Vulnerability assessment vs. penetration test: Understanding the differences

February 20, 2024
Ryan Hamrick
Security Consultant & Professional Services Manager

When we talk with clients about our services and we review our services catalog, we often hear these questions:

  • “What’s a vulnerability assessment?”
  • “What do you do during a penetration test?”
  • “Do you perform a vulnerability assessment during a penetration test?”
  • “Why do you have two service offerings for these things? Aren’t they the same?”

I understand that these two offerings can seem, on the surface, as if they are very similar services. While those of us who spend all our time in the security space at least understand the significant differences between these two activities, even for some of us security professionals, the nuance involved in each can be confusing. The good news is, with either of these offerings, the overall goal is to help enhance an organization’s security. Hopefully, by the end of this post, I have helped “demystify” some of that nuance.


What is a vulnerability assessment?

On the surface, a vulnerability assessment is exactly what you might think it is, depending on your experiences. A good analogy of the general purpose of a vulnerability assessment is to think of it as a “health check” of an organization’s security posture. It is very much like having a checkup performed by a medical professional. We will take our time, check all the systems on the network with the full collaboration of the organization, and identify potential “health” issues.

Using broad strokes, these are the key steps for a vulnerability assessment:

  1. Define the scope of the assessment. Ideally, this is 100% of the organization’s environment, including externally and internally facing assets.
  2. Coordinate credentials for the assessment team to leverage during the engagement for authenticated scanning.
  3. Configure the software and execute the scanning process.
  4. Review the results of the scanning process, then analyze and aggregate them to draft a report.
  5. Deliver the report.

As noted in the list above, vulnerability assessments rely on using vulnerability scanning software to perform the data collection portion of the assessment. An essential step in configuring this software is providing credentials for the software to log in to the target hosts. Performing a “credentialed” scan provides a deeper insight into the security posture of each device, as the authenticated software can then dig into the operating system and discover missing patches, configurations, and other potentially vulnerable items in a more “true positive” way.

When a scan is unauthenticated, the software can only infer what is running on a system from its open ports and the responses to its tests. This still provides a view of what may or may not be vulnerable on each in-scope system, but the picture is not as accurate as one produced with authenticated depth.

The most nuanced step in this process is the fourth one above, reviewing the results. While it is true that most penetration tests include a vulnerability scan of some type (more on that later), a vulnerability assessment dives deeper into the results and provides additional validation of the complete data set. A talented vulnerability assessor takes the time to slice through what is often a mountain of data, combines findings into categories (aggregating like groups of findings into more meaningful and actionable ones), and determines the most accurate, “true positive” result set to provide to our customers. This set of actionable, accurate, and aggregated findings gives our customers a roadmap that helps them move to a more secure posture as efficiently as possible.
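As an added illustration of that review step (example code, not from the original post or the author's tooling), the script below takes constructed per-host scanner rows and aggregates them into consolidated findings: like findings are grouped across hosts, the highest severity is kept, and rows from unauthenticated scanning are flagged as needing validation because they are inferred rather than confirmed. Field names and sample values are assumptions, not any scanner's export format.

```python
# Added example: consolidating raw vulnerability-scanner rows into actionable findings.
# Field names ("host", "category", "title", "severity", "authenticated") and the
# sample rows below are constructed for this illustration.
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def row(host, category, title, severity, authenticated):
    return {"host": host, "category": category, "title": title,
            "severity": severity, "authenticated": authenticated}


# Constructed sample rows: one row per (host, finding), as a scanner would emit them.
RAW_FINDINGS = [
    row("10.0.0.5", "Missing Patches", "Missing OS security update", "high", True),
    row("10.0.0.6", "Missing Patches", "Missing OS security update", "critical", True),
    row("10.0.0.7", "Missing Patches", "Missing OS security update", "high", True),
    row("10.0.0.5", "Configuration", "SMB signing not required", "medium", True),
    row("10.0.0.6", "Configuration", "SMB signing not required", "medium", True),
    row("10.0.0.9", "Outdated Software", "Outdated web server (banner)", "high", False),
    row("10.0.0.5", "Informational", "Traceroute information", "info", True),
]


def aggregate(findings, min_severity="low"):
    """Group per-host rows into one finding per (category, title), keeping the
    highest severity seen and the set of affected hosts. Findings that rest only
    on unauthenticated (banner-based) evidence are marked for manual validation."""
    threshold = SEVERITY_RANK[min_severity]
    groups = defaultdict(lambda: {"hosts": set(), "severity": "info",
                                  "confirmed": 0, "inferred": 0})
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # drop noise below the reporting threshold
        g = groups[(f["category"], f["title"])]
        g["hosts"].add(f["host"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = f["severity"]
        g["confirmed" if f["authenticated"] else "inferred"] += 1
    report = []
    for (category, title), g in groups.items():
        report.append({"category": category, "title": title, "severity": g["severity"],
                       "host_count": len(g["hosts"]), "hosts": sorted(g["hosts"]),
                       "confidence": "confirmed" if g["inferred"] == 0 else "needs validation"})
    # Highest severity first, then the most widespread finding, then by title.
    report.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -r["host_count"], r["title"]))
    return report


if __name__ == "__main__":
    for r in aggregate(RAW_FINDINGS):
        print(f'{r["severity"]:8} {r["host_count"]:2} host(s) {r["title"]} [{r["confidence"]}]')
```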


How is that different from a penetration test?

Well, the easy answer is just one word – exploitation.

I mentioned earlier that a penetration test would include a vulnerability scan. Still, in the process of a penetration test, there are two significant differences between what is done here and what is done during a vulnerability assessment:

  1. The scan results come from software that does not use any provided credentials.
  2. To maximize the time used in a penetration test, the operator will focus on the systems and vulnerabilities identified that appear to be the most exploitable.

I know what you’re saying: “You said earlier that credentials are important. We get it; move on from that and tell us what that second point means!” That second point reflects the goals of a penetration test, which go beyond those of a vulnerability assessment. We take the results of a scan, which can be performed at the onset or in the middle of the test, and leverage the information found there to actively exploit the target systems. We leverage additional tools, tactics, or procedures to use that vulnerability and gain a foothold on a system, escalate our current user privileges, or pivot onto another system within the scoped environment. We often string together several exploits that leverage vulnerabilities to those same ends.

We highlight in our reports the technical storyline of what exploit paths we chose, why we chose them, and how we were able to leverage those exploits into further system or network access. We then provide a detailed list of “true positive” findings and remediation recommendations tailored to the organization. This includes a high-level overview of the vulnerability scan results performed during the penetration test. We also provide each client with the results and our final report.

Overall, while the goals of a vulnerability assessment focus on finding weaknesses within an organization’s environment, a penetration test takes it one step further and exploits those weaknesses. This helps an organization measure the effectiveness of its security controls and determine how well it can withstand the conditions of an attack.


Both methods are critical components of a robust cybersecurity strategy and provide valuable insights to help organizations better protect their digital assets from evolving threats. Contact us today to learn how to incorporate these into your better defensive posture.
