Comment by bitexploder

The difference is the level of knowledge required. Deep vs wide. To pick a nit, too, customers use the term pen testing very broadly. So, it could just be internals and externals, could be app sec, etc. I haven’t found a ton of changes all that important in the last decade in web app testing.