Although not as granular as a penetration test, when you need confidence and coverage Vulnerability Scanning is the next best thing.
A view of your online landscape, reported with action lists and revisited with frequency as per your requirements.
This is usually done as an unauthenticated user, a view that a person online would have and what that person could learn from information available
Internal Vulnerability Scan
Things are getting serious. Internal Vulnerability Scans are a really good way to align focus on the biggest problems in your environment, reoccurring issues that might be fixed at policy level or at OPs level, or even just to validate that you have done a bloody good job! there is more value in an authenticated internal vulnerability scan but if you only need unauthenticated scans to keep Internal Audit off your back that's, not as good but it is absolutely better than no scanning at all.
You'll get 'the skinny' when the scan has been completed and interpreted in context of your environment and you will also get a comprehensive report for the security team to action fixes and for businesses to acknowledge and action risks