Brian Morkert, GCSIT Director of Security Services

These terms are often used interchangeably, but there is a distinct difference in scope and in the activities performed. In a nutshell, a penetration test answers the question "Can someone break into my organization, and what could they reach once inside?", whereas a vulnerability assessment answers the question "Where are all the ways someone could break into my organization?"


Let's say you have a house with a fence around it. In a penetration test, the goal is to find a single hole in the fence and use it to get into your yard. From there, the goal is to find a single unlocked window or door, get into the house, and ultimately reach your valuable possessions. The tester stops looking for other holes once one works; the point is to demonstrate what an attacker can actually achieve.


When conducting a vulnerability assessment, using the same analogy, the goal is to identify ALL of the holes in the fence, check every window and door to see whether it is locked, and note any other potential entry points. The assessment catalogs the weaknesses; it does not normally attempt to climb through any of them.


Both penetration testing and vulnerability assessment can and should be conducted from multiple perspectives – Internal and External. Your security infrastructure should be constructed in layers to detect and prevent both types of attacks.


The purpose of conducting an internal penetration test or vulnerability assessment is to identify weaknesses within your internal security infrastructure that could be exploited by a disgruntled employee or anyone who has access to your internal network.

Further, vulnerability assessments should be conducted from both unauthenticated and authenticated (credentialed) perspectives. A credentialed scan is typically run with a dedicated scanning account that has administrative read access to each host; domain administrator rights are more than the scanner needs and should be avoided when a less privileged scan account will do. Credentialed scans provide specific visibility into the effectiveness of your patch management program, particularly for third-party applications that expose no network service and are therefore invisible to an unauthenticated scan. Credentialed scans also identify configuration weaknesses that unauthenticated scans commonly miss. Neither form of assessment replaces operational defenses: detection, containment, and recovery remain critical components in combating today's advanced malware and attacks, and an effective defense program addresses all stages of an attack by protecting against inbound attacks, outbound callbacks, and malware executable downloads.
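The following is an added example, not code from the original article or from GCSIT, showing why the credentialed perspective matters. It models the two views a scanner can have of the same workstation: an unauthenticated scan only sees network banners, while a credentialed scan reads the host's installed-software inventory. The product names, version numbers and "minimum patched version" baseline are all constructed for illustration and do not correspond to real advisories; a real scanner would draw these from a vendor plugin database.

```python
"""Unauthenticated (banner) vs credentialed (host inventory) patch visibility.

Added illustrative example. All products, versions and baselines below are
constructed for demonstration and are not real advisories.
"""
import re


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into comparable integer components.

    '11.0.3' -> (11, 0, 3); a non-numeric suffix such as '9.6p1' is
    truncated to the leading digits of that component ('9.6p1' -> (9, 6)).
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_below(installed: str, minimum: str) -> bool:
    """True if `installed` is older than `minimum`, padding shorter tuples."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed baseline: minimum version considered patched (hypothetical).
BASELINE = {
    "Acme PDF Reader": "11.0.3",
    "Contoso Archiver": "6.2.0",
    "OpenSSH": "9.6",
}

# Constructed inventory, as a credentialed scan would collect from the host
# (e.g. Windows Uninstall registry keys or a package manager database).
HOST_INVENTORY = {
    "hostname": "ws-042",
    "software": {
        "Acme PDF Reader": "11.0.1",   # desktop app, no listening service
        "Contoso Archiver": "6.2.0",
        "OpenSSH": "9.6",
    },
}

# Constructed banners: everything an unauthenticated scan sees on the wire.
BANNERS = ["SSH-2.0-OpenSSH_9.6"]

# Regexes that extract a version from a network banner, keyed by product.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
}


def credentialed_findings(inventory: dict, baseline: dict) -> dict:
    """Products installed below baseline; requires host access."""
    return {
        name: (ver, baseline[name])
        for name, ver in inventory["software"].items()
        if name in baseline and is_below(ver, baseline[name])
    }


def unauthenticated_findings(banners: list, baseline: dict) -> dict:
    """Products below baseline that can be inferred from banners alone."""
    findings = {}
    for banner in banners:
        for product, pattern in BANNER_PATTERNS.items():
            match = pattern.search(banner)
            if match and product in baseline and is_below(match.group(1), baseline[product]):
                findings[product] = (match.group(1), baseline[product])
    return findings


def blind_spots(inventory: dict, banners: list, baseline: dict) -> set:
    """Missing patches the credentialed scan finds but the network scan cannot."""
    return set(credentialed_findings(inventory, baseline)) - set(
        unauthenticated_findings(banners, baseline)
    )


if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_findings(BANNERS, BASELINE))
    print("credentialed:   ", credentialed_findings(HOST_INVENTORY, BASELINE))
    print("blind spots:    ", blind_spots(HOST_INVENTORY, BANNERS, BASELINE))
```

From the network the host looks fully patched, because the only exposed service is at baseline; only the credentialed view reveals the out-of-date PDF reader. That gap is exactly what the authenticated perspective is meant to close.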


For most organizations, a vulnerability assessment is the better value: it identifies control weaknesses in greater depth and across a much broader spectrum than a penetration test does, and it gives clients a diagnostic view of their information security program as a whole. What it cannot show is exploitability and impact, which is why the two exercises complement rather than replace each other.

To find out more about vulnerability assessment and penetration testing, email us and one of our security experts will get in touch with you shortly.