Vulnerability Scanning and Penetration Testing – Know the Difference

There are a variety of different ways to assess the security integrity of the systems that process, store, or transmit your information assets. But I find it odd that this far down the cyber security road, a lot of businesses still don’t understand the basic difference between Vulnerability Scanning and Penetration Testing. I know it seems like a no-brainer, right?

However, it’s not always clear. Around 20% of our clients who request a security penetration test proposal come back to us saying that they found the same service for a fraction of the price. We immediately understand that they bought a scan, not a test, since our services are far from expensive by market standards.

Sure enough, they will then show us the “testing” report they received a few weeks later and we will politely point out the Nessus brand name and copyright in the document’s footer and patiently explain to them that the “testing provider” just ran vulnerability scanning software against the systems and printed out the report. Something they most likely could have done themselves had they understood the difference.

Part of the problem is that testing service providers don’t take the time to explain to their clients the difference between a scan and a test. If the client wants a test but can only afford a scan, some providers will oblige and deliver the scan reports as testing deliverables. Not good.

A tell-tale sign of this bait-and-switch move is that the title of the report does not contain the word “penetration”. I’ve seen them called “Security Test Reports”, “Cyber Security Test Report of Findings” or, my favourite, “Security Health Check Reports”.

OK. I got that off my chest so let’s move on to the definitions of what a security vulnerability assessment is and its inherent value.

Security Vulnerability Assessments

Firstly, in the world of information risk management, a security vulnerability assessment is the process of identifying potential weaknesses in the people, processes, and technology that process, store, or transmit your information assets. Each area requires a separate evaluation to identify the associated vulnerabilities that, if exploited, could have an adverse impact on an information asset. Right?

To identify, classify and prioritise the security vulnerabilities associated with the computer systems, applications and network infrastructures that process our information assets, we conduct vulnerability assessment or analysis (VA) scanning of these systems. VA scanning is an inspection of the potential points of exploit on a computer or network to identify any security holes such as default passwords, missing patches or legacy builds. A VA scan detects and classifies these weaknesses against the assumption that they are exposed to an attacker.

Are they helpful? Absolutely. Conducting routine security vulnerability scanning is the best way to ensure the ongoing security integrity and resiliency of your systems. Regular scanning, and of course remediation of the vulnerabilities found in scans, ensures the best security configuration levels are maintained and significantly reduces your risk of a breach.
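To make the “identify, classify and prioritise” workflow of a routine VA programme concrete, here is an added example of the triage step that sits between a scan and remediation. It is not code from the original post or from Risk Crew, and it does not read a real scanner’s export format: the findings, field names, category labels and priority weights are all constructed for the example. It collapses duplicate findings, maps CVSS v3 base scores onto the standard qualitative bands, ranks what to fix first, and flags the findings a scanner can only infer (so that a tester would need to confirm them by hand).

```python
"""
Added example: triaging vulnerability-scan output the way a routine
VA programme would (identify -> classify -> prioritise -> remediate).
Findings, field names and weights are constructed for this example;
they are not a real scanner's export format.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str            # name of the scanner check that fired
    category: str         # default_password | missing_patch | legacy_build | weak_config
    cvss: float           # CVSS v3 base score as reported by the scanner
    internet_exposed: bool
    exploit_public: bool  # scanner believes a public exploit exists


# Constructed sample output (not from a real scan). Note the duplicate on
# 10.0.0.5, which scanners produce when a host is reached twice.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "SSH default credentials", "default_password", 9.8, True, True),
    Finding("10.0.0.5", "SSH default credentials", "default_password", 9.8, True, True),
    Finding("10.0.0.7", "Missing OS security patch", "missing_patch", 7.5, False, True),
    Finding("10.0.0.9", "End-of-life web server build", "legacy_build", 5.3, True, False),
    Finding("10.0.0.9", "Weak TLS cipher suites enabled", "weak_config", 3.7, True, False),
]

# These weights are an assumption of this example, not an industry standard.
EXPOSURE_WEIGHT = 1.5
EXPLOIT_WEIGHT = 1.3

# Categories a scanner infers from banners/config rather than confirms by
# exploiting; which ones count is an assumption of this example.
INFERRED_CATEGORIES = {"legacy_build", "weak_config"}


def classify(finding: Finding) -> str:
    """Map a CVSS v3 base score onto the standard qualitative bands."""
    s = finding.cvss
    if s == 0.0:
        return "None"
    if s < 4.0:
        return "Low"
    if s < 7.0:
        return "Medium"
    if s < 9.0:
        return "High"
    return "Critical"


def priority_score(finding: Finding) -> float:
    """Remediation rank: base score, raised when the host is reachable from
    the internet and again when an exploit is already public."""
    score = finding.cvss
    if finding.internet_exposed:
        score *= EXPOSURE_WEIGHT
    if finding.exploit_public:
        score *= EXPLOIT_WEIGHT
    return round(score, 2)


def dedupe(findings):
    """Collapse repeated (host, check) pairs so each issue is fixed once."""
    seen = set()
    unique = []
    for f in findings:
        key = (f.host, f.check)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def prioritise(findings):
    """Unique findings ordered for remediation, highest priority first."""
    return sorted(dedupe(findings), key=priority_score, reverse=True)


def needs_manual_validation(finding: Finding) -> bool:
    """True when the scanner reported the issue on the assumption that it is
    exposed and exploitable; only hands-on testing confirms that."""
    return finding.category in INFERRED_CATEGORIES


def category_summary(findings):
    """Count unique findings per category, e.g. to track patching over time."""
    return dict(Counter(f.category for f in dedupe(findings)))


def remediation_plan(findings):
    """Rows a remediation report would list, in the order to work them."""
    return [
        {
            "host": f.host,
            "check": f.check,
            "severity": classify(f),
            "priority": priority_score(f),
            "verify_manually": needs_manual_validation(f),
        }
        for f in prioritise(findings)
    ]


if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(row)
    print(category_summary(SAMPLE_FINDINGS))
```

Running the file prints the four unique findings in priority order (the default-credential host first, the weak TLS configuration last) followed by the per-category counts. The `verify_manually` flag is the point of contact with the rest of this post: a scan can say that a build looks end-of-life or a cipher suite is weak, but whether that is actually reachable and exploitable in your environment is what a penetration test establishes.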

Scanning, however, is very different from penetration testing.

Security Penetration Testing

Security penetration testing is the process of identifying, assessing, and attempting to exploit security vulnerabilities associated with computer systems, applications, and network infrastructures to obtain unauthorised access. The objective of penetration testing is to simulate an attack by an intruder and in doing so, “test” the security configuration and controls implemented to prevent a “penetration” of your defences.

To do this, a penetration test must be done with skills that a vulnerability scan cannot replicate. A penetration tester must be able to identify vulnerabilities manually, so as to spot them as they occur. Using programs or scripts to speed this up is ideal, but the core requirement is the additional understanding and experience that a vulnerability assessment does not require.

Penetration testing is an “art” and good testers are indeed artists. They look at the canvas of vulnerabilities and don’t just “connect the dots” – they visualise and execute the attack that could result in access. So, the outcome of a good penetration test is a real-world evaluation of the vulnerabilities in your application/network.

What we all too often forget is that cyber security is an oxymoron. There is no such thing as a “secure” computer, system, application, or network. All hardware and software are inherently vulnerable. A penetration tester knows this and approaches each test with the objective of finding the specific vulnerability (or combination of vulnerabilities) that should be addressed to reduce the real risk of a breach.

Why both are important

Conducting routine VA scanning ensures the ongoing security integrity of your systems, and remediation of the vulnerabilities identified helps to reduce your risk of a breach. But we all know there is no such thing as a “secure” computer, system, application, or network – this is where the value of a good, thorough security penetration test is abundantly clear. A tester knows this and approaches each test with the objective of finding the specific vulnerability (or combination of vulnerabilities) that should be addressed to reduce the real risk of a breach.

Risk Crew’s experienced security engineers have been delivering Security Testing and Vulnerability Assessment Scanning for two decades. If you’re ready to make the jump into implementing a security testing programme, we’ll provide the safety harness.


Risk Crew