What is the difference between a Vulnerability Scan and a Penetration Test?

Vulnerability Scanning and Penetration Testing are terms that are often interchanged and even confused for the same activity, and while they are similar, they are not the same. So what are the key differences, and how and when should they be carried out?

What is a Vulnerability Scan?

A Vulnerability Scan is performed within your network, systems, services, or applications in the security perimeter concerned. Generally speaking, a Vulnerability Scan is fully automated, providing detailed reports on vulnerabilities found such as out-of-date frameworks and dependencies, publicly known exploits, loopholes, and common configuration issues that could lead to further vulnerabilities.

Typically, these scans are run with tools like Tenable Nessus, Rapid7 Nexpose, and Qualys, among many others, and may be tailored to your requirements.

A Vulnerability Scan is limited to providing a report on raw data and is, for the most part, unable to paint a full picture of where greater issues can arise.

One major difference between using a scanning tool and a human tester is understanding where the pieces of the puzzle can come together, such as chaining low-level vulnerabilities into a high-level critical exploit which may need far more urgent and immediate action than a scan report may suggest.

While often very detailed and including information like CVE details, CVSS scores, and overviews of the vulnerability, etc., there are often false positives presented in even the most finely tuned scans due to the lack of a discerning human eye and experience. Depending on the level of the report, the provided data may still require significant human attention to filter through and further verify, as a scan does not attempt to actively exploit its findings.

What is a Penetration Test?

As suggested by its name, a Penetration Test is a test that attempts to penetrate a system or service from outside of the security perimeter.

A Penetration Test is handled by a human penetration tester and aided by the many tools and techniques available to them, to identify and further exploit any vulnerabilities found on the subject of the test.

Having a human rather than an automated tool may be slower and more expensive on a per-engagement basis, but can provide more accurate results limiting false positives, and providing proof of concept exploitation, experience-driven vulnerability overviews, exploit pivoting, and quality remediation advice with the context of your system or service in mind.

Another advantage of a Penetration Test over a Vulnerability Scan is the ability to research on the fly, find unknown exploits including Zero Days, and find vulnerabilities that may not have been added to the Vulnerability Scanners library yet.

What and When?

While it may seem that a Penetration Test may be the best overall service to take due to its accuracy, there is a time and a place for both services, or even have them work hand in hand.

Where security is concerned, both services are valid but are not providing the complete picture when they are used separately.

Due to the automated nature of a vulnerability scanning tool, it can be set to scan at specified intervals to report changes between two or more points in time, providing a real-time surface view of your systems, network, or other services, and generating a human-friendly report, all whilst running hands-off in the background.

A penetration tester can interpret reports provided by a vulnerability scan and this can supplement a penetration test itself, in many cases helping the human tester speed up the overall engagement by targeting identified points of vulnerability rather than having to manually find them.

Both a Vulnerability Scan and a Penetration Test have their strengths and weaknesses and typically speaking, one’s strength covers the weakness of the other.

It isn’t uncommon for an organization to have a vulnerability scanner conducting day-to-day scans of systems and networks, and periodically have a human penetration tester validate and carry out further tests based on the outputs provided by the scanner. When used together in this way, you can achieve the highest level of security assurance for your organisation.