You might have heard the terms “Vulnerability Assessment” (VA) and “Penetration Test” (PT) used in the information security industry. In fact, you may hear them used interchangeably. However, they are not the same type of engagement, and unfortunately there has been an increase in cybersecurity providers who sell Vulnerability Assessments and Scans but call them “Penetration Tests.”
In very simple terms, a Vulnerability Assessment uses automated tools to identify any known vulnerabilities or weaknesses they can find in your system. A Penetration Test goes beyond automated tools to identify weaknesses (e.g., using Social Engineering to gather login details), and then the tester manually tries to exploit those weaknesses to get deeper into the environment. As a Penetration Tester gets deeper, they may have access to more vulnerabilities, which they will then try to exploit as well.
The video below will help define the two assessments and outline the differences between them. The chart at the bottom of the page is a quick comparison to show the difference between a Vulnerability Assessment (Scan) and a Penetration Test.
But what about the difference between automated “Penetration Testing” platforms and manual Penetration Testing? This is a great question. Stay tuned for our next article on this subject.