Vulnerability Assessment vs Penetration Testing

To protect your business from attackers, you first need to know what level of risk it faces. You can then decide whether a penetration test or a vulnerability assessment is the right exercise. It is important to understand the difference between the two and the different levels of assurance each provides against the threat that attackers pose. In practice, both vulnerability assessments and penetration tests should be carried out regularly as part of your cyber security programme, as each has its own benefits.

Over the last couple of years, the threat landscape has changed. Large businesses were previously the main target of cyber-attacks, and in response Sapphire has seen an increase in the attention given to cyber security at board level in those organisations. As large businesses have hardened, attackers have increasingly turned to SMEs. A larger business, by its nature, is better able to absorb the financial blow of a cyber-attack, a blow that might destroy a smaller enterprise. Even so, larger businesses can suffer considerable losses of revenue and reputation. With cybercrime on the rise, it is therefore becoming increasingly important for businesses of every size to strengthen their cyber security defences.

Vulnerability Assessment

A vulnerability assessment is usually delivered with automated network security scanning tools. It shows which known vulnerabilities your systems are susceptible to and where on the network they sit. It also rates the severity of each vulnerability against an industry-standard scale (such as CVSS).

While the information gathered may indicate that a vulnerability is exploitable, this is not verified. Something that shows as relatively low risk in a vulnerability assessment may turn out to be far more dangerous once a penetration test is carried out. For instance, an attacker might be able to compromise a system normally deemed unimportant and then pivot from it to take control of a far more critical system.

Penetration Testing

Penetration testing entails identifying vulnerabilities in a system and then attempting to exploit them. The tester actively exploits the identified weaknesses to establish whether they are genuine; essentially, a pentester attempts to break into the system with the client's consent. This exploitation stage is normally absent from a vulnerability assessment. A penetration test will also report vulnerabilities that could not be exploited in the time available; these are usually declared as theoretical findings, which is distinct from a false positive.

The Differences

One of the key differences between vulnerability assessment and penetration testing lies in the value each offers to our clients. A vulnerability assessment exposes the range of possible weaknesses in a system. In contrast, penetration testing shows which vulnerabilities in a system can actually be exploited. Further differences can be seen in:

  1. Breadth vs Depth

These two aspects together constitute vulnerability coverage, one of the main distinctions between the two techniques. A vulnerability assessment aims to expose as many weaknesses as possible across the whole estate: breadth over depth. It is therefore run regularly to confirm that a system remains secure, and because the findings are prioritised by risk, clients can allocate time and resource to remediation accordingly. A penetration test concentrates on a defined target and probes how far each weakness can be pushed: depth over breadth. It should also be carried out regularly as part of a robust testing regime, and in particular whenever a new system or application goes live, so that the client can be confident its security holds up against a determined attacker.

  2. Level of Automation

Typically, a vulnerability assessment is automated to allow for as broad a vulnerability coverage as possible. Penetration testing, by contrast, combines automated tooling with manual techniques to allow for deep inspection of the system's weaknesses.

  3. Expertise

A vulnerability assessment is automated, so it can be performed by in-house security personnel if needed. However, depending on the size and frequency of the scanning, managing the output, prioritising the findings and tracking their remediation can be a challenge. Penetration testing, on the other hand, requires highly skilled practitioners. Few clients have the resource available to carry this out internally, and security testing best practice recommends that organisations periodically rotate the individuals who perform testing to preserve objectivity. It is therefore preferably outsourced to service providers who specialise in this security assurance technique.

  4. Frequency

Ideally, a vulnerability assessment is performed every 14 days, in line with the organisation's patching cycle. Ad-hoc scans should be run as the need arises, for example when changes have been made to a system or the network. Penetration testing is most often carried out annually, or more frequently where compliance requirements demand it. It can also be performed more regularly for systems that are not yet security-mature, so that weaknesses are found as the system evolves rather than only at the yearly test.

  5. Reports

A vulnerability assessment report comprises an extensive list of possible weaknesses, with the high-risk vulnerabilities prioritised to help the business allocate adequate resource accordingly. A penetration testing report records the weaknesses that were successfully exploited (together with any confirmed but unexploited, theoretical findings), along with solutions and remediation advice, making it essentially a "call-to-action" document.

Understanding the Scope of Cybercrime

One of the most common attacks is phishing. This attempts to get a user to click on a link or open an attachment, usually delivered by email, that leads to malicious content such as malware. That malware might steal usernames, passwords, or credit or debit card details, or, in the case of ransomware, it might encrypt your company's systems and make them inaccessible. The criminals then demand a ransom to unlock them.

Every user has an 'off day' and is vulnerable to phishing, and even more so to spear phishing, where the message is tailored to them personally. Specialised security awareness training can reduce this threat, but it is difficult to eliminate. The only way to know the extent of the damage such an attack might cause is with a penetration test, which lets a company build a defence-in-depth plan around what the tester was actually able to reach. If a criminal does compromise your network, you do not want them to be only a few steps away from your most critical servers.

Another major security problem that companies face is the malicious or careless insider. It is all very well having someone scan your network from the outside; however, if an employee is disgruntled or under pressure, the risk from inside is far greater. A vulnerability assessment can show you where your internal vulnerabilities lie and give an indication of the damage an insider might be able to do. A penetration test can show the level of risk at each privilege level that users hold in your business: whether a low-privileged user's access can be escalated and used to gain complete control of systems at the executive level.

What can be said of infrastructure also applies to web applications. A web application vulnerability assessment is only going to show you what vulnerabilities appear to be present. It might flag the application as vulnerable to SQL injection, but it does not indicate how important the underlying database is, nor does the flag alone prove that the application is actually exploitable. Scanners can return false positives, and conversely an attacker could be exploiting a weakness that the scanner rated as minor. A penetration test will authenticate to the application and test the user journey and site functionality for each user role type against the OWASP guidelines.
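The distinction drawn above and in the vulnerability assessment section, between a scanner flagging a finding and a tester proving it, is illustrated by the following added example (it is not code from the original article or from Sapphire). It builds a constructed in-memory SQLite database with three hypothetical login handlers: one built by string concatenation, one parameterised, and one parameterised but with noisy input validation. A scanner-style error-based probe is then compared with a pen-tester's exploitability check. The table schema, user records, handler names and probe payloads are all made up for illustration.

```python
"""
Added example (not from the original article): an error-based scanner probe
versus a pen-tester's exploitability check, run against a constructed SQLite
database. Handler names, schema, user records and payloads are illustrative.
"""
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input is parsed as SQL syntax (injectable)."""
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def login_validating(conn, username, password):
    """Safe (parameterised) but noisy: rejects odd characters with an error.

    A probe containing a quote makes this handler fail, which an error-based
    scanner check mistakes for SQL injection. This is the false-positive case.
    """
    if not username.isalnum():
        raise ValueError("invalid username")
    return login_hardened(conn, username, password)


def scanner_probe(handler, conn):
    """Scanner-style heuristic: flag the handler if a stray quote makes it error."""
    try:
        handler(conn, "x'", "y")
    except Exception:
        return True
    return False


def verify_exploitable(handler, conn):
    """Pen-test style proof: comment out the password check and log in as admin.

    Against the string-built query the payload becomes
      ... WHERE username = 'alice' --' AND password = 'wrong-password'
    and everything after '--' is an SQL comment.
    """
    try:
        return handler(conn, "alice' --", "wrong-password") == "admin"
    except Exception:
        return False


def assess():
    """Return {handler_name: (flagged_by_scanner, confirmed_exploitable)}."""
    conn = make_db()
    handlers = {
        "vulnerable": login_vulnerable,
        "hardened": login_hardened,
        "validating": login_validating,
    }
    return {name: (scanner_probe(h, conn), verify_exploitable(h, conn))
            for name, h in handlers.items()}


if __name__ == "__main__":
    for name, (flagged, exploitable) in assess().items():
        verdict = ("confirmed" if flagged and exploitable
                   else "false positive" if flagged
                   else "not flagged")
        print(f"{name:11s} flagged={flagged!s:5s} exploitable={exploitable!s:5s} -> {verdict}")
```

Run stand-alone, the script reports the string-built handler as flagged and confirmed, the parameterised handler as not flagged, and the validating handler as flagged but not exploitable: exactly the false positive that a penetration test weeds out and a scanner on its own cannot.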


In short, both vulnerability assessments and penetration testing play an essential role in a cyber security strategy. A vulnerability assessment can undoubtedly point to the problem areas in your security posture, indicate how to fix them and help you prioritise the urgency. However, it is not a targeted assessment: it will not directly answer whether your business-critical systems can be compromised. It will simply demonstrate that a potential vulnerability exists in a specific place.

To understand the extent of the damage an attacker could do, a penetration test is necessary. It removes the false positives from the vulnerability assessment and ranks the remaining vulnerabilities by severity with greater accuracy. Most importantly, it allows you to mitigate the real risks more efficiently, leaving your company more secure than a vulnerability assessment alone would.
