Back to Basics: Vulnerability Assessments vs Penetration Test
Chances are that you have heard the term vulnerability assessment used interchangeably with pentest, or vice versa. If you haven’t, consider yourself lucky (or perhaps you work with orgs keeping up with the times). There is also a good chance that you have been part of a team that performs penetration tests and been asked to perform a test, only to find out it isn’t a pentest but just a vulnerability assessment.
The purpose of this quick read is to help illustrate the great differences between vulnerability assessments and pentests.
Vulnerability Assessments vs Pentesting
Vulnerability Assessment
A vulnerability assessment identifies issues such as system vulnerabilities and some misconfigurations on hosts within a network. Also known as targets, these hosts are typically scanned with some type of network or system scanning tool such as Nessus, Nexpose, or OpenVAS. The tool scans the host and delivers a report based on the results of the scan. Different types of scans can be run for different results or reasons.
- Credentialed scans allow the scanners to fully scan the machines and find both internal and external vulnerabilities on the host. These are the preferred scans because they give a full…
