Service type: Vulnerability Assessment — Annual (continuous); Vulnerability Assessment — One-time; Penetration Testing — Annual (VA included); Penetration Testing — One-time (VA included)
Network coverage: Internal network only; External / internet-facing only; Both internal + external
Internal IPs? Count all internal IP addresses in scope — servers, workstations, network devices.
Web / API applications in scope: None; 1 application; 2 applications; 3 applications; 4–5 applications; 6–10 applications
Active Directory in scope? No AD; AD Baseline assessment; AD Professional assessment
Compliance requirements? Compliance-driven engagements require additional evidence and audit-ready reporting. ISO 27001; PCI-DSS; NCA ECC; FRA Decree 139; None