Comparison · 4 July 2026 · 6 min read

Vulnerability scan or penetration test: which does your business actually need?

By Matt Owen, Auto Alpha Security


A vulnerability scan and a penetration test are not the same purchase, and most South African businesses are choosing between them for the wrong reason. Short answer: yes, a scan is cheaper — meaningfully so — and for evidencing POPIA §19 it is usually the right-sized choice. You step up to a manual pen test when a specific standard, or a specific kind of risk, actually demands one. Here is how to tell which you are.

What each one actually is

A vulnerability scan is an active, largely automated test of your live application. Tooling probes the app for known weakness classes — injection, broken access control, exposed panels, misconfiguration, cross-site scripting — and reports what it finds. Its strength is breadth and repeatability: it covers a lot of surface quickly and you can re-run it. Its classic weakness is noise. A raw scanner throws false positives, and someone still has to separate the real findings from the guesses.

A penetration test is a human exercise. A tester uses tools too, but the value is the person — chaining a low-severity foothold into a real breach, reasoning about your business logic, reaching the flaws no scanner has a signature for. That depth is exactly why it costs what it does. A pen test is not a longer scan; it is a different activity with a person at the centre.

Scan vs pen test — the decision

                        Confirmed scan                     Manual pen test
Depth                   Broad, known weakness classes      Deep — chained + business-logic flaws
Cost (SA)               R8k–R20k once-off                  From ~R35k, past R150k
Turnaround              Days                               Weeks
What POPIA §19 needs    Right-sized evidence ✓             Not required by §19
Same goal, different purchase. A pen test buys depth; a confirmed scan buys right-sized POPIA §19 evidence in days.

Depth, cost, and time — the honest trade

The reason a scan is cheaper is not a marketing framing; it is arithmetic. A scan is machine hours plus review; a pen test is expert human hours, and those are the expensive input. In South Africa a manual pen test typically starts around R35,000 for a narrow scope and runs well past R150,000 for anything comprehensive, over a timeline measured in weeks. A confirmed scan sits in a different bracket entirely — R8,000 to R20,000, in days.

So the pen test buys you depth, and you pay for it in money and time. That is a good trade when depth is what the situation calls for. It is a poor trade when you are paying pen-test prices to answer a question a confirmed scan already answers. The skill is matching the tool to the actual requirement, not buying the most expensive option and calling it diligence.

When you genuinely need a manual pen test

Some requirements name the manual test specifically, and no scan substitutes for it. If you store or process card data, PCI DSS Requirement 11 mandates formal penetration testing at least annually and after significant change — and it expects an attestation of tester independence. Some SOC 2 audits ask for one too. And if your real exposure is business-logic depth — a pricing flow that can be gamed, a multi-tenant boundary that might leak, an authorisation matrix with sharp edges — that is human-tester territory. We will say this plainly: a pen test is deeper than a scan, and where one is required, our scan is not a substitute for it. Anyone telling you otherwise is selling you a gap.

When a confirmed scan is the right-sized evidence

For most SA small and medium businesses, the live question is not PCI or SOC 2 — it is POPIA §19. Section 19 requires “appropriate, reasonable technical and organisational measures,” and requires that you regularly verify those safeguards are effectively implemented. It does not require a manual penetration test. What it asks for is that you have identified the foreseeable risks to personal data and can show you checked. A confirmed scan produces exactly that evidence, at a fraction of the cost and time — which is the whole reason “right-sized” is the standard, not “most expensive.”

Where our Deep Scan sits

Deep Scan is the confirmed, automated-first end of this spectrum, done for you. It is active black-box testing of your live app, but every finding is reproduced against the running site with a re-runnable proof before it reaches you — so you get zero false positives on confirmed findings, not a raw scanner dump to triage yourself. Each confirmed finding is mapped to MITRE ATT&CK, NIST CSF, OWASP and CWE, so a reviewer can check it independently. It is operator-run, never without your written authorisation and proof of domain ownership, and it lands in days rather than weeks, at R8,000 to R20,000 once-off.

So the decision comes down to the requirement in front of you. Card data, a SOC 2 auditor asking for one, or real business-logic exposure — you need a manual pen test, and we will point you to people who do that work properly. Evidencing POPIA §19 for a live web app — a confirmed Deep Scan is the right-sized answer. Send us your domain and we will tell you, honestly, which side of that line you are on before you spend anything.