Penetration Tests vs. Vulnerability Assessments

The terms Vulnerability Assessments and Penetration Tests are often incorrectly used interchangeably due to marketing hype and casual use by non-experts. Regulatory requirements and vendor management expectations also exacerbate this issue as they will often call for penetration tests when vulnerability assessments are better suited for the particular organization. This results in confusion and wasted time/resources. While it is true that a penetration test requires a much greater level of skill to perform, it is not inherently “better” than a vulnerability scan. In reality, the best test for an organization will depend all on the end goal.

Vulnerability Assessments utilize automated jobs to systematically scan networked devices for known vulnerabilities, typically compiled from CVE (common vulnerability and exposures) along with default/open credentials. Simple scripts can also be loaded to perform brute force password guessing attempts. The goal is to assess critical security risks and vulnerabilities and report findings.

Penetration Tests are performed by highly skilled information security experts who emulate real world tactics to determine whether or not a security posture could withstand a prolonged attack by a dedicated and skilled perpetrator. The goal is to leverage this assessment to correct critical security risks and vulnerabilities.

Vulnerability AssessmentsPenetration Tests
GoalsDiscover all of the vulnerabilities that could be exploited in an attack.Find out what damage could be done by exploiting some of the existing vulnerabilities.
Real World ExamplesChecking all exterior and interior doors to determine if they are locked and secured properly.Entering through the first available open door and searching the interior.
FocusBREADTH OVER DEPTH: All in-scope devices are considered and all known vulnerabilities will be categorized.DEPTH OVER BREADTH: Few devices may be touched and many vulnerabilities which may exist may not make the final report, which will consist of greater detail on fewer vulnerabilities.
TacticsLOUD AND FAST: Scans make no attempt to hide what they are doing and are very noisy and obvious.LOW AND SLOW: Stealthy and attempt to evade defense protocols.
Recommended Organization Maturity LevelLOW TO MODERATE: An organization which does not regularly scan or does not have the capability to perform scans on their own, or organizations which consistently have unmitigated critical or high vulnerabilities. MATURE: Better suited for organizations that have undergone and passed routine vulnerability scans and are looking to take the next step.
TestsPreventative controls which prevent unauthorized system access and control. Detective and reactive controls which detect and respond to a malicious presence.
penetration testing