Pentesting vs. vulnerability scanning

A common conversation I have with clients is about the difference between pentesting and vulnerability scanning. I can see why: the two terms often get used interchangeably by both customers and security firms. And while Wikipedia has some good basic definitions of pentesting and vulnerability scanning, there still seems to be a lot of confusion about what customers should expect when they engage one or the other.

Vulnerability scan

A vulnerability scan is a surface-level look at your systems for weaknesses (missing patches, misconfigurations, weak passwords and the like) that someone could leverage in an attack. During a vulnerability scan we identify and report those weaknesses; we do not actually exploit them.

A vulnerability scan typically costs a few thousand dollars (depending on the size of the network, the number of physical locations that need to be visited, etc.) and is not usually disruptive to endpoints, so in most cases it can be run during the business day.

Penetration test

In a penetration test we take the weaknesses a vulnerability scan would identify and actually exploit them, leveraging them as far as the agreed scope allows. That can include cracking user passwords, running exploits to take control of systems, exfiltrating sensitive data and planting backdoors.

A penetration test is generally a longer and more expensive engagement than a vulnerability scan, and it can be disruptive to systems. It requires much more planning, scoping and discussion up front.

When I’ve shared that explanation in the past, I’ve gotten blank stares and sometimes angry looks. The reason is that many companies have paid top dollar for what they thought was a full penetration test when it was actually just a basic vulnerability scan.

If you have further questions about your next vulnerability scan or penetration test, please contact us.  We would love to help.

Written by: Brian Johnson