Red Teaming

9 min read

Vulnerability assessments vs. penetration testing

Penetration tests are a detailed hands-on exploration of an organization’s weaknesses while vulnerability assessments quickly identify risks without going deeper. Here’s why you need both.

Dimitris avatar

Feb 13

This post is based on the Hack The Box (HTB) Academy module (or course) on Vulnerability Assessments. The module demystifies vulnerability assessments and provides hands-on exercises to practice each of the tactics and techniques we cover (including vulnerability scanning tools such as Nessus). 

You can learn more by browsing the catalog of free or advanced cybersecurity courses on the HTB Academy! 

What is a vulnerability assessment? 

A vulnerability assessment uses tools to detect, categorize, and prioritize vulnerabilities that currently exist within a system. Usually, a vulnerability scanner, such as Nessus, scans systems and identifies common vulnerabilities and exposures.

A vulnerability assessment aims to understand, identify, and categorize the risk of the issues present in an environment without exploiting them to gain further access.

💡Important note: there is little to no manual exploitation during a vulnerability assessment.

Why might an organization need a vulnerability assessment?

Just as security analysts might use a vulnerability scanner to find weaknesses in an organization’s systems, so can cybercriminals. So, a vulnerability assessment is crucial to quickly identify common vulnerabilities and bolster systems against cyber attacks. 

Vulnerability assessments are also conducted to comply with security regulations that are relevant to certain industries. 

Vulnerability assessment key terms

There are some key terms all IT or infosec professionals should know when it comes to both vulnerability assessments and penetrating testing:

  • Vulnerability: a weakness or bug in an organization's environment, including applications, networks, and infrastructure, that opens up the possibility of threats from external actors. Vulnerabilities can be registered through MITRE's Common Vulnerability Exposure database and receive a Common Vulnerability Scoring System (CVSS) score to determine severity. 

  • Threat: some vulnerabilities raise more threat concerns over others due to the probability of the vulnerability being exploited.

  • Exploit: any code or resources that can be used to take advantage of an asset's weakness.

  • Risk: the possibility of assets or data being harmed or destroyed by threat actors.

Vulnerabilities, threats, and exploits all play into the risk of a system’s weakness. These are key things that a vulnerability assessment will identify and aim to remediate with future actions.

Vulnerability assessments likelihood impact

Vulnerability assessment vs. penetration test

So, now that we understand what a vulnerability assessment is, how does it differ from a penetration test? First, let’s dive into what a penetration test is

A penetration test (or pentest) is an organized, targeted, and authorized attack that tests IT infrastructure, applications, physical security, company personnel, and their defenders. This test is carried out by penetration testers who mirror the methods and techniques weaponized by real cyber attackers.

penetration test vs vulnerability assessment

What’s the purpose of a vulnerability assessment vs. a penetration test?

A vulnerability assessment aims to assess the overall security posture and identify potential vulnerabilities that the attackers can exploit. Whereas, a penetration test's goal is to evaluate a system's resilience against attacks.

For example, in an initial vulnerability assessment, you might discover that vulnerable plugins could lead to an SQL injection or an XSS vulnerability. So, these would have been patched. 

However, hackers have many other ways to exploit a system's vulnerabilities that an initial automated scan might not catch. Vulnerability assessments provide a quick report of an organization’s security posture, while penetration tests go a few layers deeper.

Penetration testers manually exploit systems and networks to uncover vulnerabilities accurately and assess how cybercriminals might use them to their advantage. They can then provide a detailed report on how they exploit vulnerabilities so that an organization can fix them. This tests the actual resilience of an organization against real-world attacks.

When would you carry out a vulnerability assessment vs. a pentest?

Organizations with a proactive cybersecurity approach will periodically conduct vulnerability assessments to identify new threats and ensure security. 

Penetration tests aren’t as regular and are usually carried out before or after large developmental updates to a system or network. 

Vulnerability assessments also take only a few minutes or hours to complete, while a penetration test can take weeks due to the different stages.

What’s the different methodology and scope between vulnerability assessments and penetration tests?

The scope of a vulnerability assessment is much broader and less defined than a penetration test. A vulnerability scanner will scan and analyze the entire target environment to identify all possible vulnerabilities. However, it’s important to note that this can often lead to some false positives, which is why the human element of a penetration test can confirm or deny these. 

A penetration test aims to uncover and exploit the more difficult vulnerabilities. It’s a much more targeted approach that tests specific systems, applications, or networks against real-world attacks.

vulnerability assessments vs penetration test method

Practice vulnerability assessments on Hack The Box Academy

You have been contracted by the company Inlanefreight to perform an internal vulnerability assessment against one of their servers. They have asked for a cursory assessment to be performed to identify any significant vulnerabilities, as they do not have the budget for a full-scale penetration test this year.

The results of this vulnerability assessment may enable the CISO to push for additional funding from the Board of Directors to perform more in-depth security testing.

This scan will use Nessus, a vulnerability scanner developed by Tenable.

Take the HTB Academy Vulnerability Assessment module today, and you’ll:

  • Run your own vulnerability assessment on realistic corporate infrastructure using Nessus with in-browser skills assessments.

  • Learn how to interpret the results you uncover.

  • Record your findings in a report that we’ve structured for you.

