
Gavin Wood, CTO at Chess, explains the difference between Vulnerability Assessment and Penetration Testing and their applications.


Vulnerability Assessments (VAs) are usually seen as a lesser service when compared to a Penetration Test (Pen Test). However, they are both an essential part of your information security program and should be part of your regular testing schedule.


What is a Vulnerability Assessment?


A Vulnerability Assessment is an automated activity that actively scans for possible security vulnerabilities within an internal or external infrastructure (including all systems, network devices and communication equipment connected to that network) that cybercriminals could exploit.

It is conducted against infrastructure IP addresses and produces a report to identify any issues found and allow you to resolve them.

Examples of issues could be:

  • Unpatched software
  • Misconfigured or open ports
  • Default credentials being used, e.g. admin/admin
  • Deviations from best-practice configuration, such as insecure communication protocols, e.g. older TLS versions

A Vulnerability Assessment is what you would start with if you have never had any security testing services. It’s the first step on your security testing journey and can be used to identify the immediate risks to your business, allowing you to take action to remediate quickly.

However, Vulnerability Assessments are also an essential part of ongoing testing. Therefore, they should be conducted regularly - once a month or quarter, depending on your rate of change and risk appetite. Running regular Vulnerability Assessments ensures that any changes such as a new server installation, a piece of software identified as out of date or a misconfiguration like a port being left open are caught as quickly as possible.

According to research from Sophos, a device connected to the internet was attacked within 52 seconds of going live. These attacks typically start with what is essentially an automated malicious vulnerability scan, run constantly against internet IP addresses looking for known weaknesses in any infrastructure detected. Therefore, you must be running your own scans to ensure no gaps are available to be exploited.
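The value of a regular assessment is in catching change between scans: a newly opened port, a new host, a legacy protocol switched on, or a service falling behind its patched version. The script below, added here as an illustration and not code from Chess or any scanner, diffs two constructed scan snapshots against each other and against a constructed patch baseline to surface exactly those regressions.

```python
"""Diff two scheduled vulnerability-scan snapshots and report new exposures.

Constructed example: the snapshots, the legacy-protocol set and the patch
baseline are hand-written here, not output from any real scanning product.
"""
from typing import List

# Constructed snapshots: host -> {"ports": {port: service banner}, "tls": [versions offered]}
PREVIOUS_SCAN = {
    "10.0.0.5": {"ports": {22: "OpenSSH 8.9", 443: "nginx 1.24"}, "tls": ["TLSv1.2", "TLSv1.3"]},
}
CURRENT_SCAN = {
    "10.0.0.5": {"ports": {22: "OpenSSH 8.9", 443: "nginx 1.24", 3389: "ms-wbt-server"},
                 "tls": ["TLSv1.0", "TLSv1.2", "TLSv1.3"]},
    "10.0.0.9": {"ports": {80: "Apache httpd 2.4.49"}, "tls": []},
}

# Protocol versions a scanner would report as insecure communication protocols
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Constructed patch baseline: product name -> minimum version considered patched
MIN_VERSION = {"Apache httpd": "2.4.51", "OpenSSH": "8.9", "nginx": "1.24"}


def version_tuple(version: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_regressions(previous: dict, current: dict) -> List[str]:
    """Return one finding per new host, newly open port, legacy protocol or unpatched service."""
    findings = []
    for host, data in current.items():
        old = previous.get(host)
        if old is None:
            findings.append(f"{host}: new host appeared since last scan")
        new_ports = set(data["ports"]) - set(old["ports"] if old else {})
        for port in sorted(new_ports):
            findings.append(f"{host}: newly open port {port} ({data['ports'][port]})")
        for ver in sorted(set(data["tls"]) & LEGACY_TLS):
            findings.append(f"{host}: legacy protocol {ver} offered")
        for port, banner in data["ports"].items():
            name, _, ver = banner.rpartition(" ")  # banners without a version fall through
            minimum = MIN_VERSION.get(name)
            if minimum and version_tuple(ver) < version_tuple(minimum):
                findings.append(f"{host}: {banner} on port {port} is below patched version {minimum}")
    return findings


if __name__ == "__main__":
    for line in find_regressions(PREVIOUS_SCAN, CURRENT_SCAN):
        print(line)
```

Feeding the same function each month's export turns a one-off scan into the change-tracking the section describes.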


So what is the difference between a Vulnerability Assessment and a Penetration Test?


A pen test goes further and deeper. An expert pen tester (sometimes known as an ethical or white-hat hacker) will run the tests. The pen test will include a vulnerability assessment for an initial sweep of the infrastructure, but the key here is that the pen tester will use the output of the Vulnerability Assessment and combine it with their experience and skillset to penetrate further into your network.

They will perform research and reconnaissance, threat analysis and exploitation of the vulnerabilities identified to reveal the full extent of your information security and its weaknesses.

The report from a pen test will provide a detailed list of any threats or vulnerabilities found and the recommended remedial actions. Threats and vulnerabilities are ranked in order of criticality. The report will also contain an executive summary and an attack narrative which will explain the risks in business terms.



Given that a pen test is more in-depth and takes more time, it is usually run less frequently than a vulnerability assessment. Most organisations should do one annually unless there has been significant infrastructure change, such as a new VPN or remote access solution deployed, new apps deployed, or it’s required for compliance reasons.

The Vulnerability Assessment complements the Pen Test, and running them frequently ensures that nothing is missed and that any attack surface is reduced and secured as quickly as possible.


To learn more about how you can protect your organisation, book your free 30-minute security assessment with one of our penetration testers. Get agnostic advice from industry experts on how to secure your business.


Gavin Wood

Gavin Wood is the Chief Technology Officer at Chess. With over 20 years in the IT industry, Gavin has a track record of driving successful business transformation through technology. An avid yachtsman, he's a massive advocate for remote working and anywhere operations. 
