TL;DR: A vulnerability scan is automated and broad — it quickly checks your systems against known issues and flags what looks wrong. A penetration test is manual and deep — a skilled tester actively tries to exploit weaknesses to see what's really reachable. You want both: scan often, pen-test periodically. Kalenfy's free scan is the fast, broad starting point.
What a vulnerability scan does
It's automated coverage: a tool checks your domain, configuration or systems against a database of known weaknesses (missing security records, exposed files, outdated software, weak settings) and reports them with severities. It's fast, repeatable and cheap — ideal for running regularly to catch regressions. Our scan is a passive example: it reads your public DNS and email-security setup and grades it in seconds.
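As an added illustration of the kind of passive check described above (this is not Kalenfy's scanner; the specific checks, the grade scale and the sample zone are assumptions constructed for the example), the following grades SPF and DMARC TXT records and reports each finding with a severity:

```python
# Added example (not Kalenfy's scanner): passive grading of SPF/DMARC TXT records, constructed data.
SEVERITY_ORDER = ["low", "medium", "high"]
GRADES = {None: "A", "low": "B", "medium": "C", "high": "F"}  # hypothetical grading scale

def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return [("high", "no SPF record published")]
    if len(spf) > 1:
        return [("high", "multiple SPF records; receivers treat this as a permanent error")]
    terms = spf[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:  # a bare "all" defaults to the "+" qualifier
        return [("high", "SPF allows every sender (+all)")]
    if "?all" in terms:
        return [("medium", "SPF is neutral (?all) and rejects nothing")]
    if not any(t in ("-all", "~all") or t.startswith("redirect=") for t in terms):
        return [("medium", "SPF has no 'all' mechanism or redirect")]
    return []

def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "no DMARC record published")]
    pairs = (part.partition("=") for part in dmarc[0].split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs}
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return [("high", "DMARC record has no valid p= policy")]
    if policy == "none":
        return [("medium", "DMARC policy is p=none (monitoring only)")]
    return []

def scan(domain, zone):
    """Grade one domain from TXT records in `zone` (name -> list of TXT strings)."""
    findings = check_spf(zone.get(domain, [])) + check_dmarc(zone.get("_dmarc." + domain, []))
    worst = max((s for s, _ in findings), key=SEVERITY_ORDER.index, default=None)
    return GRADES[worst], findings

# Constructed sample zone (example.com / example.org are reserved documentation domains).
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 ip4:192.0.2.10 ?all", "site-verification=constructed"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name in ("example.com", "example.org", "example.net"):
        print(name, *scan(name, SAMPLE_ZONE))
```

A live check would read the same TXT records from public DNS instead of the embedded dictionary; the grading logic is unchanged.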
What a penetration test does
A pentest is a human exercise. A tester, with permission, actively probes and chains weaknesses the way a real attacker would — to prove what an attacker could actually achieve, not just what might be wrong. It finds logic flaws and combinations automated tools miss, but it's scoped, scheduled and more expensive.
At a glance
| | Vulnerability scan | Penetration test |
|---|---|---|
| Method | Automated | Manual (human-led) |
| Depth | Broad, known issues | Deep, real exploitation |
| Speed / cost | Fast, low cost | Slower, higher cost |
| Cadence | Frequent / continuous | Periodic (e.g. yearly) |
Which do you need?
Most small businesses should start with regular scanning — it catches the common, high-impact issues cheaply and often. Add a penetration test when you handle sensitive data, have a custom application, or need it for compliance. They're complementary: the scan keeps the basics clean; the pentest validates the hard parts.
Where Kalenfy fits
The free scan is your broad, repeatable check — passive and non-intrusive, covering DNS and email security now and the full passive surface in your deeper report. For a hands-on, authorised deeper review, reply to your report and we'll scope it — we're developers, and any active testing only ever happens with your explicit permission.
FAQ
Is a vulnerability scan enough on its own?
For many small businesses, regular scanning plus fixing what it finds covers the majority of real-world risk. Pen-testing adds depth where it matters.
Is scanning my own site legal?
Passive checks on your own domain, yes. Active testing should only be done with the owner's explicit authorisation.
How often should I scan?
Regularly, and after any change to your DNS, email tools or site — it's quick, so there's no reason not to.
Start with the broad check today. Scan your domain, then reply to your report — we're developers and we can take it deeper with your permission.