Pen Test vs Vulnerability Scan: How to Tell the Difference and Why It Matters

Visual-Portada-Pen-Test-vs-Vul-Scan

Knowing that a lock might fail is useful, but it's not the same as kicking the door in and seeing how long it would take to steal your grandmother’s wedding ring.

Comparing a pen test to a vulnerability scan is a similar kind of “theory versus practice” question.

Vulnerability scanning shows you (some of) the software vulnerabilities that weaken your environment. Penetration testing (pen testing) pits an ethical hacker against your systems, demonstrating how a compromise would go down in the real world.

For security teams, this difference matters because:

You might read a vulnerability scan report and assume you have a certain level of risk based on the provided risk ratings. However, unless you do penetration testing on the same system, you won’t really know what your attack surface looks like.

This blog post goes deeper into why understanding the use cases for a pen test vs a vulnerability scan matters.


What Is a Vulnerability Scan?

A vulnerability scan is a comparison of the software in your environment to known Common Vulnerabilities and Exposures (CVEs).

At the end of a vulnerability scan, you will receive a list of known vulnerabilities the scanner has found in your environment.

Over a period ranging from a few minutes to a few hours, a scanner will look for known vulnerabilities in the environment it is designed for. The report you get when the scan finishes will tell you how many vulnerabilities of different severity levels the scanner found in the scanning target.

Vulnerability scanners are an essential security tool, but depending on your goals, their results might need further investigation from human testers.

Over 28,000 vulnerabilities were published in 2023 alone. Some, due to their exploitability, create extreme risk, but not all are dangerous.

Without manual verification, vulnerability scans:

Vulnerability scanners are still an essential security tool. They help security teams cover patch management by checking every detected software version for known vulnerabilities affecting that specific version.

Vulnerability scanners are also able to check for default/weak credentials in a variety of services and can identify some level of information leakage.

However, vulnerability scanners are only a tool, not a replacement for penetration testing.

Even the smartest vulnerability scanners cannot do “human” things like joining the dots between unrelated, often seemingly harmless, vulnerabilities to open up system-level compromise.


What Is Pen Testing (Compared to Vulnerability Testing)?

A pen test is a security exercise that simulates a real-world cyber attack on your environment to find weaknesses. The goal of a pentest is usually to identify all the vulnerabilities affecting the target systems and to exploit them in a risk-controlled manner to assess business impact.

Vulnerability scanning is a process within penetration testing. Pen tests often build on vulnerability scanning to see what vulnerabilities are present within an environment and assess the potential impact of exploiting them.

However, pen testers also scan environments with their own custom tools to identify potential vulnerabilities that vulnerability scanners won’t catch.

Additionally, penetration testers might have creative ideas that a vulnerability scanner cannot have. For example, “What if I try to send this type of request instead of the one the app expects?”

There are lots of vulnerabilities that a vulnerability scanner cannot identify (but a penetration test can), such as:


Pen Testing vs. Vulnerability Scanning According to Offensive Security Experts

To help show you where a vulnerability scan ends and a pen test begins, we asked our experienced penetration testing team.

Thanos Polychronis, SECFORCE’s Head of Adversary Simulation, explains that vulnerability scanners can miss exploitable vulnerabilities that allow attackers to move laterally.

“Imagine you test a web application, and after content enumeration, you find a page with a low-risk vulnerability that was not found by a vulnerability scanner. After testing it, you realise you can run an exploit that allows you to pivot inside the network, and eventually, you have control of the entire enterprise domain.”

He highlights how this kind of attack requires a multi-step approach and is based on findings, discovery, and trial and error.

“This is an attack vector that a vulnerability scanner alone would not be able to discover.”

António Quina, SECFORCE’s Technical Director, uses the example of an attacker taking user credentials they find in one place and trying them in other applications.

He says that an attacker could:

“Get a user's credentials, which potentially a vulnerability scanner could do, but then use those credentials to try to authenticate somewhere else. If the user has used the same password in multiple places [which over 65% of people have], you can gain access and then from there try to jump into other systems.”

Vulnerability scanners can be invaluable in finding vulnerabilities, but they don't connect the dots like humans do.

Real attackers are unpredictable. They often get into their target’s networks through apparently less critical vulnerabilities and then pivot their attacks into critical parts of the environment.

For this reason, including medium/low-risk vulnerabilities in a pentest report is important for assessing real-world cyber risk.

On their own, low-risk vulnerabilities may not pose much risk to an organisation, but combining individual lower-risk issues can create high risk and result in an attacker successfully compromising a system.

Here’s an example of a high-risk outcome coming from two lower-risk issues:

  1. An attacker might be able to enumerate users' emails on a system, which is, on its own, a low/medium risk.
  2. The attacker can then send the leaked email addresses a link with a payload to exploit a reflected XSS vulnerability affecting one of the organisation’s web apps (medium risk).
  3. The XSS payload redirects the recipients to a malicious website from where they download malware.

One exploit leads to another and another, and so on. Vulnerability scanners might show you the first part of a possible chain but not the whole thing.


Pen Testing vs.Vulnerability Scanning Comparison Table

To help you see the different use cases of vulnerability scanning versus penetration testing, we created the table below.

Tabla-Pen-Test-vs-Vulnerability-Scan

Both vulnerability scanning and pen testing identify vulnerabilities.

The core difference is that pen testing also exploits those vulnerabilities to see which ones are dangerous to your organisation and need immediate attention.

However, there really isn't a choice between vulnerability scanning and penetration testing.

You should do both.

Vulnerability scanning is a fundamental cybersecurity task and is the only way to do patch management properly.

Visual-Pen-Test_Vulnerability-Scan


When to Do a Vulnerability Scan Versus a Pen Test

Do a vulnerability scan on a monthly basis, if not more. Use your existing team and a vulnerability scanning tool designed for whatever environment(s) you operate. You might also want to hire an external team to validate the scan’s findings, i.e., to check for false positives. The findings will help you optimise your patch management processes.

Do a pen test whenever you release a new solution or change your infrastructure (for example, a new virtual private network), release a new API, deploy a new firewall, and move infrastructure to another site. As a rule, changes to your environment merit pen testing


Are You Being Sold a Vulnerability Scan Instead of a Penetration Test?

“If it's much cheaper than average, it may not be a pentest at all.”

This is the golden rule that our offensive security experts think buyers need to keep in mind.

Some offensive security firms will say/imply they provide pen testing but actually just do vulnerability scanning.

This mix-up can put you at immense risk. As we’ve already explained above, a vulnerability scan is not a substitute for a penetration test. Thinking that a penetration test has taken place when you have just undergone a vulnerability scan can lead to insecure systems, compliance failure, and potential breaches.

If you are contracting a penetration testing firm, here’s what to look out for to make sure you don't get a vulnerability scan instead.

Do the following before a penetration test takes place when reviewing proposals:


Get a Best-In-Class Penetration Test with SECFORCE

SECFORCE offers comprehensive penetration testing, helping to find flaws where others might not.

We can also review your testing programme and provide advice and approach to maximise your results and enhance your security posture.

Contact us to have a chat.

You may also be interested in...

Visual Hate Learning? Forget About Offensive Security
Nov. 11, 2024

Hate Learning? Forget About Offensive Security

We asked some of our industry experts to explain the kind of learning offensive security teams follow and turned their insights into this blog.

See more
Visual_Blog
June 27, 2024

DORA Scope Explained. Are You Impacted?

Designed to enhance and harmonise digital resilience within the European financial market, the Digital Operational Resilience Act will impact thousands of EU entities. Is yours one of them?

See more