Whether your team is just starting or looking to challenge themselves with more advanced content, the CTF Marketplace has you covered.

Other types of security assessments

While vulnerability assessments and penetration tests are some of the most common security assessments, there are some others that infosec professionals should be aware of:

Security audits

Vulnerability assessments are performed by choice, but security audits are mandated by government agencies or industry associations to ensure that an organization is compliant with specific security regulations. This means that organizations typically can’t choose when a security audit is carried out. 

All retailers, restaurants, and service providers who accept major credit cards (Visa, MasterCard, AMEX, etc.) must comply with the PCI-DSS "Payment Card Industry Data Security Standard". 

A company that accepts credit and debit card payments may be audited for PCI DSS compliance, and noncompliance could result in fines and not being allowed to accept those payment methods anymore.

Bug bounties

A bug bounty program invites members of the general public to find security vulnerabilities in their applications. These bounty hunters can be paid for discovering these vulnerabilities and reporting their findings, sometimes up to thousands of dollars!

Larger organizations with a strong security posture tend to suit bug bounty programs best as they have the capabilities to analyze the reports.

Want to become a bug bounty hunter? Then take our highly hands-on certification that assesses your bug bounty hunting and web application pentesting skills.


Red team assessment

Companies with their very own red teams can conduct their own internal assessments, performing more targeted penetration tests with an insider's knowledge of its network.

An organization may run multiple red team campaigns based on new cyber exploits discovered through the actions of advanced persistent threat groups (APTs). 

Purple team assessment

A purple team is a combination of red and blue (offensive and defensive) techniques, which offers a unique perspective of both sides of the coin. 

So, a purple team assessment is much like a red team assessment but with continuous input from blue team members such as SOC analysts, engineers, or a CSIRT (computer security incident response team).

The blue team may design some of the steps and both teams can learn how to defend and attack vulnerabilities. 

Want to challenge your purple team capabilities? Our Sherlocks Labs facilitate purple team upskilling with defensive and offensive versions of Machines for the full 360 learning experience:

Sherlocks lab

Offensive machine


There’s been a potential security breach within Forela's internal network. It’s your job to investigate, putting your digital forensics and network security skills to the test.


Exploit an unauthenticated arbitrary file read vulnerability, gaining full administrative access to the machine.


A critical alert has been raised over a newly implemented Apache Superset setup. You need to investigate and confirm the presence of any compromise.


Test your web application skills as you attempt to exploit a vulnerability in Apache Superset.


You have been tasked with the analysis of artifacts from a potentially compromised GitLab server.


Explore how you can exploit and gain a foothold in a GitLab server.

Security assessments and compliance

cybersecurity assessments compliance

Before conducting any penetration tests, you must ensure that the owner of a network has a signed legal contract with pentesters outlining what they're allowed to do and what they're not allowed to do.

Both penetration tests and vulnerability assessments should comply with specific standards to be accredited and accepted by governments and legal authorities. This ensures that the tests are carried out fully and efficiently. 

Payment Card Industry Data Security Standard (PCI DSS)

Organizations that store, process, or transmit cardholder data must implement PCI DSS guidelines. These guidelines include internal and external scanning of assets. For example, any credit card data that is being processed or transmitted must be done in a Cardholder Data Environment (CDE).

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA does not necessarily require vulnerability scans or assessments; however, a risk assessment and vulnerability identification are required to maintain HIPAA accreditation.

Federal Information Security Management Act (FISMA)

This is a set of standards and guidelines used to safeguard government operations and information. The act requires an organization to provide documentation and proof of a vulnerability management program to maintain a system's confidentiality.

ISO 27001

ISO 27001 is a standard used worldwide to manage information security. ISO 27001 requires organizations to perform quarterly external and internal scans.

Learn more about vulnerability assessments and penetration testing with HTB!

For a proactive comprehensive cybersecurity strategy, both vulnerability assessments and penetration tests have their place. 

Regular vulnerability assessments are able to alert teams of potential vulnerabilities and threats. While penetration tests can truly test an organization’s security posture and defenses against these threats. 

These are crucial areas for information security professionals to excel in. This will not only ensure you can do your job but also set you apart from the competition. 

Explore the following HTB content for more information:

🖥️ Vulnerability Assessments module

🖥️Network Enumeration with Nmap

🖥️ Attacking Enterprise Networks

🖥️ Injection Attacks

📜Penetration Testing Certification

📜HTB Certified Bug Bounty Hunter (HTB CBBH)

📖How to become a penetration tester in 2023

📖What is penetration testing?


Author bio: Dimitrios Bougioukas (Dimitris), Senior Director of IT Security Training Services, Hack The Box

Dimitrios has extensive experience in upskilling the IT security teams of Fortune 100/500 tech companies and government organizations. He enjoys analyzing the threat landscape as well as interpreting market and data analytics to assist Hack The Box in devising its training strategy and roadmaps, from go-to-market all the way to the syllabus level.

Prior to Hack The Box, Dimitrios directed the development of training and certifications through eLearnSecurity/INE and was behind certifications like eCPTX, eWPT, and eCIR.

You can connect with him on LinkedIn here.


Hack The Blog

The latest news and updates, direct from Hack The Box