What's the difference between vulnerability scanning and penetration testing?
Pentesting vs. vulnerability scanning
A common conversation I have with clients involves talking about the differences between pentesting and vulnerability scanning. I can see why: the two terms often get used interchangeably by both customers and security firms. And while Wikipedia has some good basic definitions of pentesting and vulnerability scanning, there still seems to be a lot of confusion about what customers expect when it comes to engaging in one or the other.
In a recent email to a prospective client, here's what I offered as an explanation of how these two exercises differ from each other:
A vulnerability scan is a surface-level look at your systems for weaknesses (things like missing patches, misconfigurations, weak passwords) that someone could leverage in an attack, but we won't actually do those things during a vulnerability scan.
A vulnerability scan is typically a few thousand dollars (depending on the size of the network, number of physical locations that need to be visited, etc.) and is not usually disruptive to endpoints. So (in most cases) it can be run during the day.
In a penetration test we would actually do the things identified in a vulnerability scan and leverage them to their full extent. This would include cracking user passwords, running exploits to take control of systems, exfiltrating sensitive data and planting backdoors.
A penetration test is generally a longer and more expensive engagement (compared to a vulnerability scan), and can be disruptive to systems. It requires much more planning, scoping and discussions up front.
When I've shared that explanation in the past, I've gotten some blank stares and/or angry looks. The reason is that many companies have paid top dollar for what they thought was a full penetration test when it was actually just a basic vulnerability scan.
If you have further questions about your next vulnerability scan or penetration test, please give me a shout. I'd love to help.
Also, I welcome you to check out BPATTY (which stands for Brian's Pentesting and Technical Tips for You), which contains a ton of vulnerability scanning and pentesting info!