The two terms get used interchangeably in sales conversations, and that is part of the problem. A penetration test and a vulnerability scan answer different questions, at different prices, on different cadences. If you are running a small business in Australia, knowing which one you need at any given moment saves money and produces better evidence at audit.
What a penetration test actually is.
A penetration test is a human-led engagement. A consultant (or a small team) spends days or weeks examining a defined scope, chaining low-severity findings into a real exploit path, testing business logic, and writing a bespoke report. Engagements are scoped: a single web application, a network segment, a cloud account, or sometimes a physical or social-engineering exercise. Good firms publish their methodology (OWASP WSTG, PTES, OSSTMM) and tell you what is in and out of scope before they start.
The output is a written report with proof-of-exploit screenshots, severity ratings, and remediation advice. The best pen tests find real business-logic bugs that no scanner would ever catch: an authentication bypass, an authorisation flaw, a chained vulnerability that converts a low-severity issue into a high-impact one. The value is the human judgement.
The honest tradeoffs: pen tests are expensive, slow to schedule, and capture a single point in time. The web application you tested in March is not the web application you have in September. The findings go stale, the team changes, the third-party scripts update, and the scope drifts. That is not a flaw in pen testing — it is a property of the tool. You use it when the question is “is this thing fundamentally well built” or “can a determined human get in”, not for continuous assurance.
What a vulnerability scan actually is.
A vulnerability scan is automated. A scanner sends requests against a target, compares the responses against a database of known issues, and produces a list of findings. Some scanners are signature-based (a list of CVEs); some include configuration checks (TLS, DNS, email authentication, HTTP headers); some do light dynamic analysis on web applications. The scan runs in minutes or hours, not days.
The output is a list of known issues with severity scores and, usually, generic remediation guidance. A scan is excellent at catching the broad category of known, publicly documented problems: expired certificates, missing security headers, an outdated WordPress plugin, a weak TLS configuration, an exposed admin path. It is poor at catching novel issues, business-logic flaws, or anything that requires a human to understand context.
The right way to think about a vulnerability scan is the same way you think about a smoke alarm. It does not detect every kind of fire, it will not put one out, and it occasionally false-alarms. It catches the broad-based, common stuff loudly enough that you can act on it, and it does so cheaply enough to run on a recurring schedule.
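To make the "compare responses against a database of known issues" model concrete, here is an added example (not AttackEdge's scanner or any other product's code) of a passive configuration check run over constructed inputs: a captured response-header set, a certificate expiry date, and DNS TXT records for a made-up domain. The required-header list, severities and remediation hints are assumptions chosen for illustration.

```python
"""Toy passive external check over constructed data (added example, not a product's code)."""
from datetime import datetime, timezone

# Constructed sample inputs standing in for what a passive scanner would observe.
SAMPLE_HEADERS = {"server": "nginx", "content-type": "text/html", "x-frame-options": "DENY"}
SAMPLE_CERT_NOT_AFTER = "2024-03-01T00:00:00+00:00"          # constructed expiry
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)         # constructed "scan time"
SAMPLE_TXT = {                                                # constructed DNS answers
    "example.invalid": ["v=spf1 include:_spf.example.invalid ~all"],
    "_dmarc.example.invalid": [],
}

# The "database of known issues" for headers: name -> (severity, remediation hint). Assumed list.
REQUIRED_HEADERS = {
    "strict-transport-security": ("medium", "enable HSTS on the HTTPS listener"),
    "content-security-policy": ("medium", "add a CSP, starting in report-only mode"),
    "x-content-type-options": ("low", "send X-Content-Type-Options: nosniff"),
    "x-frame-options": ("low", "send X-Frame-Options: DENY or a CSP frame-ancestors"),
}

def check_headers(headers):
    """Report every required security header the response did not carry."""
    present = {k.lower() for k in headers}
    return [("missing header " + name, sev, hint)
            for name, (sev, hint) in REQUIRED_HEADERS.items() if name not in present]

def check_cert(not_after_iso, now):
    """Flag an expired certificate, or one inside a 14-day renewal window."""
    days_left = (datetime.fromisoformat(not_after_iso) - now).days
    if days_left < 0:
        return [("TLS certificate expired", "high", "renew the certificate now")]
    if days_left < 14:
        return [("TLS certificate expires soon", "medium", "renew before expiry")]
    return []

def check_email_auth(domain, txt_records):
    """SPF must exist and not end in +all; DMARC must exist at _dmarc.<domain>."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.startswith("v=spf1")]
    if not spf:
        findings.append(("no SPF record", "medium", "publish a v=spf1 TXT record"))
    elif spf[0].rstrip().endswith("+all"):
        findings.append(("SPF ends in +all", "high", "use ~all or -all"))
    dmarc = [r for r in txt_records.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(("no DMARC record", "medium", "publish v=DMARC1; p=none and monitor"))
    return findings

def scan(headers, cert_not_after, domain, txt_records, now=None):
    """Run every check and order findings by severity so the fixer sees the worst first."""
    now = now or datetime.now(timezone.utc)
    findings = check_headers(headers) + check_cert(cert_not_after, now) + check_email_auth(domain, txt_records)
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1, "low": 2}[f[1]])
```

Every finding here is a known, documented misconfiguration visible from outside; nothing in the block would notice an authorisation flaw or a broken business rule, which is exactly the gap a human tester fills.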
Where AttackEdge sits.
AttackEdge is an external vulnerability scanner with three constraints baked in: it is passive (no exploitation, no test orders, no payload injection), it scans only the public surface of your business (the website, DNS, email authentication, TLS, subdomains, public IPs), and it produces a plain-English report each cycle written for the IT person or web developer who actually fixes things. We sit in the vulnerability-scan column, not the pen-test column. We say that on every page that mentions a pen test, because it matters.
The role we play for an Australian SMB is the recurring external check, run monthly, with dated evidence ready for an insurer or a client question. We are not a substitute for a pen test when one is genuinely required. We are the layer you keep running between pen tests, or instead of them when a pen test is the wrong tool for the budget and the question.
When to choose which.
Some genuine signals that a pen test is the right next step:
- Large-contract procurement. An enterprise customer, government tender, or large partner is asking for a recent pen-test report as part of vendor onboarding.
- Regulated environment. You operate in a sector where the regulator or your auditor specifically requires a manual pen test on a fixed cadence (some health, financial-services, and critical-infrastructure contexts).
- Post-incident validation. Something went wrong, you remediated it, and you want a human to confirm the fix actually closed the hole.
- New public app launch. You shipped a new web application that handles payments, sensitive data, or a novel workflow. A pen test before launch catches the business-logic bugs no scanner would.
Outside those situations, recurring external vulnerability scanning produces more value for a small business. It catches the common issues that account for the overwhelming majority of real-world breaches at SMB scale (weak email auth, expired TLS, exposed admin paths, abandoned subdomains, unpatched plugins) and it produces fresh dated evidence on every scheduled run.
A note on cost.
In Australia, a competent external pen test on a single web application costs roughly A$19,000 to A$15,000. Broader scopes (a few applications, the network, social engineering) run A$15,000 to A$40,000 and up. Those are the prices for a real engagement with a published methodology and a written report — not a junior consultant running a free scanner and turning the output into a PDF.
AttackEdge sits at A$39 per month (Solo, one website and email) or A$99 per month (SMB, up to 15 assets), with a A$149 one-off Snapshot for a single baseline. The two are not in competition: pen tests answer “is this thing well built”, AttackEdge answers “is the public surface still healthy this month”.