
Vulnerability scanning and penetration testing are two very different ways to test your systems for security vulnerabilities, but they are often confused for the same service.
In short
A vulnerability scan, or VA for short, is an automated evaluation that provides a high-level test of your IT estate: it looks for, detects and reports on the potential vulnerabilities you have.
A penetration test is carried out by a human who focuses on detecting and exploiting weaknesses in your IT security.
Benefits of Vulnerability Scanning
Fast, high-level evaluation of possible vulnerabilities
Affordable
Automatic (can be automated to run weekly, monthly, quarterly, etc.)
Quick to complete, and quick to show the current state of play of your network security
Limitations of a Vulnerability Scan
False positives can be reported
Organisations will need to check each vulnerability before testing again
Does not confirm that a vulnerability is exploitable
Benefits of a Penetration Test
Live, manual tests mean more accurate and thorough results
Retesting after remediation is often included
Rules out false positives
Annual test, or after any significant change
Limitations of a Penetration Test
Time (1 day to 2+ weeks)
Cost and company commitment to allow an external partner to penetrate the network
When to use them?
Both can be used to test your network and application security. Companies run vulnerability scans regularly (weekly, monthly, or quarterly) to gain an insight into your network security. Penetration tests are used periodically to examine your network security in depth. The purpose of a PenTest is to find a possibility of compromise in your security.