Vulnerability Scanning vs. Penetration Testing

Do you understand the difference?

Simply put, vulnerability scanning is passive and penetration testing is active.  Both of these assessments/tests have value and both can assist in your overall ability to evaluate your external security exposure.

So, why do either (or both)? Well, for starters because the hackers are doing both too. But also, this can be compared to your annual medical exam. Even if you believe you are healthy, your physician will run a series of tests to detect dangers that have not yet developed symptoms.  Let’s look more specifically at how each of these tests is conducted and what the outcomes are.

External Vulnerability Assessment

External Vulnerability Scanning is non-intrusive.  The purpose is not to attempt to exploit the vulnerabilities.   The analysis is designed to determine if it is possible for external parties to access your systems.  So, the focus is more on potential threats.  The outcome is a score-based rating system and remediation recommendations are provided to help address any issues found.  This is a sample of the report provided:

External Penetration Assessment

External Penetration testing focuses on the critical threats to your organization.  This test consists of manual processes that mimic a bad actor and their techniques.  With your approval, a security professional or vCISO attempts to gain access to your environment to try to exploit any vulnerabilities.  After successfully exploiting your perimeter, the security professional or vCISO then attempt lateral movement within your network.

Conducting an Assessment

When is the last time you truly tested your network and had a view of what you were exposing to the outside world? Peters & Associates offers a full range of Information Technology Security Assessments and Managed IT Services.  External scoping options may include all or a combination of these options:

Our external vulnerability assessments, penetration tests, and black box testing options include deliverables that contain remediation recommendations. Contact us at to learn more!

By |2019-02-28T14:32:18-05:00February 5th, 2019|Security Solutions|Comments Off on Vulnerability Scanning vs. Penetration Testing

About the Author:

Marcia serves as a senior project manager at Peters & Associates on the cutting edge of network technology. She works with her clients to assess, design and implement projects ranging from information security frameworks to on prem and cloud initiatives. With 25 years of experience in IT, she realizes financial advantages and user efficiencies for her clients by conceptualizing technical solutions for even their most complex business problems. Marcia has decades of experience managing technology adoption and compliance for the heavily regulated financial industry while delivering secure, resilient solutions on-time and on-budget. Marcia has leveraged a strong information security background to drive organizational compliance for customers as well as Peters & Associates own CompTIA Security Trustmark+. To pair with her extensive technical expertise, Marcia excels at communicating with both end users and executives alike.