Denver, CO
October 09, 2025

Confusion…

One confusing aspect for a lot of folks working in the cybersecurity industry is the difference between a Penetration Test, a Vulnerability Scan, and a Security Assessment.

Here’s a brief rundown of the three options, and what I recommend and when (in this order):

  1. Security Assessment – this is a comprehensive look at the organization's security posture – including policies, procedures, and controls. It is used to identify GAPS and RISKS in the security architecture – not just technical vulnerabilities. There are free tools that can be downloaded and used to run security assessments – the Cyber Security Evaluation Tool (CSET) is one such free tool made available by the Cybersecurity and Infrastructure Security Agency (CISA). Microsoft also has the Microsoft Security Assessment Tool 4.0, which is available at no cost. Security Assessments should be conducted often, as resources allow. A good target is every 6 months.
  2. Vulnerability Scan – a good security assessment should lead to a Vulnerability Scan, which is an automated process that scans systems, networks, and applications for known vulnerabilities. Some common tools that are used include Qualys, Tenable, and OpenVAS. Vulnerability scans are useful in identifying software or systems that are unpatched and need to be updated. Vulnerability scans should be performed on a regular basis (at least quarterly).
  3. Penetration Test ("pen test") – a pen test is a simulated cyberattack, except it is carried out by an "ethical hacker" on a paid engagement. The tester will examine the system for vulnerabilities and exploit them (without causing the damage that a true bad guy would). Pen tests are valuable in that they test the effectiveness of an organization's cybersecurity controls. Penetration tests should be conducted whenever a material change occurs to an environment (new hardware/new applications/etc.), but most compliance requirements are for a formal test to be conducted at least once a year. Some penetration tests are done autonomously, using special tools to run the tests without human intervention. Examples of these autonomous testing applications are Horizon3 and vPenTest from Vonahi Security. Of course, if you'd like to do your own, grab a copy of Kali Linux and fire up a Metasploit session (more on that later).

© 2025, Think Like A Bad Guy. All rights reserved.
