What is the difference between a penetration test and a vulnerability assessment?
Overview
The difference between a vulnerability assessment and a penetration test is essentially the difference between seeing a vulnerability and exploiting a vulnerability.
What is a vulnerability assessment?
A vulnerability assessment simply scans your network or systems for vulnerabilities that may be present based on the opened ports and exposed services. This assessment simply tells you what vulnerabilities are present, but they are not exploited.
What is a penetration test?
A penetration test on the other hand actually identifies vulnerabilities and exploits are attempted. The purpose of a penetration test is to demonstrate impact and help the organization understand how a vulnerability may be used to gain access to systems and/or resources that may be deemed valuable and confidential.
When to run one or the other
Determining which type of assessment to run really depends on the goal you're wanting to accomplish. If you'd like to determine how vulnerabilities can be used to compromise your organization's network and understand how an attacker may be able to move laterally, then a penetration test is the assessment you want to run. Alternatively, if you just want to identify vulnerabilities, but not exploit them or see how they can be used, then you should run a vulnerability assessment.
For more information on the differences between a penetration test and a vulnerability assessment, refer to the following blog article: Penetration Test vs Vulnerability Assessment: What's the difference?