What is Pentesting, Vulnerability Scanning, which one do you need?

I get very often asked about these two concepts and I noticed that there is a lot of unclarity around these topics.

At the end, I will tell you my own opinion and give you some advices.


Vulnerability scan

Also known as Vulnerability Assessment, looks for known vulnerabilities in your systems and reports potential exposures.

Vulnerability assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVas to scan an IP address or range of IP addresses for known vulnerabilities.

For example, the software has signatures for the Heartbleed bug or missing Apache web server patches and will alert if found. The software then produces a report that lists out found vulnerabilities and (depending on the software and options selected) will give an indication of the severity of the vulnerability and basic remediation steps.

It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them.


Penetration test (aka “pentest”)

Designed to actually exploit weaknesses in the architecture of your systems.   Where a vulnerability scan can be automated, a penetration test requires various levels of expertise within your scope of systems.   In short a technician runs a vulnerability scan while a hacker performs a penetration test. In this light, you have to think of a pentest as a two steps process:

  1. Vulnerability Assessment – produces the list of exploitable weaknesses
  2. Exploitation of the vulnerabilities

When you think to pentesting, you need to think of hackers. A good pentest would simulate the same conditions a hacker would have when he wants to hack your system. This is also the reason why pentesting is so hard to do.

Penetration tests can also be performed using automated tools, such as Metasploit, but experienced testers will write their own exploits from scratch.


Here is a table help understand the difference between Vulnerability Scan & Penetration Test (from [2]):

Vulnerability ScanPenetration Test
How often to runContinuously, especially after new equipment is loadedOnce a year
ReportsComprehensive baseline of what vulnerabilities exist and changes from the last reportShort and to the point, identifies what data was actually compromised
MetricsLists known software vulnerabilities that may be exploitedDiscovers unknown and exploitable exposures to normal business processes
Performed byIn house staff, increases expertise and knowledge of normal security profile.Independent outside service
Required in regulationsFFIEC; GLBA; PCI DSSFFIEC; GLBA; PCI DSS
ExpenseLow to moderate: about $1200 / yr + staff timeHigh: about $10,000 per year outside consultancy
ValueDetective control, used to detect when equipment is compromised.Preventative control used to reduce exposures

Who can do this?

There are various certifications for both vulnerability assessment and penetration testing.

Here is an overview:




My opinion

I think that both are useful and they should be done as mentioned above.

However, I want to emphasize the fact that both these activities are purely reactive: this means that you just detect what is already there.

And of course, what others might have probably detected before you.

What I can definitely say is this: you need Vulnerability Assessment before you do a PenTest.

The first is “this could happen”, the second is “this is how the vulnerability can be exploited”.

I like more the proactive approach: Secure Software Development and a Secure Product Lifecycle.

More about these in future posts.



  1. http://www.csoonline.com/article/2921148/network-security/whats-the-difference-between-a-vulnerability-scan-penetration-test-and-a-risk-analysis.html
  2. http://www.tns.com/PenTestvsVScan.asp

© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since year 2000 in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is an independent IT Security Consultant focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .
%d bloggers like this:

By continuing to use the site, you agree to the use of cookies and to its Privacy Policy more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.