Lots of vendors today are marketing basic scanning and assessment services as “penetration tests,” which they are not. So let’s be clear. The FFIEC defines penetration testing in the glossary of the Information Security Handbook:
Penetration test: The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.
By clarifying that penetration testing must be completed by qualified personnel who can conduct “real-world attacks,” the FFIEC clearly distinguishes pen testing from vulnerability scanning services.
A scan looks for vulnerabilities and reports on potential weaknesses, a penetration test actually exploits those weaknesses.
A scan systematically examines systems to identify, quantify, and prioritize the security deficiencies of the systems. A penetration test consists of targeted attempts to exploit your current system or policies, and identifies the extent to which your system can be compromised.
They’re not the same, but both have a role to play in your overall cybersecurity risk management.