What is the difference between a Vulnerability Assessment and a Penetration Test?

5th May 2021  |  Lauren Hill, Security Consultant

This is a question we get asked a lot. It’s important to know what you need from the start to make sure you get the service you want. Even if you’re a digital native, our industry is filled with TLA (Three Letter Acronyms) that can make price comparison more difficult than it needs to be.

What are your needs?


Do you need a broad view of your organisation’s security posture? You think you’re doing a great job but need to find out those unknown quantities. You might know some things aren’t perfect but what does that mean for your security posture? Or do you have a specific web application or network requiring a deep dive to help you understand a more advanced security posture?

Compliance and due diligence;

You might need to gain a level of certification that your customers expect so you can provide independent reassurance. This ranges from a vulnerability assessment to Cyber Essentials Certification right up to a Penetration Test.


Are you after a prioritised list of mitigating steps based on the risk level to your organisation identifying misconfigurations and unpatched vulnerabilities? Or do you want to know how your organisation would stand in an attack scenario? What is the worst that could happen so that I can stop it before it happens?


Vulnerability Scan

Penetration Test


Breadth over depth

Depth over breadth

Security Controls

Identify areas of improvement

Actively test implementation


Find misconfigurations and default settings

Try and bypass controls in place


Passive scan against a list of Common Vulnerabilities (CVE)with prioritised remediation.

Exploit as many vulnerabilities in the time given. Specific to your hardware and software environment.


Potential false positives must be identified.

Specific to a speciality such as Web App, Network or Service. Trying to mimic a real attacker’s behaviour and methods.


Usually, a day or less, depending upon the number of target IP domains

Most often starting with several days or more depending upon the domain number and size

As you can see a Vulnerability scan is far more automated and passive. Whereas a Penetration test tries to see what a malicious attacker would attempt from the latest skills, tools and knowledge from the cutting edge.

Either way, we support you to maximize your IT resources and target focus on the things that count. In the end, it gives you peace of mind, knowing your security posture strengths and weaknesses.

Vulnerability vs. Exploit – what’s the difference and why do I care?

Like most things in life we often find out the hard way – but those are the things we remember the most. We’ve all been there.

A vulnerability is very often a mistake, sometimes we realise in time and sometimes they come back to haunt us. It’s the second nasty type that makes a vulnerability. It could be small, and not even seem like a mistake, like leaving a spare key under the flower pot at the back door. Or it could be big, like leaving your key in the front door!  (Please don’t try this at home).

An attacker exploits the vulnerability in order to gain access to your system. Without an enabling vulnerability, it’s not possible for someone with malicious intent to attack. This is why updates are so important. Updates are most often our best and easiest way to remove our vulnerabilities.

The time it takes from awareness of an enabling vulnerability to an exploit seen in the wild is most often 15 days. This is why the government’s Cyber Essentials Certification requires organisations to apply patching within 14 days for High and Critical security updates.

To learn more about Cyber Essentials Certification and how to protect yourself and your organisation email sales@d2na.com today. 

Subscribe to Our Newsletter


500 King Street, Longton, Stoke-on-Trent, ST3 1EZ

Need Help?