Skip to content

A client asks why they should pay for a pentest when they already run vulnerability scans. How do you answer?

Short answer

A vulnerability scan is an automated, breadth-first inventory of potential weaknesses, often with false positives. A penetration test is human-driven: it validates findings, chains them together, and demonstrates real business impact through actual exploitation.

This is one of the most common interview and sales questions, because clients genuinely confuse the two. The honest answer respects what scanners do well while explaining what only a human tester provides.

Vulnerability scanning

A vulnerability scan uses automated tools (Nessus, OpenVAS, Qualys) to probe systems and match what they find against a database of known issues. It is:

  • Broad and fast — it can assess thousands of hosts overnight.
  • Repeatable — ideal for continuous, scheduled coverage.
  • Shallow — it reports potential vulnerabilities based on version banners and signatures, which means false positives and false negatives, and it generally does not exploit anything or understand business context.

Penetration testing

A penetration test is human-led. A tester takes the raw findings (often including scanner output) and:

  • Validates them — confirming a flagged CVE is actually exploitable in this environment, eliminating false positives.
  • Chains them — a low-severity information leak plus a default credential plus an SSRF can combine into full compromise that no single scan flags.
  • Demonstrates impact — instead of "port 445 may be vulnerable," it shows "we reached the domain controller and dumped credentials," which is what executives and auditors actually need to prioritize.

The right framing for the client

Scanning answers "what might be wrong?" and should run continuously. A pentest answers "what can an attacker actually achieve, and how bad is it?" They are complementary, not competing — a mature program does both.

What interviewers look for

That you don't dismiss scanners, that you can articulate validation, chaining, and business impact as the human value-add, and that you'd point a client to the cheaper option when it genuinely fits their need.

Likely follow-ups

  • How do you handle false positives from a scanner during an engagement?
  • When is a vulnerability scan actually the right deliverable for a client?
  • What does 'chaining' low-severity findings into high impact mean?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.