Explain the difference between a vulnerability scan and a penetration test to a non-technical stakeholder.