Published on 31 May 2026 · by Qubit Technologies
Pentest, red team or vulnerability scan, which one do you actually need?
Three terms used as synonyms that are not the same. What a vulnerability scan, a pentest and a red team are, how they really differ and which one your company needs depending on its maturity.
Three terms that get used as if they were the same thing when they are not. Vulnerability scan, pentest and red team get mixed up in conversations, in proposals and far too often in invoices. And the confusion is not innocent, because sometimes the cheapest one gets sold under the name of the most expensive.
If you are going to invest in testing your security, it pays to know what you are asking for. Here are the three, how they really differ and when each one makes sense.
The vulnerability scan
It is the most automated of the three. A tool sweeps your systems and compares what it finds, mostly the version a service announces and the packages installed, against a database of known vulnerabilities, the ones that have a public identifier and, usually, a patch attached. At the end it spits out a list, usually long, with everything that matches.
It is useful as ongoing hygiene, because it quickly spots the unpatched server or the service running a known vulnerable version. But it has a clear ceiling. It exploits nothing, so it does not know whether that vulnerability is actually reachable from where an attacker would stand, whether the vulnerable feature is even enabled, or what could be done with it. It does not understand your business logic. And because it mostly matches version strings, it produces false positives that someone has to filter by hand, the classic case being a distribution that backports a fix without changing the version number the service announces.
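To make that ceiling concrete, here is a small added illustration of how version matching works and where its best-known false positive comes from. It is example code written for this article, not Qubit's tooling and not any real scanner's logic; the advisory identifiers, hosts, banners and the table of distro fixed versions are all constructed, and the package-version ordering is a simplification of the real dpkg rules.

```python
"""
Toy model of a version-matching vulnerability scan and of its classic
false positive: a distro that backports a fix without bumping the upstream
version. Everything below (advisories, hosts, banners) is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import re


def upstream_version(text: str) -> tuple[int, ...]:
    """'2.4.49-1+deb11u2' -> (2, 4, 49): keep only the upstream part."""
    upstream = text.split("-", 1)[0]
    return tuple(int(p) for p in upstream.split("."))


def parse_package(text: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Simplified distro package ordering: upstream tuple, then every integer
    in the distro suffix ('1+deb11u2' -> (1, 11, 2)). Real dpkg/rpm rules are richer."""
    upstream, _, suffix = text.partition("-")
    return upstream_version(upstream), tuple(int(n) for n in re.findall(r"\d+", suffix))


@dataclass(frozen=True)
class Advisory:
    ident: str                  # constructed identifier, deliberately not a CVE number
    product: str
    affected_from: str          # first affected upstream version, inclusive
    fixed_in: str               # first fixed upstream version, exclusive
    # Package versions carrying a backported fix, keyed by distro release.
    # Real scanners pull this from vendor feeds; here it is constructed.
    distro_fixed: dict[str, str] = field(default_factory=dict)


ADVISORIES = [
    Advisory("EX-2021-0001", "httpd", "2.4.49", "2.4.51",
             distro_fixed={"deb11": "2.4.49-1+deb11u2"}),
    Advisory("EX-2022-0007", "openssh", "8.0", "9.1"),
]


@dataclass(frozen=True)
class Host:
    name: str
    banner_product: str
    banner_version: str                  # what an unauthenticated probe sees
    distro: str | None = None            # only known with credentials or an agent
    package_version: str | None = None   # same


HOSTS = {  # constructed sample inventory
    "web-a": Host("web-a", "httpd", "2.4.49"),                              # genuinely unpatched
    "web-b": Host("web-b", "httpd", "2.4.49", "deb11", "2.4.49-1+deb11u2"),  # fix backported
    "web-c": Host("web-c", "httpd", "2.4.51"),                              # patched upstream
    "bastion": Host("bastion", "openssh", "8.9", "deb11", "8.9-1+deb11u1"),
}


def banner_scan(host: Host) -> list[str]:
    """Unauthenticated scan: match the announced upstream version against each advisory."""
    seen = upstream_version(host.banner_version)
    hits = []
    for adv in ADVISORIES:
        if adv.product != host.banner_product:
            continue
        if upstream_version(adv.affected_from) <= seen < upstream_version(adv.fixed_in):
            hits.append(adv.ident)
    return hits


def authenticated_scan(host: Host) -> list[str]:
    """Credentialed scan: same match, minus hits where the installed package
    is at or past the distro's backported fix."""
    hits = []
    for ident in banner_scan(host):
        adv = next(a for a in ADVISORIES if a.ident == ident)
        fixed = adv.distro_fixed.get(host.distro or "")
        if fixed and host.package_version and parse_package(host.package_version) >= parse_package(fixed):
            continue  # version string looks vulnerable, package is not
        hits.append(ident)
    return hits


def report() -> dict[str, tuple[list[str], list[str]]]:
    """Per host: (banner-scan hits, authenticated-scan hits)."""
    return {name: (banner_scan(h), authenticated_scan(h)) for name, h in HOSTS.items()}


if __name__ == "__main__":
    for name, (banner, authed) in report().items():
        print(f"{name:8} banner={banner} authenticated={authed}")
```

Note what even the credentialed result does not say. The hit on bastion is probably genuine, but nothing here has checked whether that port is reachable from outside, whether the vulnerable option is enabled, or what an attacker could do next. That is exactly where the scan stops and the pentest begins.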
A vulnerability scan is a good starting point. It is not an audit, however often it gets sold as one.
The pentest
Here a person comes in. A pentest, or penetration test, is a manual audit with an agreed scope in which a professional actually tries to get in, exploiting what they find the way an attacker would.
The difference from the scan is enormous. The pentester does not stop at “this looks vulnerable”, they exploit it and show how far it goes. They chain flaws that looked minor on their own, uncover business logic errors that no tool detects and hand you reproducible evidence of each finding, with its real impact and its remediation guidance.
It is what most companies need when they say they want “an audit”. It has a defined scope, whether a web application, the internal network or one specific system, within which everything gets looked at in depth.
The red team
The red team plays in another league, not just a bigger pentest. Here the question really changes. Instead of “what vulnerabilities does this system have?”, the question becomes “if a real attacker wanted to get in and reach their objective, would they manage it without us noticing?”.
A red team exercise has a concrete objective, for example reaching the customer database or the payment system. It runs stealthily, trying not to be detected. It does not aim to cover everything but to be realistic and to test something the other two do not touch, which is your ability to detect and respond while the attack is happening, meaning your people and your processes, not just the technology.
That is why a red team only adds value if you already have a level of maturity. If you have never had a pentest, a red team will only confirm the obvious, that someone can get in, while costing more to learn what a pentest would have shown you already.
Which one you need
The short answer is that it depends on your maturity, not on which one sounds better.
If you have never run a serious test, start with a pentest on what matters most to you. It is what gives you the most value per euro, because it brings to the surface the real problems you have right now. The vulnerability scan sits below it, as a continuous routine that keeps hygiene between audits, not as a replacement for them. The red team, by contrast, sits above, reserved for when you already pass pentests with good marks and what you want to measure is whether your team would detect a real attacker.
Asking for a red team without having done a pentest first is like hiring someone to climb in through the window before making sure the doors lock.
The warning
The most expensive mistake is not choosing wrong between a pentest and a red team. It is accepting an automated vulnerability scan thinking it is an audit. It is cheap and it reassures. A long report arrives, full of colour-coded lines, that leaves you with the feeling of having done your homework. The problem is that no one has actually tried to get in, so you do not know whether those vulnerabilities can be exploited or what an attacker would have found where a tool does not look.
It is the same idea we wrote about in why passing a compliance audit does not mean you are secure. The only thing that really tells you how you stand is someone trying. The rest is an incomplete picture.
If you are not sure which one fits your moment, that is a conversation worth having before you ask for a quote. Write to us at [email protected].