Vulnerability assessment vs. penetration testing

Even in professional circles, there often seem to be differences of opinion over the value of Vulnerability Assessment versus that of Penetration Testing. This can lead to gigs with over-prescribed scopes, resulting in poor value to the client. Let’s talk about the differences between the two and why each is important in an effort to, hopefully, better help you choose between the two in future.

What’s the difference?

Vulnerability Assessment and Penetration Testing are basically two different ways of detecting weaknesses in an organisation’s security systems. They have different sets of pros and cons and take opposing stances.

Let’s use the analogy of testing a home security system to illustrate the difference.

In Vulnerability Assessments, the focus is on breadth over depth. The aim is to find all the problems in a system’s security and any deviations from best practices, and then to make recommendations – but not to assess the potential impact. When assessing a home security system, you might check that the windows have bars that aren’t rusty, whether there’s a dog out the back that barks at strangers, if there are security cameras inside the house, and if the back-to-base alarm system triggers an alarm to your security company.

Penetration Testing is the opposite — the focus is on depth over breadth. You’re the outsider and you want to see if you can get in. You don’t necessarily try to find all the security holes, only those that get you closer to your final goal. In our home security example, your objective is to steal the TV. You ignore the rusty bars, drug the dog, jump the back fence, wear a balaclava and take the TV before the security guards arrive.

Penetration Testing is especially useful for testing your internal networks. A Vulnerability Assessment will find so many holes that it’s unlikely you’ll be able to plug them all – so you need to be in the position of knowing the priorities to fix. Penetration Testing finds holes that a Vulnerability Assessment won’t, because it’s not limited to technology factors; it looks at the way systems are actually used.

When taking a holistic view of security, Penetration Testing can involve social engineering: looking not only at a system, but how people are using and managing it. Given appropriate board-level approval, Penetration Testers will pit themselves against the organisation and its employees – trying to exploit human error, snafus and mere opportunity. These engagements provide the ultimate test of whether your security is up to scratch, and offer insight into systemic issues facing your organisation.

Different strategies and mindsets

Each exercise calls for a different strategy and mindset. Vulnerability Assessments are mostly done annually under a typical security policy. They are always done the same way: thoroughly, methodical, holistically. Penetration Tests, on the other hand, call for thinking outside the box: ingenuity, daring, imagination. Plus, by their very nature, they can only address limited potential targets.

Penetration Testing makes many organisations nervous. It can result in red faces: lackadaisical work practices on the part of the IT department; insufficient spending on security by the business. But Penetration Tests shouldn’t be circumscribed; imagine asking a security expert to review your home for insurance purposes only to tell them they can only try to get in through the steel front door.

Would you rather be a boring, methodical vulnerability assessor in a grey cardigan, or an intrepid, outrageous member of a Penetration Testing Tiger Team? Just goes to show it takes all sorts!

George Stewart

George Stewart is the Team Leader for the DXC Saltbush Assurance business unit, where he manages many of our security penetration / assurance testing engagements. He is a Crest Registered Tester (CRT) and has a degree in Software Engineering with Honours from the Australian National University. He is also experienced in audit being a registered PCI-DSS QSA and having previously held an IRAP assessor certification, has completed assessments or provided advice for a variety of government and national organisations, Internet service providers and payment gateways.


Raising your Analytics IQ

Why advanced analytics needs the cloud

Why retailers need to focus their analytics on consumers


  1. very well explained. thank you


  1. […] Vulnerability assessment vs. penetration testing […]

Speak Your Mind


This site uses Akismet to reduce spam. Learn how your comment data is processed.