We provide penetration testing, compliance advisory, and dark web monitoring for Australian businesses. If you have questions about whether a vulnerability scan or penetration test is right for your situation, reply to this post or contact us at info@fort1.com.au.