One of the most common issues we (and consultants at other consulting firms) experience is the fact that many individuals do not understand the difference between a vulnerability assessment and penetration test. This could result in an organization not receiving the maximum value of an internal or external security assessment, leaving many security issues unidentified, which could give a false sense of security.

Let’s take a brief look at the differences between these two engagements.

Vulnerability Assessment

A vulnerability assessment is usually performed to discover vulnerabilities that have been publicly documented and, thus, already known. In many cases, if a specific signature has not been created to detect a vulnerability, it may not be detected during this vulnerability assessment. The following activities are usually a part of a vulnerability assessment:

  • Uses signatures that have been manually written to detect known (and sometimes unknown) vulnerabilities
  • Discovery (and sometimes validation) of vulnerabilities

Vulnerability assessments are useful for organizations that simply wish to identify what issues exist within their environment and nothing more. The benefits of these assessments include the fact that they’re usually cheaper than a penetration test and can be run without any expertise in penetration testing.

Penetration Test

A penetration test is the manual testing procedures executed by a security consultant to identify and exploit security flaws within the environment. The goal of a penetration test is not to identify all of the security vulnerabilities within your environment, but to demonstrate the impact of successfully exploiting any of the vulnerabilities that may be discovered.

The following activities are part of a penetration test:

  • Manual testing activities to identify potential weaknesses that vulnerability scanners may not always discover
  • Demonstration of the impact of successfully exploiting a vulnerability (e.g. post-exploitation)
  • Man-in-the-middle (MitM) attacks that capture traffic between end-users and systems and devices


It is important to know the difference of these two engagements to ensure you are receiving the maximum value for an assessment. By performing one or the other, it’s possible that you may have security vulnerabilities that are still exposed and have never been identified due to way the security assessment was scoped.

Frequently Asked Questions (FAQs)

Q: Should I do one or the other, or both?
A: A vulnerability assessment actually compliments a penetration test in many ways. First, a vulnerability assessment can identify the weaknesses within your environment, providing you with valuable information on security vulnerabilities that you need to fix. Secondly, a security consultant can, but may not always, use some or all of the results of a vulnerability assessment to assist with their penetration test.

In many cases, consultants that perform a penetration test also include a vulnerability assessment to provide additional value during security assessment. If a consultant is performing an internal security assessment, it’s best to maximize the value of this time and service by identifying as much as they can to help your organization.

Q: Is a penetration test really valuable if we’re conducting a vulnerability assessment?
A: There is a lot of value to be gained from performing a penetration test in addition to a vulnerability assessment. When performing a penetration test, there are additional security vulnerabilities that can be discovered that may not be discovered from a vulnerability assessment. These include, but are not limited to:

  • Identifying weaknesses within role-based permissions (e.g. user has access to certain folders and should not)
  • If credentials are obtained, a consultant may attempt to check the user’s email to find sensitive data. This could disclose additional weaknesses, such as the lack of 2FA or the lack of best practices with communicating sensitive data internally and/or externally
  • Privileged access could lead to information gathered about a compromised system that could potentially be used to access other systems, such as shared credentials and other configurations

Q: How can we determine if we’ve done one or the other?
A: While there are definitely many more signs to look out for, we’ve included just a few below.

Signs that you’ve had a penetration test done:

  • Your deliverable includes screenshots of exploited issues and demonstrates the impact of exploiting those weaknesses
  • (most cases) Your deliverable includes tailored text written specifically for your organization and considers its infrastructure and compensating controls
  • (most cases) Your deliverable highlights not only the issues, but also the strengths of your environment

Signs that you’ve had a vulnerability assessment done:

  • Your report does not include any screenshots of any attempted exploits, even if just to demonstrate unsuccessful exploit attempts, unless there are no or extremely low-severity findings
  • Your report is hundreds of pages long and does not have any text tailored to your specific environment or organization