25 Nov

Differentiating Penetration Tests, Vulnerability Scans, and Risk Assessments

Penetration testing has become another hot, and often misused, term in the marketplace, joining the ranks of buzzwords such as “Cybersecurity”, “Hacker” and “The Cloud”. Organizations often confuse penetration testing with vulnerability scans or security posture assessments (a.k.a. risk assessments).

While a penetration test does make use of vulnerability scans and overlaps with a security posture assessment, it goes well beyond scanning, enumeration and reporting.

Penetration testing differentiates itself by incorporating the following additional elements:

Executing on the Vulnerability

The goal of a penetration test is not simply to identify a potential vulnerability but to actively exploit it, demonstrating a real-world attack vector (i.e., the means of attack) that an attacker could execute against the live environment. A scanner reports that a host is probably vulnerable; a tester proves it.

Many penetration testers/ethical hackers refer to this step as “delivering the payload”. It may be as simple as opening a text editor on a highly secured server and leaving a note for the administrators, demonstrating that the system’s security has been compromised. Whatever form the proof takes, it should be non-destructive and agreed in the rules of engagement, so that the administrators can tell the tester’s note apart from a real intruder’s.
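As an added illustration of a non-destructive, attributable proof-of-access marker (example code written for this page, not from the original post or any particular firm's methodology), the snippet below writes a small JSON note keyed with an HMAC over a secret shared in the rules of engagement. The engagement identifier, tester name and secret are constructed placeholders. The client can verify the tag and know the note came from the authorized tester rather than an opportunistic attacker, and the writer refuses to overwrite any existing file.

```python
import hashlib
import hmac
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from typing import Optional

# Hypothetical shared secret from the engagement's rules of engagement.
# Constructed value for this example; a real key is distributed out of band.
ROE_KEY = b"example-roe-key-from-engagement-letter"

NOTE = ("Authorized penetration test: this host was accessed as proof of "
        "exploitation. No data was altered.")


def _canonical(body: dict) -> bytes:
    # Stable serialization so the HMAC is reproducible by the verifier.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_marker(tester: str, engagement: str,
                 hostname: Optional[str] = None, when: Optional[str] = None,
                 key: bytes = ROE_KEY) -> dict:
    """Build a proof-of-access marker.

    The body carries nothing the target does not already know about itself;
    the HMAC lets the client distinguish the authorized tester's note
    from a note left by anyone else.
    """
    body = {
        "engagement": engagement,
        "tester": tester,
        "host": hostname or socket.gethostname(),
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "note": NOTE,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}


def verify_marker(marker: dict, key: bytes = ROE_KEY) -> bool:
    """Return True only if the marker's tag matches under the shared key."""
    expected = hmac.new(key, _canonical(marker["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, marker.get("hmac_sha256", ""))


def drop_marker(path: str, marker: dict) -> str:
    """Write the marker to a new file; never clobber an existing one."""
    # Mode "x" fails with FileExistsError if the path already exists.
    with open(path, "x", encoding="utf-8") as fh:
        json.dump(marker, fh, indent=2)
    return path


def demo() -> dict:
    """Round-trip in a temporary directory; returns what was observed."""
    marker = build_marker("jdoe", "ENG-EXAMPLE-001", hostname="db01",
                          when="2024-01-01T00:00:00+00:00")
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "PENTEST_PROOF_OF_ACCESS.json")
    drop_marker(path, marker)
    with open(path, encoding="utf-8") as fh:
        reread = json.load(fh)
    try:
        drop_marker(path, marker)
        refused_overwrite = False
    except FileExistsError:
        refused_overwrite = True
    return {"verified": verify_marker(reread), "refused_overwrite": refused_overwrite}


if __name__ == "__main__":
    print(demo())
```

The note lists only the engagement ID, tester, host and time; anything the tester learned on the box belongs in the report, not on the target.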

Introducing the Human Element

Vulnerability scans and security posture assessments rely heavily on automated tools and process frameworks (e.g. the OWASP Testing Framework). Penetration testers take the exercise to another level, bringing real-world experience, personal creativity and social engineering attacks to bear, and so incorporating the human element into their testing efforts.

In a true penetration test, not only is the organization’s infrastructure under attack, but so are its policies and procedures. The aim is to approach the exercise from a real-world perspective, where the organization’s security and procedural controls are put to the test against a seasoned, highly skilled individual or team. This makes vendor selection all the more important when deciding which individual or firm to hire for your organization’s penetration test.

Incorporating Multi-Vector Cyber Attacks

Penetration testing further stresses the organization’s security and process control framework through multi-vector cyber-attacks. Evidence or exploits gained in one system or process raise the tester’s odds of finding weaknesses in another; a single phished credential, for example, can turn an external engagement into an internal one.

A real-world example of a multi-vector cyber-attack is the “String of Paerls” campaign (the misspelling is part of the campaign’s published name), which evaded antivirus solutions, used phishing emails, and relied on infected Word document attachments to install malware.


While organizations may rely on periodic vulnerability scans and security posture assessments to meet information security (i.e. cybersecurity) compliance requirements, management should not treat them as a replacement for a true penetration test.

There is no substitute for a penetration test performed by an experienced, highly skilled penetration tester/ethical hacker. It is worth noting that there is still some debate as to whether penetration tests are worth the risk.
