Can you explain the difference between vulnerability scanning and penetration testing to a non-technical stakeholder?