Gavin Wood is the Chief Technology Officer at Chess. With over 20 years in the IT industry, Gavin has a track record of driving successful business transformation through technology. An avid yachtsman, he's a massive advocate for remote working and anywhere operations.
Gavin Wood, CTO at Chess, explains the difference between Vulnerability Assessment and Penetration Testing and their applications.
Vulnerability Assessments (VAs) are usually seen as a lesser service when compared to a Penetration Test (Pen Test). However, they are both an essential part of your information security program and should be part of your regular testing schedule.
What is a Vulnerability Assessment?
A Vulnerability Assessment is an automated activity that actively scans for possible security vulnerabilities within an internal or external infrastructure (including all systems, network devices and communication equipment connected to that network) that cybercriminals could exploit.
It is conducted against infrastructure IP addresses and produces a report to identify any issues found and allow you to resolve them.
Examples of issues could be:
- Unpatched software
- Misconfigured or open ports
- Default credentials being used, e.g. admin/admin
- Deviations from best-practice configuration, such as insecure communication protocols, e.g. older TLS versions
A Vulnerability Assessment is what you would start with if you have never had any security testing services. It’s the first step on your security testing journey and can be used to identify the immediate risks to your business, allowing you to take action to remediate quickly.
However, Vulnerability Assessments are also an essential part of ongoing testing. Therefore, they should be conducted regularly - once a month or quarter, depending on your rate of change and risk appetite. Running regular Vulnerability Assessments ensures that any changes such as a new server installation, a piece of software identified as out of date or a misconfiguration like a port being left open are caught as quickly as possible.
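To make the value of regular runs concrete, the following added example (not from the original article) compares two assessment snapshots and reports what changed between them. The snapshot layout, the sample data and the name `diff_snapshots` are assumptions made for illustration and do not correspond to any particular scanner's output format.

```python
# Added illustration: compare two assessment snapshots of your own estate.
# The snapshot layout (host -> port -> details) is hypothetical, and the data
# below is constructed, using the 192.0.2.0/24 documentation address range.
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

PREVIOUS = {
    "192.0.2.10": {443: {"service": "https", "tls": "TLSv1.2"}},
    "192.0.2.20": {22: {"service": "ssh", "tls": None}},
}
CURRENT = {
    "192.0.2.10": {443: {"service": "https", "tls": "TLSv1.2"},
                   3389: {"service": "rdp", "tls": None}},
    "192.0.2.20": {22: {"service": "ssh", "tls": None}},
    "192.0.2.30": {8443: {"service": "https", "tls": "TLSv1.0"}},
}


def diff_snapshots(previous, current):
    """Return sorted (host, port, finding) tuples: changes since the last run,
    plus any service in the current run that still offers a legacy TLS version."""
    findings = []
    for host, ports in current.items():
        old_ports = previous.get(host)
        if old_ports is None:
            # A server that was not present in the last assessment.
            findings.append((host, None, "new host"))
            old_ports = {}
        for port, info in ports.items():
            if port not in old_ports:
                findings.append((host, port, "newly open port"))
            if info.get("tls") in LEGACY_TLS:
                findings.append((host, port, "legacy TLS: " + info["tls"]))
    # Ports that have disappeared are worth confirming as intentional changes.
    for host, ports in previous.items():
        for port in ports:
            if port not in current.get(host, {}):
                findings.append((host, port, "port closed since last run"))
    return sorted(findings, key=lambda f: (f[0], f[1] or 0, f[2]))


if __name__ == "__main__":
    for host, port, finding in diff_snapshots(PREVIOUS, CURRENT):
        print(host, port if port is not None else "-", finding)
```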
According to research from Sophos, a device connected to the internet was attacked within 52 seconds of going live. These attacks essentially start with automated malicious vulnerability scans, which are constantly run against internet IP addresses looking for known weaknesses in any infrastructure detected. Therefore, you must be running your own scans to ensure no gaps are available to be exploited.
So what is the difference between a Vulnerability Assessment and a Penetration Test?
A pen test goes further and deeper. Expert pen testers (sometimes known as ethical or white-hat hackers) will run the tests. The pen test will include a vulnerability assessment for an initial sweep of the infrastructure, but the key here is that the pen tester will use the output of the Vulnerability Assessment and combine it with their experience and skillset to penetrate further into your network.
They will perform research and reconnaissance, threat analysis and exploitation of the vulnerabilities identified to reveal the full extent of your information security and its weaknesses.
The report from a pen test will provide a detailed list of any threats or vulnerabilities found and the recommended remedial actions. Threats and vulnerabilities are ranked in order of criticality. The report will also contain an executive summary and an attack narrative which will explain the risks in business terms.
Given that pen tests are more in-depth and take more time, they are usually run less frequently than vulnerability assessments. Most organisations should do them annually unless there has been significant infrastructure change, such as a new VPN or remote access solution deployed, new apps deployed, or it’s required for compliance reasons.
The Vulnerability Assessment complements the Pen Test, and running them frequently ensures that nothing is missed and that any attack surface is reduced and secured as quickly as possible.