Skip to the content

Penetration Test Versus Vulnerability Assessment

Penetration Test Versus Vulnerability Assessment

The Difference Between Technical Security Weaknesses Discovery Techniques

For years customers have been confused what is the difference between a Penetration Test and a Vulnerability Assessment, with CREST officially launching separate accreditation for the two techniques now. Read this article to learn more.


Vulnerability Assessments are most often used by organisations when they want to identify the vulnerabilities present in their infrastructure and get a high-level overview of their security posture. It involves an external approach and includes automated processes.


"Vulnerability assessment (sometimes referred to as ‘scanning’) is the use of automated tools to identify known common vulnerabilities in a system’s configuration."

Through this exercise, the company can discover system and software vulnerabilities. Examples of well-known software issues, often patched through updates, include remote code execution, denial of service, information disclosure.

Vulnerability Assessments are useful for companies who do not have visibility or understanding of their security posture. For organisations with legacy infrastructure, it is a quick, cost-effective way to identify and focus on software versions and systems that can be fixed easily.

Bigger organisations tend to perform a Vulnerability Assessment at least every quarter, as both a Penetration Test and Vulnerability Assessment provide a correct analysis of your security posture at the time of examination.

There are different levels of a Vulnerability Assessment. The automated part does not require highly skilled engineers, which may be the service you get from certain vendors. However, our experience and team bring additional value through Open Source Intelligence (OSINT) gathering exercises as well as the aftercare we are able to provide customers.

A Penetration Test is different to a Vulnerability Assessment as it not only identifies cyber issues within the company’s infrastructure, systems and operations but also exploits these vulnerabilities and if necessarily combines them to achieve a specific objective.

For example, if the Pen Tester’s objective is to gain internal network access they would find a vulnerability that allows them to upload files, then another one that lets them find those files, and another one that marries these up to execute something malicious.


"A Penetration Test is typically an assessment of IT infrastructure, networks and business applications to identify attack vectors, vulnerabilities and control weaknesses."

We use a simple allegory to a network - a house. A vulnerability Assessment would identify problem areas such as a rusty lock, a half-opened window, a garbage bin that someone can step on, but stop at that. A Penetration Test would also involve someone trying to exploit these findings to break into the house – checking if the rusty lock is unlocked or if they can step on the garbage bin to access the opened window.

However, while a Pen Test brings more value to a company compared to a Vulnerability Assessment, both have their uses and applications. It allows for a staged approach, as without a prior vulnerability assessment a Pen Test report may include an overwhelmingly long list of issues.

A Vulnerability Assessment allows an engineer to have a more targeted Pen Test approach adding more value to the customers. However, a Pen Test requires more resources, manual checks and even physical attempts to achieve a malicious cyber objective. It takes much longer compared to a Vulnerability Assessment. The latter would typically take a maximum of a day, while a penetration test can require more than several days of onsite work. The Chess Pen Testers will perform a vulnerability check as part of the exercise unless the assignment requires ‘undercover’ work since the software for this can be rather ‘noisy’.


Source: A guide for running an effective Penetration Testing programme, CREST


It is important to note that both a Vulnerability Assessment and a Pen Test are only worthwhile if the organisation actions the remediation actions from the reports, proactively tries to change and improve their security posture.

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market (Source: CREST).

CREST officially launched a Vulnerability Assessment (VA) Accreditation discipline from the 1st of October, which Chess is certified under along with Cyber Essentials, Cyber Essentials Plus and Penetration Testing.

Among the benefits of using a CREST certified provider are the objectivity and the quality guarantee. All reports created by Chess’ Pen Test team are vendor agnostic, performed under strict NDAs, kept completely separate to the rest of the business, including other engineers and sales team. This means that while our Pen Testers can make solution recommendation based on an identified vulnerability, they will not be biased towards a vendor that may offer such solutions.

Check our blog for more Pen Testing content or our site to learn more. For further information you can email our team or contact us on 0330 107 7860.



Chess is one of the UK’s leading independent and trusted technology service providers, employing 300 skilled people across the UK, supporting over 20,000 organisations.

 By leveraging world-class technology, Chess helps you to connect your people, protect your data, grow your business, reduce your costs and work better together, which means your business, your people and your customers can thrive.

At Chess, we’re passionate about our unique culture and our continuous investment in our people to be industry experts. We’re extremely proud that our people voted us No.1 in ‘The Sunday Times 100 Best Companies to Work for’ list 2018, and we continue to celebrate more than ten years in the top 100.

Speak to a Product Specialist

You can fill out the form and one of our product specialists will contact you shortly with more information.
To contact our Sales team directly, please call 0344 770 6000 and choose option 4.
Customer Service
For general queries or to report a non-urgent fault, please log a ticket on our customer portal using the email address associated with your account. Logging a ticket is quick and easy to do. Once you have logged your ticket, we will respond within 24 hours or your Service Level Agreement, whichever is quicker.
I agree for my information to be used for marketing communications.
Chess Privacy Notice

By submitting your personal information through this form, you consent to your information being processed in accordance with the Chess group privacy notice.