If you are debating whether to purchase a Vulnerability Assessment or a Penetration test, or simply want to learn more about the differences between them - have a read of our comparisons below:

Vulnerability Assessment vs. Penetration Test:

The scope of a Vulnerability Assessment (VA) is very broad - it intends to provide you with a comprehensive overview of the current vulnerabilities existing across your IT & Web Infrastructure. The scope of a Penetration Test, in comparison, is very narrow - it usually targets a specific endpoint in your network (such as a Firewall), or a specific endpoint in your Web infrastructure (such as a Web Application). 

Because the scope differs, the depth of knowledge/insight gained from the two forms of assessment also differs. Vulnerability Assessment's will provide you with a wide-ranging and relatively detailed awareness of your vulnerabilities. This is achieved by searching for elements of your IT infrastructure that may be insecurely designed, poorly monitored or insecurely configured, outdated, or lacking protection - then identifying the common vulnerabilities associated with such misconfigurations. These vulnerabilities are publicly disclosed by the National Vulnerability Database (NVD), and are identified by their corresponding CVE ID and Severity Rating. 

In contrast, a Penetration Test confirms a suspected vulnerability as a probable attack vector by actively testing it using a wide-range of Tactics, Techniques and Procedures (TTPs). Hence, a Penetration Test not only proves that a suspected vulnerability can be compromised, but also details the particular attack types that can be used to exploit the vulnerability, and what the outcomes of each route of attack would look like. This detailed information is why a Penetration Test is considered to be a far more in-depth analysis of a vulnerability, as opposed to a Vulnerability Assessment.

With the above in mind, the reasoning behind each assessment varies. Vulnerability Assessment's are usually performed to gain a broad understanding of the organisation's cyber security posture, and to identify areas for improvement. Penetration Tests are usually performed with a particular endpoint in mind - for example when someone is developing a new Web App that is about to be released to the public, or when you want to test the effectiveness of your network firewall. 

For the purposes of preventing Supply Chain Hacking, organisation's often ask for suppliers to perform a Vulnerability Assessment and Penetration Testing (VAPT). In these cases, both assessments may be performed together if necessary. 

Summary Table:

Which should I choose?

Unless you have been asked to perform a Penetration Test, or have a concern regarding a specific element of your IT system - you should typically perform a Vulnerability Assessment before a Penetration Test. 

The broad awareness of vulnerabilities gained from performing a Vulnerability Assessment will enable you to begin implementing defences across your entire IT infrastructure. This provides a far stronger foundation upon which to start building or improving your cyber security, as opposed to more specific security improvements you could implement after performing a Penetration Test.

If I get a Penetration Test, do I still need a Vulnerability Assessment?

Yes.  A Penetration Test will only inform you of the vulnerabilities existing in a specific component of your IT infrastructure. If you perform a Penetration Test without conducting any other assessment, you will be greatly underinformed as to the majority of your cyber security weaknesses. 

In order to gain sufficient knowledge of your current cyber security posture, you should to perform a Vulnerability Assessment. In general, you should consider a Vulnerability Assessment (or a vulnerability management programme) an absolute necessity for any IT Infrastructure and a Penetration Test as a possible requirement depending upon your specific IT Infrastructure setup.