
Pentest vs. scan: what you’re buying

“We already did a pentest” is one of the most dangerous sentences in security — because half the time, what was actually bought was a vulnerability scan with a fancy invoice. The two are not the same, and the gap between them is where breaches live.

What a scan does

A vulnerability scanner is an automated tool. It checks your systems against a database of known issues and missing patches, then prints a list ranked by severity. It’s fast, cheap, and genuinely useful for hygiene — you should run one regularly.

But a scanner has no judgment. It can’t chain three “medium” findings into one critical compromise. It can’t reason about your business logic. And it produces false positives that bury the findings that matter under noise nobody triages.

What a pentest does

A penetration test is a human adversary with a goal. We don’t hand you a list of theoretical doors — we tell you which ones we opened, in what order, and what we reached on the other side. Privilege escalation, lateral movement, business-logic abuse, the password reuse that turned a low-severity finding into domain admin: that’s the part the scanner never sees.

  • Context over count. Ten “criticals” from a scanner can be noise. One proven attack path to your crown jewels is the whole report.
  • Proof, not theory. Every finding comes with a reproduction and a proof-of-concept. No hand-waving.
  • Prioritized fixes. We tell you what to remediate first, because we know which gap actually got us in.

How to tell what you paid for

Read the deliverable. If the “pentest” report is a tool’s raw output with a logo slapped on the cover, you bought a scan. A real engagement reads like a story: here’s where we started, here’s how we moved, here’s what we touched, here’s how we’d stop it.

A scan finds the unlocked windows. A pentest climbs through one and tells you what was in the room.

Both have a place. Run scans for continuous hygiene. Bring in operators when you need to know what a determined human would actually do with what the scanner found.
