There is a specific kind of bill that makes our operators wince: the $1,500 "penetration test" that is a vulnerability scan with the logo swapped. It is not that scanning is useless — we run scanners too. It is that a scan and a test answer fundamentally different questions, and selling one as the other leaves a gap an attacker will happily fill.
A scanner answers "what is potentially wrong?" It fires known checks at your assets and lists what matches. That is genuinely useful as a first pass and as continuous coverage between tests. But a scanner cannot reason. It cannot notice that a low-severity information leak on one endpoint hands an attacker the exact token format needed to forge a session on another. It cannot chain three "informational" findings into account takeover. Attackers chain. Scanners list.
A penetration test answers "what can an attacker actually do?" A human operator starts where the scanner stops — taking the boring findings and asking whether they combine into something that matters. In our experience the highest-impact finding in an engagement is almost never the highest-severity item a scanner would flag. It is the chain. The forgotten debug header plus the predictable ID plus the missing authorization check.
The tell is in the delivery. A real test has a scoping call, a rules-of-engagement document, and a report written by the person who did the work, with reproduction steps a developer can follow. It takes days to weeks, not hours. If you were quoted a same-day turnaround at a price that seems too good, you are almost certainly buying a scan. Buy the scan if you want the scan. Just do not let anyone tell you it is a test.