A Vulnerability Scan is NOT a Penetration Test. Unfortunately, when we perform vendor reviews or risk analyses, we often see organizations mix up these two terms. As cybersecurity professionals, we need to step up and educate others about the differences so that companies get the services they actually need (and paid for) and achieve their compliance goals. We also need to speak to our colleagues who advertise penetration testing services but are actually performing vulnerability scans, as this does not help our industry or cybersecurity as a whole.
Here is a quick high-level guide to help clarify the differences.
- Exploitation – penetration tests exploit vulnerabilities to gain additional access. Vulnerability scans search for vulnerabilities, but don’t exploit them.
- Automation – vulnerability scans are automated processes. An individual configures the scan, and then the program does all of the scanning for vulnerabilities. Penetration testing is largely a manual process, although the security professional often uses an array of tools to assist, including vulnerability scanners. Penetration testing requires a more advanced skill set, as the security professional needs to find new ways of compromising systems.
- Attack Simulation – a penetration test simulates a full cyber attack: initial reconnaissance, active testing, obtaining credentials, elevating privileges, accessing data, and exfiltrating that data. A vulnerability scan typically consists of a single attack phase.
- Cost – since penetration testing requires a more advanced skill set, performs a more comprehensive analysis, and takes more time, its cost is much higher than that of a vulnerability scan.
- Frequency – since vulnerability scans are less expensive and quicker to perform, they are performed more frequently than penetration tests. While there is much flexibility in the frequency, vulnerability scans are usually performed daily, weekly, or monthly. Penetration testing is usually performed annually or after major changes in an environment.
While there are a number of differences, both penetration testing and vulnerability scanning are best practices in a security program.