Vulnerability Assessment vs. Penetration Test: The Pros and Cons

Christopher Wilkinson
| 12/3/2015
RISK-16005-015P Cybersecurity Blog Pen Testing Nugget

Which IT Data Security Test Is Right for You Now?

Vulnerability assessments and penetration tests are vital to any organization’s vulnerability management program. The two methods provide similar services but offer very different types of value – value the risk management department often doesn’t fully understand.

Ultimately, the organization needs to determine which type of assessment, or combination of assessments, fits its overall IT security strategy best. That decision should be based on a risk assessment as well as the IT infrastructure and management’s input.

Vulnerability Assessments
In a vulnerability assessment, an automated tool scans the IT infrastructure and reports the results. The tool’s job is to identify all systems and the applications and services they are running, usually by probing open ports and reading service banners. Based on this information, the tool attempts to identify issues such as missing patches, default passwords, and known vulnerabilities, typically by matching the detected product and version against a database of published weaknesses.

All the problems the tool has identified are then presented in a vulnerability assessment report. Note that a typical vulnerability assessment doesn’t include confirmation or validation of the identified issues, so the tool’s accuracy is often not verified. Rather than being removed, false-positive findings are usually left for IT administrators to determine whether they are truly issues.

A vulnerability assessment does not explore a purported issue’s impact beyond rudimentary factors that are often based on tool output. For example, a vulnerability scanning tool would identify a default password on a database and rank it as a high-risk vulnerability. However, the tool would not take into account that the database might contain no sensitive information, and that the default account might give an unauthorized user no path to the underlying operating system and no way to escalate privileges.

Overall, vulnerability assessments and the tools used to perform them do identify the first step an attacker might take toward systems and data.

What they do not do is quantify the potential impact of findings or tell the organization which remediation items should be its real priorities.
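To make the scanner model above concrete, here is an added example (not code from the original post or any scanning product) of the core logic such a tool runs: fingerprint a service from its banner, match it against a signature database, and emit a finding. The inventory, hosts, banners and signature IDs (SIG-001, SIG-002) are all constructed for illustration. Note two things the example shows that the text describes: every finding comes out unverified, and the host whose banner carries a distribution package suffix is flagged even though the vendor may have backported the fix, which is one common source of scanner false positives.

```python
import re
from dataclasses import dataclass

# Constructed service inventory, as the discovery phase would produce it
# (hypothetical hosts and banners, not real scan data).
INVENTORY = [
    {"host": "10.0.0.5",  "port": 22,   "banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"},
    {"host": "10.0.0.9",  "port": 22,   "banner": "SSH-2.0-OpenSSH_7.2"},
    {"host": "10.0.0.12", "port": 3306, "banner": "5.7.21-MySQL", "accepts_default_login": True},
    {"host": "10.0.0.15", "port": 80,   "banner": "Apache/2.4.41 (Ubuntu)"},
]

# Hypothetical signature database. 'pattern' pulls the version out of the
# banner; versions below 'fixed' are flagged. 'check' names an active probe
# whose result the discovery phase recorded on the inventory entry.
SIGNATURES = [
    {"id": "SIG-001", "title": "OpenSSH below 7.3 (placeholder signature)",
     "pattern": r"OpenSSH_(\d+)\.(\d+)", "fixed": (7, 3), "severity": "high"},
    {"id": "SIG-002", "title": "MySQL accepts a default login",
     "pattern": r"(\d+)\.(\d+)\.(\d+)-MySQL", "check": "accepts_default_login",
     "severity": "high"},
]

# Banner fragments that indicate a distribution package, where security fixes
# are often backported without changing the upstream version string.
DISTRO_PACKAGE = re.compile(r"ubuntu|debian|\.el\d", re.IGNORECASE)


@dataclass
class Finding:
    sig_id: str
    host: str
    port: int
    severity: str
    evidence: str
    verified: bool = False   # a scan matches signatures; it never confirms exploitability
    note: str = ""


def parse_version(pattern, banner):
    """Return the version tuple captured by `pattern`, or None if no match."""
    m = re.search(pattern, banner)
    return tuple(int(g) for g in m.groups()) if m else None


def scan(inventory, signatures):
    """Match every service against every signature and return unverified findings."""
    findings = []
    for svc in inventory:
        for sig in signatures:
            version = parse_version(sig["pattern"], svc["banner"])
            if version is None:          # signature is for a different product
                continue
            if "check" in sig:           # active probe: flag only if the probe succeeded
                if not svc.get(sig["check"]):
                    continue
                evidence = f"probe '{sig['check']}' succeeded"
            elif version < sig["fixed"]:  # passive version comparison
                dotted = ".".join(map(str, version))
                fixed = ".".join(map(str, sig["fixed"]))
                evidence = f"banner version {dotted} is below fixed version {fixed}"
            else:
                continue
            note = ""
            if "check" not in sig and DISTRO_PACKAGE.search(svc["banner"]):
                note = "distro package: fix may be backported; confirm with the package version"
            findings.append(Finding(sig["id"], svc["host"], svc["port"],
                                    sig["severity"], evidence, note=note))
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, SIGNATURES):
        status = "VERIFIED" if f.verified else "UNVERIFIED"
        print(f"{f.host}:{f.port} {f.sig_id} [{f.severity}] {status} - {f.evidence} {f.note}")
```

Both OpenSSH hosts receive the same high-severity finding with the same evidence; the report cannot distinguish the patched Ubuntu package from the genuinely old build, and it rates the MySQL default login high without knowing what the database holds. That is the validation and impact analysis the text says a human tester has to supply.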

Penetration Tests
Penetration testing, often referred to as “pentesting” or “ethical hacking,” mimics a real-world attacker attempting to access systems and data. The penetration test identifies vulnerabilities and combines or “chains” them together to obtain unauthorized access to sensitive data or administrative control of systems housing sensitive information. Penetration testing typically uses vulnerability scanning software as well as other service-specific tools to efficiently get a picture of a company’s fundamental security in the allotted test time and to identify attack vectors into the organization.

Unlike vulnerability assessments, penetration tests can take into account mitigating controls and the potential impact of a vulnerability. Using the human factor, penetration tests can also chain together identified vulnerabilities in order to understand the potential impact of those vulnerabilities and to dive deeper into the environment, well past layer one.
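The chaining described above can be modelled as a search over what each finding requires and what it grants. The following is an added example, not part of the original post or any testing firm's methodology: the findings, hosts and account names (dev-app, prod-db, svc_report) are constructed for illustration. It shows how three findings that each rate low or medium in isolation, only one of which an unauthenticated scan could see, combine into a path from the internal network to customer data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    severity: str          # rating of the finding taken on its own
    requires: frozenset    # capabilities an attacker needs before using it
    grants: frozenset      # capabilities gained by exploiting it
    scanner_visible: bool  # could an unauthenticated scan have reported it?


# Constructed findings from a hypothetical engagement (not real hosts or accounts).
FINDINGS = [
    Finding("F1", "Default credentials on Tomcat manager (dev-app)", "medium",
            frozenset({"network:internal"}), frozenset({"shell:dev-app"}), True),
    Finding("F2", "Cleartext database password in a config file on dev-app", "low",
            frozenset({"shell:dev-app"}), frozenset({"cred:svc_report"}), False),
    Finding("F3", "svc_report password reused on prod-db; account can read customers table", "low",
            frozenset({"cred:svc_report"}), frozenset({"data:customer-pii"}), False),
    Finding("F4", "Anonymous read access to a file share with no sensitive content", "medium",
            frozenset({"network:internal"}), frozenset({"files:public-share"}), True),
]


def attack_path(findings, start, goal):
    """Breadth-first search over capability sets. Returns the shortest list of
    finding ids that takes an attacker from the `start` capabilities to a state
    containing `goal`, or None if no chain reaches it."""
    start = frozenset(start)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        caps, path = queue.popleft()
        if goal in caps:
            return path
        for f in findings:
            if f.id in path or not f.requires <= caps:
                continue                      # already used, or preconditions unmet
            new_caps = caps | f.grants
            if new_caps not in seen:
                seen.add(new_caps)
                queue.append((new_caps, path + [f.id]))
    return None


def scanner_view(findings):
    """What an unauthenticated scan would report: visible findings and severities."""
    return [(f.id, f.severity) for f in findings if f.scanner_visible]


if __name__ == "__main__":
    print("scan report:", scanner_view(FINDINGS))
    print("chain to customer data:", attack_path(FINDINGS, {"network:internal"}, "data:customer-pii"))
```

The scan report contains two medium findings and nothing rated higher; the search finds the chain F1 to F2 to F3, which ends in customer data. The business-impact rating of F1 therefore belongs with the chain it starts, not with the default credential on its own, and F2 and F3 never appear in the scanner's output at all.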

The Necessity of Both
Both vulnerability assessments and penetration tests are critical to managing risk, and vulnerability management programs usually incorporate both.

The analysis from a penetration test is worth more than that of a vulnerability assessment because the test goes deeper: it validates findings and measures their impact rather than listing possible issues. The cost of pentesting, however, usually limits it to once a year. The simpler vulnerability assessment can usually be executed in-house and is often run quarterly or even monthly, filling the gap between those annual tests.

                                                   Vulnerability   Penetration
                                                   Assessment      Test
  Target identification                                 X              X
  Layer-one vulnerability identification                X              X
  Removal of false-positives                                           X
  Vulnerability exploitation and compromise                            X
  Password strength analysis                                           X
  File-share authorization analysis                                    X
  User-rights examination                                              X
  Egress traffic analysis                                              X
  Password reuse analysis                                              X
  Voice and data traffic segmentation                                  X
  Service or application account privilege analysis                    X

To sum up:

Vulnerability Assessment

  Pros
  • Enables automation of thousands of security checks
  • Quickly assesses the entire network
  • Typically integrates into the organization’s threat and vulnerability management program
  • Serves as a useful layer-one remediation test
  • Identifies easy targets
  • Can usually be done in-house with easily available tools

  Cons
  • Generates an overwhelming, incoherent amount of data
  • Usually results in some false-positive findings
  • Ranks risks without taking business impact into account
  • Does not chain together vulnerabilities to determine the overall impact
  • Fails to identify logical attack vectors such as password reuse and application logic flaws
  • Produces remediation recommendations that are often generic and based on tool output

Penetration Test

  Pros
  • Takes into account mitigating controls when risk-ranking vulnerabilities
  • Allows for proper business impact analysis of identified issues
  • Uses the human factor to identify process and logic security flaws
  • Enables the chaining together of vulnerabilities to understand the full impact of all discovered issues
  • Removes false-positives from all layers of the security model
  • Provides logical, realistic recommendations that fit the organization

  Cons
  • Heavily depends on the delivery team’s skills
  • Requires significantly more time and effort than a vulnerability assessment
  • Usually requires hiring an outside firm, because most organizations do not have the necessary skills in-house for pentesting


CIOs, audit personnel, and information security officers need to be aware of these two types of assessments and the value of each. The better CIOs and risk managers understand both types of assessments, the better an organization’s comprehensive security strategy will fit the business’s overall goals.