What’s the Difference Between a Vulnerability Scan and a PEN Test?
We find that often customers become confused between a Vulnerability Scan and a Penetration (PEN) test. We’ve created this table below to show the differences.
Basically, a vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities.
A penetration test is a detailed hands-on examination by an actual person that tries to detect and exploit weaknesses in your system.
These tests are good steps to maintain Cybersecurity compliance
Penetration “PEN” Testing
|Performed by:||Employee or Consultant||3rd Party Ethical Hacker|
|Performed with:||Script||Compilation of specific code|
|Tools Used:||Qualys, Tenable, etc.||Nessus, Metasploit, Variety of tools|
|Duration:||4 hours||1-20 days|
|Period:||Monthly or less||Yearly or more for incident response|
|Purpose:||Review of weaknesses||Analysis of comprisable systems|
|Medical Analogy:||Single X-ray||Series of MRIs|
|Motivation:||Good Cyber Hygiene||Due Diligence|
|Results:||List of open ports, missing patches||Description of attempts blocked or vulnerabilities|
|Looking to Identify:||SW vulnerabilities||Insecure Business practices|
|Examples of Findings:||Unpatched SW, obscure protocols…||Credential violations, clear text transmissions|
|Remediation:||Patching, Upgrading, …||Hardening, Re-design, vendor swap|
|Variations:||Scan||Black-Box: Zero knowledge of Network|
|Assessment||Gray Box: Partial knowledge of Network|
|White Box: Full Knowledge of Network|