TotalCareIT™ Blog

TotalCareIT™ has been serving the Melbourne area since 2001, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

How to Distinguish Between a Vulnerability Test and a Penetration Test

Vulnerability scans look for known vulnerabilities in your systems and report on them.

I like to use a door lock analogy here. Let’s say you bought a Schlage door lock from Home Depot. A month later, you get a notification that your lock doesn’t quite lock correctly. If a burglar were to tap on the lock ten times, the lock would just open. Schlage released a bulletin about this and called it the 10-tap vulnerability. The Schlage lock company issued a part replacement that you could install in the lock to make sure that the 10-tap vulnerability is no longer present.

If a home inspector were running an analysis of your house, they might check that (1) you have the Schlage lock model that has the vulnerability or (2) the fix to the 10-tap vulnerability is in place. They would give you a report that your lock is or is not susceptible to the 10-tap flaw.

In essence, that home inspector was performing a vulnerability assessment: looking for weaknesses in your home. If they found that the 10-tap vulnerability was there, they would let you know it was an issue.

When your team performs a vulnerability assessment or scan of a network, they look for vulnerabilities present on the network. These are known problems (patches, configurations, or permission levels, for instance) that may be cause for concern. The report alerts the network's owner to potential problems and documents those concerns. That's as far as you're going here.
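The report-only check described above, as an added example that is not part of the original post: it mirrors the inspector's two questions (is the affected product present, and is the fix in place) plus a configuration comparison, and it only reads collected facts. The host names, product names, versions, advisory IDs and baseline settings are all constructed for illustration.

```python
# Constructed sample data: hosts, products, versions and advisory IDs are invented.
ADVISORIES = [
    # Known problem in a product, fixed from a given version onward.
    {"id": "EXAMPLE-ADV-001", "product": "examplehttpd", "fixed_in": "2.4.10"},
    {"id": "EXAMPLE-ADV-002", "product": "examplessh", "fixed_in": "9.1"},
]
# Configuration values the assessment expects on every host (assumed baseline).
CONFIG_BASELINE = {"remote_root_login": "no", "smb_signing": "required"}

INVENTORY = [
    {"host": "web01", "software": {"examplehttpd": "2.4.9"},
     "config": {"remote_root_login": "no", "smb_signing": "required"}},
    {"host": "files01", "software": {"examplessh": "9.1", "examplehttpd": "2.4.10"},
     "config": {"remote_root_login": "yes", "smb_signing": "required"}},
]


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so 2.4.10 sorts after 2.4.9."""
    return tuple(int(part) for part in text.split("."))


def scan(inventory, advisories, baseline):
    """Report known problems from collected facts; nothing is exploited."""
    findings = []
    for host in inventory:
        for adv in advisories:
            installed = host["software"].get(adv["product"])
            if installed is None:
                continue  # check 1: the affected product is not present
            if parse_version(installed) < parse_version(adv["fixed_in"]):
                # check 2: product present and the fix is not in place
                findings.append((host["host"], adv["id"],
                                 f"{adv['product']} {installed} < {adv['fixed_in']}"))
        for key, expected in baseline.items():
            actual = host["config"].get(key, "<unset>")
            if actual != expected:
                findings.append((host["host"], f"config:{key}",
                                 f"{actual!r}, expected {expected!r}"))
    return findings


if __name__ == "__main__":
    for host, issue, detail in scan(INVENTORY, ADVISORIES, CONFIG_BASELINE):
        print(f"{host}: {issue}: {detail}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 2.4.9 above 2.4.10 and miss the unpatched host.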

A penetration test goes a bit further.

Penetration tests are used to exploit weaknesses in the system. These tests exploit the vulnerabilities to show the consequences of not taking action.

Going back to the door lock analogy, if the home inspector actually tapped the lock ten times to try to gain entry, they would be attempting to exploit the 10-tap vulnerability.

To learn more about how we can help your business, reach out to us at 321-259-5500 and let our expertise speak for itself.
