Back to knowledge base

Penetration test or vulnerability scan: the difference, and what your organisation needs under NIS2

Published on July 11, 2026

Sooner or later the question lands on the table, from the board, in a supplier questionnaire or from your insurer: "has a penetration test been performed?" And somewhere else in the same conversation the term vulnerability scan comes up, as if it were the same thing. It is not. Those who confuse the two easily buy the wrong instrument, or pay pentest rates for something a scan can do cheaper and more often.

This article explains the difference in decision-maker language: what each instrument does and does not do, what it costs, what NIS2 actually says about it and in what order to deploy them sensibly.

What is a vulnerability scan?

A vulnerability scan is an automated examination of your systems for known vulnerabilities, outdated software and configuration errors. An external scan looks at your organisation the way an attacker does: which domains, servers and services are exposed to the internet, what software runs there, and which of it has known weaknesses? What such an outside view reveals is covered in what does an attacker see of your domain.

The strength of a scan lies in three properties:

The limitation is equally clear: a scan finds what is known and measurable. It does not chain creative attack paths together and does not assess business logic.

What is a penetration test?

A penetration test is manual research by a specialist who, within an agreed scope and with your written permission, actively tries to break in. A good pentester does what no scanner can: combine weaknesses into an attack path, find logical flaws in applications and assess what a motivated attacker would achieve in your specific situation.

On the other side of the ledger:

In the Netherlands, penetration testing is being standardised through the MIAUW methodology, which originated in the same open ecosystem as OpenKAT. When procuring a pentest, asking for a standardised methodology and traceable evidence is a good selection criterion.

The difference in one table

Vulnerability scanPenetration test
ExecutionAutomatedManual, by a specialist
CoverageEntire external attack surfaceAgreed scope
DepthKnown vulnerabilities and configurationAttack paths, business logic, creativity
FrequencyContinuous (weekly/monthly)Once a year or after major changes
CostTens to hundreds of euros per monthThousands to tens of thousands per engagement
ResultCurrent, repeatable picture with trendsDeep snapshot with proven impact

What does NIS2 actually say about this?

Less than vendors would like you to believe. NIS2 and the Dutch Cybersecurity Act that enters into force on 15 August 2026 do not mandate a pentest or a scan by name. The law requires appropriate and proportionate measures to manage risks, and the ability to demonstrate those measures, including towards your supply chain.

For you as a decision-maker, that means two things. First: anyone selling you a product as "mandatory under NIS2" is selling urgency, not facts. Second: the regulator and your large customers look at demonstrability over time. One pentest report from 2025 does not demonstrate that you are managing your risks today. Why even a good scan does not amount to compliance on its own is explained in scanning is not NIS2 compliance.

What does your organisation need, and in what order?

For most organisations the order is not a dilemma but a progression:

  1. Start with a scan of your external attack surface. That is the cheapest way to find the basic problems: forgotten subdomains, outdated software, exposed admin interfaces. Leave those in place and you will later pay a pentester specialist rates to write them up.
  2. Turn it into continuous monitoring. Your attack surface changes constantly; vulnerability monitoring keeps the picture current and builds dated evidence for auditors, customers and insurers.
  3. Deploy a penetration test in a targeted way. On your crown jewels: the customer portal, the integration handling personal data, a new application before go-live. That way the specialist tests depth where it is worth the most, instead of your overdue basic hygiene.
  4. Repeat. An annual or biennial pentest on a rotating scope, with the continuous scan as the foundation in between.

That way you use each instrument for what it is good at, and you can give a concrete answer on every supplier questionnaire. How to answer such a question about "patch management and penetration testing" convincingly is covered in how to answer a NIS2 supplier questionnaire.

Conclusion

A penetration test and a vulnerability scan do not compete, they stack. The scan delivers breadth, continuity and affordable, dated evidence; the pentest delivers depth in the places where the impact is greatest. If you only have one budget line, start with the scan, because without visibility of your attack surface the pentester will end up testing the wrong thing.

Exposentry is deliberately that first instrument: a continuous vulnerability scan of your external attack surface, built on OpenKAT, with forensically substantiated reports you can use directly as evidence. Not a pentest, and we say so plainly. See the plans and pricing or start with a baseline scan.

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides EU-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.