What’s the Difference between a Vulnerability Scan and a PEN Test?

Oct 5, 2021

We find that often customers become confused between a Vulnerability Scan and a Penetration (PEN) test.  We’ve created this table below to show the differences.  Basically, A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is a detailed hands-on examination by an actual person that tries to detect and exploit weaknesses in your system.

TASKS

Vulnerability Assessment

Penetration “PEN” Testing

Performed by: Employee or Consultant 3rd Party Ethical Hacker
Performed with: Script Compilation of specific code
Tools Used: Qualys, Tenable, etc Nessus, Metasploit, Variety of tools
How Performed: Automated Manual
Expertise: Low High
Duration: 4 hours 1-20 days
Period: Monthly or less Yearly or more for incident response
False Positives: High N/A
Profile: Passive Dynamic
Disruptive: Low High
Purpose: Review of weaknesses Analysis of compromisable systems
Medical Analogy: Single X-ray Series of MRIs
Motivation: Good Cyber Hygiene Due Diligence
Results: List of open ports, missing patches Description of attempts blocked or vulnerabilities
Looking to Identify: SW vulnerabilities Insecure Business practices
Examples of Findings: Unpatched SW, obscure protocols… Credential violations, clear text transmissions
Importance: Mandatory Good practice
Remediation: Patching, Upgrading, … Hardening, Re-design, vendor swap
Cost: $100/IP address $15K
Variations: Scan Black-Box: Zero knowledge of Network
Assessment Gray Box: Partial knowledge of Network
White Box: Full Knowledge of Network

Recent Updates

Apache Log4j Vulnerability

A severe vulnerability was identified in Apache Log4j.   Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information.  A bug in Log4j...

7 Top Tips for Cyber Security Awareness Month

7 Top Tips for Cyber Security Awareness Month

For 18 years, CISA and the National Cyber Security Alliance (NCSA) continue to raise awareness about the importance of cybersecurity across our Nation, ensuring that we all have the resources we need to be safer and more secure online.  The following tips would be...

Events

There are no upcoming events at this time.