Penetration Testing vs Vulnerability Assessment
Which do you need and what does each cost? An honest decision guide covering VA, pentest, DAST, PTaaS, and bug bounty. Updated April 2026.
We do not sell penetration testing services. This site is not affiliated with any pentest vendor or security firm. All prices are independently researched from publicly available quotes, industry surveys, and published rate cards.
Decision Tree: What Do You Actually Need?
1. Do you have a compliance requirement specifying a penetration test?
YES
→ You need a penetration test. VA alone does not satisfy PCI DSS Req 11.3, SOC 2 CC6.6, or DORA Article 26.
NO
→ Continue to question 2.
2. Have you already run vulnerability scans and want to know if findings are actually exploitable?
YES
→ You need a penetration test to validate and chain the vulnerabilities your scanner found.
NO
→ Continue to question 3.
3. Is your primary goal continuous coverage on a limited budget, or a point-in-time deep assessment?
CONTINUOUS COVERAGE
→ Start with a vulnerability scanner (Intruder, Nessus). Add a pentest annually or for compliance.
POINT-IN-TIME DEEP ASSESSMENT
→ You need a penetration test.
VA vs Penetration Test — Full Comparison
| Aspect | Vulnerability Assessment | Penetration Test |
|---|---|---|
| What it finds | Known CVEs, outdated software, misconfigurations from a signature database | CVEs + logic flaws + chained attacks + authentication bypasses + business context vulnerabilities |
| How it works | Automated scanning tools (Nessus, Qualys, InsightVM) | Manual expert testing + automated tooling as supplement |
| Annual cost (GBP) | £1,000–£4,500/year (tooling) | £5,000–£50,000+ per engagement |
| Annual cost (USD) | $1,300–$5,800/year (tooling) | $6,000–$64,000+ per engagement |
| Time to complete | Hours (scan), runs continuously | Days to weeks per engagement |
| Report output | CVE list with CVSS scores, asset inventory | Narrative findings with PoC exploits, remediation guidance |
| Compliance use | Limited — supplementary evidence only | Full evidence for PCI DSS, SOC 2, DORA, NIS2 |
| Human expertise | None — fully automated | Significant — hours of expert analysis per finding |
| False positives | High — requires triage by security team | Low — each finding is verified and exploited |
| Best for | Continuous monitoring, patch tracking, attack surface visibility | Compliance evidence, deep assurance, finding logic flaws |
The Automated Scan Sold as a Penetration Test
The security market's worst-kept secret: many “penetration tests” priced below £3,000 are Nessus or Qualys reports with a custom cover page. The buyer receives a report that looks professional but contains only automated scan findings — no manual exploitation, no business logic analysis, no chained vulnerabilities.
How to identify it:
- The implied day rate is below £600/day — impossible for genuine manual testing
- All findings in the report are CVE-numbered vulnerabilities (automated scanner output)
- No findings specific to your application's business logic or custom code
- The report was delivered within 24 hours of access being granted
- Findings are identical or near-identical to a public CVE database entry — no evidence of manual exploitation
- The tester cannot explain how they found a specific vulnerability when asked
The Third Option: PTaaS
Pentest-as-a-Service platforms bridge the gap between continuous VA scanning and a bespoke pentest. They combine a subscription model, a compliance dashboard, and a scheduled annual manual test component.
- Continuous VA scanning: 24/7 attack surface monitoring, new CVE alerts, scheduled scans
- Scheduled manual tests: annual or semi-annual manual pentest component included in the subscription
- Compliance certificates: dashboard with SOC 2, ISO 27001, PCI DSS evidence packages
Limitation: PTaaS manual testing components are typically less deep than a bespoke engagement. For PCI DSS Requirement 11.3 or DORA Article 26, a dedicated bespoke pentest is required.
VA Tool Pricing (2026)
| Tool | Type | Annual Cost | Coverage |
|---|---|---|---|
| Nessus Professional | VA Scanner | £3,500–£4,200/year | Network vulnerabilities, misconfigurations |
| Qualys VMDR | VA Platform | £2,000–£8,000/year | Network + cloud + containers |
| Intruder | VA / Pentest hybrid | £2,499–£9,999/year | Continuous scanning + scheduled manual tests |
| Rapid7 InsightVM | VA Platform | Pricing on request (approx £5,000+/year) | Network vulnerability management |
DAST Tool Pricing (2026)
| Tool | Type | Annual Cost | Coverage |
|---|---|---|---|
| Burp Suite Professional | DAST (manual + automated) | £449/year per user | Web applications — industry standard for pentesters |
| Invicti (Netsparker) | Enterprise DAST | £5,000–£20,000+/year | Enterprise web app scanning |
| OWASP ZAP | DAST (open source) | Free | Web applications — good for CI/CD integration |
| StackHawk | Developer DAST | From $499/year | API + web app in CI/CD pipeline |
Bug Bounty vs Penetration Test
Bug Bounty
- Continuous: Researchers submit whenever they find something
- Variable cost: £0–£500K/year depending on scope and severity
- External researchers: Crowd-sourced from security research community
- No guarantee: Researchers choose what to test — coverage gaps possible
- Not for compliance: Does not satisfy PCI DSS, SOC 2, or DORA pentest requirements
Penetration Test
- Scoped engagement: Defined scope, defined start/end, guaranteed coverage
- Fixed cost: £5K–£100K+ depending on scope and type
- Named testers: Identified consultants with verifiable certifications
- Full coverage: Tester is contractually required to test all in-scope assets
- Compliance-ready: Structured to satisfy PCI DSS, SOC 2, DORA requirements
Bug bounty and penetration testing are complementary, not interchangeable. Enterprise security programmes often use both: pentest for compliance evidence, bug bounty for continuous discovery coverage.