Penetration test or vulnerability scan: the difference, and what your organisation needs under NIS2
Published on July 11, 2026
Sooner or later the question lands on the table, from the board, in a supplier questionnaire or from your insurer: "has a penetration test been performed?" And somewhere else in the same conversation the term vulnerability scan comes up, as if it were the same thing. It is not. Those who confuse the two easily buy the wrong instrument, or pay pentest rates for something a scan can do cheaper and more often.
This article explains the difference in decision-maker language: what each instrument does and does not do, what it costs, what NIS2 actually says about it and in what order to deploy them sensibly.
What is a vulnerability scan?
A vulnerability scan is an automated examination of your systems for known vulnerabilities, outdated software and configuration errors. An external scan looks at your organisation the way an attacker does: which domains, servers and services are exposed to the internet, what software runs there, and which of it has known weaknesses? What such an outside view reveals is covered in what does an attacker see of your domain.
The strength of a scan lies in three properties:
- Breadth. A scan examines your entire external attack surface, including the systems you had forgotten about. In practice, that shadow IT often turns out to be the weakest spot.
- Repeatability. The same scan can run weekly or monthly. That makes trends and remediation visible: has last month's finding been resolved?
- Price. Because it is automated, continuous scanning costs a fraction of a single penetration test.
The limitation is equally clear: a scan finds what is known and measurable. It does not chain creative attack paths together and does not assess business logic.
What is a penetration test?
A penetration test is manual research by a specialist who, within an agreed scope and with your written permission, actively tries to break in. A good pentester does what no scanner can: combine weaknesses into an attack path, find logical flaws in applications and assess what a motivated attacker would achieve in your specific situation.
On the other side of the ledger:
- Snapshot. The report describes the situation of that week. Six months later, new vulnerabilities have been published and your infrastructure has changed.
- Scope. A pentest examines what has been agreed, usually one application or environment. Whatever falls outside the scope remains untested.
- Price. Expect several thousand to tens of thousands of euros per engagement, depending on size and depth.
In the Netherlands, penetration testing is being standardised through the MIAUW methodology, which originated in the same open ecosystem as OpenKAT. When procuring a pentest, asking for a standardised methodology and traceable evidence is a good selection criterion.
The difference in one table
| Vulnerability scan | Penetration test | |
|---|---|---|
| Execution | Automated | Manual, by a specialist |
| Coverage | Entire external attack surface | Agreed scope |
| Depth | Known vulnerabilities and configuration | Attack paths, business logic, creativity |
| Frequency | Continuous (weekly/monthly) | Once a year or after major changes |
| Cost | Tens to hundreds of euros per month | Thousands to tens of thousands per engagement |
| Result | Current, repeatable picture with trends | Deep snapshot with proven impact |
What does NIS2 actually say about this?
Less than vendors would like you to believe. NIS2 and the Dutch Cybersecurity Act that enters into force on 15 August 2026 do not mandate a pentest or a scan by name. The law requires appropriate and proportionate measures to manage risks, and the ability to demonstrate those measures, including towards your supply chain.
For you as a decision-maker, that means two things. First: anyone selling you a product as "mandatory under NIS2" is selling urgency, not facts. Second: the regulator and your large customers look at demonstrability over time. One pentest report from 2025 does not demonstrate that you are managing your risks today. Why even a good scan does not amount to compliance on its own is explained in scanning is not NIS2 compliance.
What does your organisation need, and in what order?
For most organisations the order is not a dilemma but a progression:
- Start with a scan of your external attack surface. That is the cheapest way to find the basic problems: forgotten subdomains, outdated software, exposed admin interfaces. Leave those in place and you will later pay a pentester specialist rates to write them up.
- Turn it into continuous monitoring. Your attack surface changes constantly; vulnerability monitoring keeps the picture current and builds dated evidence for auditors, customers and insurers.
- Deploy a penetration test in a targeted way. On your crown jewels: the customer portal, the integration handling personal data, a new application before go-live. That way the specialist tests depth where it is worth the most, instead of your overdue basic hygiene.
- Repeat. An annual or biennial pentest on a rotating scope, with the continuous scan as the foundation in between.
That way you use each instrument for what it is good at, and you can give a concrete answer on every supplier questionnaire. How to answer such a question about "patch management and penetration testing" convincingly is covered in how to answer a NIS2 supplier questionnaire.
Conclusion
A penetration test and a vulnerability scan do not compete, they stack. The scan delivers breadth, continuity and affordable, dated evidence; the pentest delivers depth in the places where the impact is greatest. If you only have one budget line, start with the scan, because without visibility of your attack surface the pentester will end up testing the wrong thing.
Exposentry is deliberately that first instrument: a continuous vulnerability scan of your external attack surface, built on OpenKAT, with forensically substantiated reports you can use directly as evidence. Not a pentest, and we say so plainly. See the plans and pricing or start with a baseline scan.
Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides EU-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.