| Criterion | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Typical Use Cases | Formal vulnerability management, compliance, routine audits. | Formal vulnerability management, identifying and remediating vulnerabilities not discovered by vulnerability scanning alone, determining risk of real-world attack vectors, threat modeling. |
| Approach | Tends to center on automated scanning. | Automated scanning supplemented by additional tools and manual techniques (whatever it takes for vulnerability identification and exploitation). Utilizes multiple stages of the attacker kill chain. |
| Quantity vs. Quality | Enumerates as many vulnerabilities as possible. | Focuses on finding and exploiting a few high-quality vulnerabilities. |
| Example Tools | Standard scanners such as Nessus, OpenVAS, Nmap, and Burp Suite Pro’s Active Scanner. | Vulnerability assessment tools plus additional testing and exploitation tools such as Burp Suite Pro’s Intruder and Repeater, SQLmap, Metasploit, custom code, and other tools including the offensive arsenal provided by Kali. |
| Speed | Relatively fast. | Relatively slow. |
| Accuracy | False positives, false negatives, and incomplete findings are more likely. | False positives can be weeded out and are ultimately unlikely; findings can be confirmed and exploited. |
| LOE (Level of Effort) | Mostly automated, sometimes supplemented by some manual testing and confirmation. | Some automated, but emphasis on manual testing and exploitation. |
| Types of Vulnerabilities Identified | Known vulnerabilities, “low-hanging fruit”, some incomplete findings. | Known vulnerabilities but also unknown (0-day) vulnerabilities, especially in custom infrastructure/apps. |
| Validation and Exploitation of Identified Vulnerabilities | Limited validation and no exploitation. | Additional testing and exploitation leading to validation of vulnerabilities and their real-world exploitability. |
| Noise Level / Detectability | High. | Low-Medium. |
| Risk of Damage to Production Systems | Very low risk, unless scan traffic volume becomes an issue and is not throttled properly (e.g. unexpected DoS condition). | Slightly higher risk, though exploits are typically limited in scope and designed to be a proof of concept. |
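The "Noise Level / Detectability" and "Risk of Damage to Production Systems" rows describe scanner traffic as high-volume and easy to spot. The following is an added example, not code from the original page, showing what that looks like from the defender's side: it parses web server access log lines, computes each source's peak request rate in a sliding window together with its error ratio and path diversity, and flags sources whose traffic pattern matches unthrottled automated scanning. The log lines are constructed sample data and the thresholds (`WINDOW_SECONDS`, `MAX_REQ_PER_WINDOW`, `MAX_ERROR_RATIO`, `MIN_DISTINCT_PATHS`) are assumptions to tune per environment.

```python
"""Flag high-noise automated scanning in web server access logs.

Added example (not from the original page). Sample log lines are constructed;
thresholds below are assumptions, not values from the page.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format prefix: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: tune to the baseline of your own environment.
WINDOW_SECONDS = 60        # sliding window for the rate check
MAX_REQ_PER_WINDOW = 50    # requests from one source within the window
MAX_ERROR_RATIO = 0.5      # share of 4xx/5xx responses typical of probing
MIN_DISTINCT_PATHS = 20    # probing touches many distinct paths


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def score_sources(lines):
    """Return per-source statistics with a 'suspicious' flag for scanner-like traffic."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append(rec)

    report = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        # Peak number of requests inside any WINDOW_SECONDS-long sliding window.
        peak, start = 0, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            peak = max(peak, end - start + 1)
        errors = sum(1 for r in recs if r["status"] >= 400)
        ratio = errors / len(recs)
        distinct = len({r["path"] for r in recs})
        # Either burst volume alone, or a high error ratio across many paths, is flagged.
        suspicious = peak >= MAX_REQ_PER_WINDOW or (
            ratio >= MAX_ERROR_RATIO and distinct >= MIN_DISTINCT_PATHS
        )
        report[ip] = {
            "requests": len(recs),
            "peak_per_window": peak,
            "error_ratio": round(ratio, 2),
            "distinct_paths": distinct,
            "suspicious": suspicious,
        }
    return report


def build_sample_lines():
    """Constructed sample access log (not real traffic)."""
    fmt = '%s - - [%s] "GET %s HTTP/1.1" %d 512'
    lines = []
    # Scanner-like source: 60 requests to distinct paths within 30 seconds, mostly 404s.
    for i in range(60):
        ts = f"10/Oct/2023:13:55:{i // 2:02d} +0000"
        status = 200 if i % 10 == 0 else 404
        lines.append(fmt % ("203.0.113.9", ts, f"/probe{i}.php", status))
    # Ordinary browser session: five requests spread over ten minutes, all 200s.
    for i, path in enumerate(["/", "/login", "/dashboard", "/reports", "/logout"]):
        ts = f"10/Oct/2023:14:{i * 2:02d}:17 +0000"
        lines.append(fmt % ("198.51.100.7", ts, path, 200))
    return lines


if __name__ == "__main__":
    for ip, stats in score_sources(build_sample_lines()).items():
        print(ip, stats)
```

The burst check alone catches unthrottled scanners (the "Noise Level" row); the error-ratio check across many distinct paths catches slower probing that stays under the rate limit. A penetration tester's manual, targeted requests typically trip neither threshold, which is the "Low-Medium" detectability the table refers to.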