In the past few days, months and indeed years many people have approached me and asked me a very simple question… But bare in mind that this simple question was and indeed it is a still a big dilemma between many professionals in IT security, cyber security, management, decision-makers, policy, etc.  Thereby, the question is: What is the difference between Penetration testing and Vulnerability Assessment? And of course this question was almost always couples with the question if we do penetration testing does it means that we are doing as well as vulnerability assessment? In this content, I have decided to share with you the meanings, such as, methods, approaches of each process, as well as a further reading – papers, articles and books – that could help you to distinguish this difference and of course broaden your views.

With no further do, firstly I would like to make sure that we are clear with the empirical terminologies used:

  • Vulnerability Assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system 2.
  • Penetration Testing - occasionally pentest, is a method of evaluating computer and network security by simulating an attack on a computer system or network from external and internal threats 1.

Mostly, the above two terms are confused with each other. In other words, penetration testing is necessary to determine the true attack footprint of your environment, assets, and so fort. For this reason the the difference is highlighted and fully explained below in separated sections.

Vulnerability Assessments

It is used and of course it is necessary to discovering potential vulnerabilities throughout the environment in for instance, organization, company, or even asset. Usually there different scope for such an task, nonetheless sometimes does work only by available automatic tools or through manual test as well. Usually, and please bare this in your mind that full exploitation of systems and services is not generally in scope for a normal vulnerability assessment task. Most-likely, systems are typically enumerated and evaluated for vulnerabilities and testing can be done with or without authentication. Additionally, important in fact for the management staff is the actionable reports, thus reports contain details about the mitigation strategies, for instance, applying missing patches, correcting insecure system configurations and among the others [3].

The steps to vulnerability assessments are [4]:

  1. Cataloging assets and resources in a system
  2. Assigning quantifiable value and importance to the resources
  3. Identifying the vulnerabilities or potential threats to each resource
  4. And mitigating or eliminating the most serious vulnerabilities for the most valuable resources

Penetration testing

Pen testing is coupled, or in other words it expands upon vulnerability assessment efforts by introducing exploitation into the matrix. The main purpose is to allow the business to understand if the mitigation strategies are actually working as it was expected.

Furthermore, pen testing requires a higher skill level than is needed for vulnerability analysis. Particularly, this means that the price for penetration test will be much higher than that of a vulnerability analysis [3].

Also, there are two primary types of pen tests:

  1. White box, it uses vulnerability assessment and other predisclosed information, and
  2. Black box, it performed with very little knowledge of the target systems and it is left to the tester to perform their own reconnaissance, to gather information as much as possible..

Usually, pen tests follow these steps [4]:

  • Determination of scope
  • Targeted information gathering or reconnaissance
  • Exploit attempts for access and escalation
  • Sensitive data collection testing
  • Clean up and final reporting


The key difference between those two is that pen testing goes beyond the level of identifying vulnerabilities and goes through the process of exploitation, privilege escalation, and maintaining access to the target system. Where on the other hand, vulnerability assessment provides a better picture of any existing flaws in the system with out the measuring the impact of the flaws to the system. However, vulnerability assessment carefully identifies and quantifies all the vulnerabilities in a non-invasive manner [5].


“Glossary”. ISACA. Retrieved 6 November 2013

assessment”]( Wikipedia. Retrieved 6 November 2013

[3]: Lee Allen (May 2012). ”Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide”. Packt Publishing Ltd.

[4]: Steven Drew, 2006. Vulnerability Assessments Versus Penetration Tests. SecureWorks. Retrieved 11.11.2013

[5]: Shakeel Ali and Tedi Heriyanto (2011). “BackTrack 4: Assuring Security by Penetration Testing”. Packt Publishing Ltd.