The difference between penetration tests and vulnerability scans is a common source of confusion. While both are important tools for cyber risk analysis and are mandated under PCI DSS, HIPAA, and other security standards and frameworks, they are quite different. Let’s examine the similarities and differences between vulnerability scans and penetration tests.

What Is a Penetration Test?

A penetration test, also known as a pen test or a white-hat attack, seeks to simulate the actions of a criminal hacker attempting to break into a network, computer system, or web application, using a targeted approach to see if its security features can be defeated. While penetration tests can be automated to some extent, there is always human involvement somewhere in the process; to meet PCI DSS standards, penetration testing cannot be fully automated, although automated tools and the results of a vulnerability scan can be utilized.

A diligent pen tester does not give up easily. If a pen test is foiled by one defense, the tester adapts and tries another attack vector, just like a cyber criminal would; this is why a human with cyber security expertise must be involved. Depending on its scope, penetration testing may also involve simulated real-world attacks such as social engineering schemes or attempts to breach physical defenses and access hardware.

While penetration testing can theoretically be performed on the entire enterprise infrastructure and all applications, due to the time and expertise involved, this is impractical. Generally, pen testing focuses on the network or application level or on a certain department, function, or asset.

What Is a Vulnerability Scan?

Unlike penetration tests, which attempt to exploit vulnerabilities, vulnerability scans seek only to identify, rank, and report on them. Vulnerability scans are also far broader in scope than pen tests, typically covering the entire enterprise. They are fully automated, though a cyber security professional must still review the issues the scan identifies and decide how to mitigate them. A scan report will typically prioritize discovered vulnerabilities according to urgency, severity, and ease of fix, and offer suggestions on how to remediate them.

Vulnerability scans are performed more often than penetration tests, and because they are automated, they can be scheduled to run on a recurring basis. The PCI DSS, for example, requires that organizations perform vulnerability scans at least quarterly, while penetration tests are required at least annually. Both should also be performed whenever significant changes have been made to the data environment.
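As an added illustration (not from the original post), the following Python sketch puts the two points above into code: it ranks constructed scan findings the way a scan report does (urgency, then severity, then ease of fix) and checks whether the quarterly-scan and annual-pen-test cadences, or a significant change since the last assessment, mean an assessment is overdue. The `Finding` fields and the 91-day quarter are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cadences the post cites from PCI DSS: scans at least quarterly, pen tests at least annually.
SCAN_MAX_GAP = timedelta(days=91)      # assumption: one quarter ~ 91 days
PENTEST_MAX_GAP = timedelta(days=365)

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: int       # 1 (low) .. 4 (critical), as a scanner would score it
    exploitable: bool   # urgency: a working exploit is publicly known
    fix_effort: int     # 1 (config change) .. 3 (re-architecture)

def rank_findings(findings):
    """Order findings as a scan report does: urgent first, then most severe, then easiest to fix."""
    return sorted(findings, key=lambda f: (not f.exploitable, -f.severity, f.fix_effort))

def overdue(today, scans, pentests, changes):
    """Return {assessment: reason} for each assessment that is overdue on `today`."""
    reasons = {}
    last_scan = max(scans, default=None)
    last_pt = max(pentests, default=None)
    if last_scan is None or today - last_scan > SCAN_MAX_GAP:
        reasons["vulnerability scan"] = "quarterly cadence exceeded"
    if last_pt is None or today - last_pt > PENTEST_MAX_GAP:
        reasons["penetration test"] = "annual cadence exceeded"
    # A significant change newer than the last assessment calls for both to be re-run.
    for change in changes:
        if change > today:
            continue
        if last_scan is None or change > last_scan:
            reasons.setdefault("vulnerability scan", f"significant change on {change}")
        if last_pt is None or change > last_pt:
            reasons.setdefault("penetration test", f"significant change on {change}")
    return reasons

# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("db01", "Outdated TLS configuration", 2, False, 1),
    Finding("web01", "Remote code execution in web framework", 4, True, 2),
    Finding("web01", "Directory listing enabled", 1, False, 1),
    Finding("app02", "SQL injection in login form", 4, False, 2),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"sev={f.severity} urgent={f.exploitable} {f.host} {f.title}")
    print(overdue(date(2024, 6, 1), [date(2024, 2, 15)], [date(2023, 9, 1)], [date(2024, 3, 1)]))
```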

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.