Penetration testing and vulnerability scanning are not the same thing.
It's not difficult to make vulnerability scanning a "value add", and then consult on how to fix the issues found. It's also a way to get your foot in the door to do more work, if you can create a good relationship with the client. Vulnerability scanning is reasonably easy (there are online services that you can resell). It's a good place to start, while you ramp up your skills.
Penetration testing is considerably more technical, and it can cause problems with the relationship to the client. The whole point of a penetration test is to show that the admins have egg on their faces.... And not just admins, since you can also test physical security if the project is scoped right. (Google "how I legally robbed a bank.")
It's entirely possible to provide both services: a blue team for vulnerability scanning and remediation, and a red team for true penetration testing.