Glossary
Vulnerability Scan vs Penetration Testing
A vulnerability scan identifies known weaknesses by pattern matching against signature databases (CVE lookups, version fingerprinting, configuration checks). A penetration test goes further: it actively exploits weaknesses to confirm they're real and reachable, then chains them into business-impact scenarios. Both have a place; only one tells you what an attacker would actually achieve.
Side-by-side
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| Output | List of potential issues | Verified-exploitable findings |
| False-positive rate | High (often 40%+) | Low (validator suppresses) |
| Business-impact chain | No | Yes (chained exploits) |
| Frequency | Continuous (cheap) | Annual or per-release |
| Cost | €500-5k/year | SQUR: €1,995 per scan; traditional: €15-30k per engagement |
| Compliance acceptable | Limited (some controls) | Yes (full evidence for DORA, NIS2, ISO 27001) |
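To make the scan-versus-pentest distinction concrete, here is an added example (not SQUR's code, and not from the original page) of the two stages in miniature. Stage 1 is what a vulnerability scanner does: fingerprint a version string out of a service banner and look it up in an advisory table. Stage 2 is what a pentest adds: a finding is reported as verified only when a separate validation step confirmed it, and a checked-but-not-exploitable finding is suppressed. The advisory IDs, version ranges, hostnames, banners and validation outcomes are all constructed placeholders; the validation step itself is modelled only as its result, passed in as a dictionary. The example also shows the classic false-positive source the table's "High (often 40%+)" row refers to: a distro build string under an old upstream version number, where the fix may have been backported and the version alone proves nothing.

```python
import re
from dataclasses import dataclass, replace

# Constructed advisory table. IDs are placeholders, not real advisory numbers.
# Each entry: (product, first affected version, first fixed version, advisory id)
ADVISORIES = [
    ("nginx", (1, 20, 0), (1, 25, 4), "ADV-PLACEHOLDER-1"),
    ("OpenSSH", (8, 5), (9, 8), "ADV-PLACEHOLDER-2"),
]

BANNER_RE = re.compile(r"(?P<product>nginx|OpenSSH)[/_](?P<version>\d+(?:\.\d+)+)(?P<rest>.*)")
# Distro build strings that commonly carry backported fixes under an old upstream version number
DISTRO_HINT = re.compile(r"ubuntu|debian|deb\d|el\d|\.fc\d", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    banner_version: str
    advisory: str
    status: str  # "candidate" (scanner output); "verified" or "suppressed" after validation
    note: str


def parse_version(text: str) -> tuple:
    """'1.22.1' -> (1, 22, 1); tuples compare element-wise, which is what a range check needs."""
    return tuple(int(part) for part in text.split("."))


def scan(banners):
    """Stage 1, what a vulnerability scanner does: fingerprint the version and look it up."""
    findings = []
    for host, banner in banners:
        m = BANNER_RE.search(banner)
        if not m:
            continue
        version = parse_version(m["version"])
        for product, first_affected, first_fixed, advisory in ADVISORIES:
            if m["product"] != product or not (first_affected <= version < first_fixed):
                continue
            if DISTRO_HINT.search(m["rest"]):
                note = "distro build; fix may be backported, version string alone is not proof"
            else:
                note = "upstream version inside affected range"
            findings.append(Finding(host, product, m["version"] + m["rest"].strip(),
                                    advisory, "candidate", note))
    return findings


def validate(findings, evidence):
    """Stage 2, what a penetration test adds: report only what was actually confirmed.

    `evidence` maps (host, advisory) to True (confirmed reachable and exploitable) or
    False (checked and not exploitable). It comes from a separate validation step that is
    not modelled here; the values used below are constructed for the example.
    """
    validated = []
    for f in findings:
        result = evidence.get((f.host, f.advisory))
        if result is True:
            validated.append(replace(f, status="verified"))
        elif result is False:
            validated.append(replace(f, status="suppressed",
                                     note=f.note + "; validation found no exploitable behaviour"))
        else:
            validated.append(f)  # never checked: stays a candidate, never reported as verified
    return validated


def false_positive_rate(validated):
    """Share of checked scanner candidates that validation threw out."""
    checked = [f for f in validated if f.status in ("verified", "suppressed")]
    if not checked:
        return 0.0
    return sum(f.status == "suppressed" for f in checked) / len(checked)


# Constructed sample banners (hostnames and versions invented for the example)
SAMPLE_BANNERS = [
    ("web-1", "Server: nginx/1.22.1"),
    ("web-2", "Server: nginx/1.26.0"),
    ("bastion", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10"),
]
# Constructed validation outcomes: web-1 confirmed, bastion checked and found patched
SAMPLE_EVIDENCE = {
    ("web-1", "ADV-PLACEHOLDER-1"): True,
    ("bastion", "ADV-PLACEHOLDER-2"): False,
}

if __name__ == "__main__":
    results = validate(scan(SAMPLE_BANNERS), SAMPLE_EVIDENCE)
    for f in results:
        print(f"{f.host:8} {f.advisory:18} {f.status:10} {f.note}")
    print("scanner false-positive rate on checked candidates:", false_positive_rate(results))
```

On the constructed input, the scanner stage produces two candidates (web-1 and bastion) and stays silent on web-2; after validation, web-1 is verified, bastion is suppressed because its Ubuntu build had the fix backported, and the measured false-positive rate of the scanner stage is 0.5. A candidate that validation never looked at keeps the status "candidate", which is the honest label for everything a scanner alone can tell you.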
When you need both
Continuous vulnerability scanning (Nessus, Qualys, OpenVAS) is good hygiene — cheap, fast, and it catches obvious misconfigurations and missing patches. But for compliance evidence and meaningful security insight, scans aren't enough. The classic combination: continuous scanning + periodic pentesting + bug bounty for the long tail. Many organisations have the first two backwards: heavy investment in scanners that produce 200-page reports of theoretical issues, and only occasional pentests that find what actually matters.
What SQUR is
SQUR is not a vulnerability scanner. We do penetration testing — the autonomous pipeline plans attacks, executes them, and validates each finding by attempting exploitation before reporting it. The free attack-surface scan at the top of our funnel does light surface enumeration; converting that into a full SQUR pentest moves from "here's what scanners see" to "here's what an attacker actually exploits."
Frequently asked questions
Does our scanner replace a pentest?
No, and any vendor telling you otherwise is selling you a scanner. Scanners find candidates; pentests verify which candidates an attacker actually exploits. Most regulators (DORA, NIS2 Art. 21(2)(d), ISO 27001 A.8.29) expect both.
Why is SQUR so much cheaper than traditional pentesting?
Autonomy. The exploration / planning / exploitation / validation pipeline runs without paying for senior pentester hours by the day. Human pentesters remain better at novel business-logic exploits and adversarial red-team simulation — SQUR is better at coverage, speed, and verifiable evidence at scale. Different categories; different price points.