Vulnerability Assessment vs. Penetration Testing

Knowing the difference between vulnerability assessment and penetration testing is critical when hiring an IT Security Management Firm to perform a security assessment. In this blog, we explore the differences between these two processes, as well as how they can be combined to achieve a more complete vulnerability analysis for protecting your organization from potential risks.

Vulnerability Assessment

Vulnerability assessment covers a broad scope of systems. The major value comes with manual testing by a security expert. This is a great starting point for companies that are looking to begin their security programs. Organizations with more mature programs in place are most likely already performing vulnerability assessments as part of their recurring vulnerability management program.

This approach typically leverages both internal and external scanning, as well as expert analysis and validation to cover all of an environment's devices and endpoints. Once security vulnerabilities have been identified, they are aggregated into a list for a security expert to evaluate and prioritize the risks. This list can then be used by IT security engineers to manage vulnerabilities and remediation.

Penetration Test

In contrast, a penetration test (pen test for short) requires much more experience and more manual planning, coordination and execution. Pen testers can use the list of vulnerabilities found during a vulnerability assessment as a starting point, and they can also find vulnerabilities that an automated tool cannot pick up. They rely on intuition and experience to look for gaps and intangibles.

A pen testing engagement can also vary in scope. It can have a narrow goal, such as proving that a particular system is exploitable, or it can take a wide-scale approach aimed at gaining access to any system the pen tester can find. After the scope is set and the plan is clearly communicated, the pen tester begins with the end in mind and focuses their efforts accordingly.

The ultimate goal of a pen test is to identify the true impact of a vulnerability so that accurate risk can be assigned and the vulnerabilities can be prioritized.


Both vulnerability assessments and penetration testing are required under PCI and both are encouraged under HIPAA.


The PCI Data Security Standard (DSS) mandates that internal and external vulnerability assessments must be performed quarterly and that penetration testing must be performed at least annually (PCI DSS requirements 11.2 and 11.3/11.4, respectively). As of version 3.0, PCI DSS requires a more rigorous, specific and mature pen testing methodology. Here is a related excerpt from the standard: "Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective."


Vulnerability assessments are encouraged as part of HIPAA compliance and as part of a healthcare organization's risk management program. A HIPAA risk assessment must include a comprehensive technical assessment of the internal and external networks whether wired, wireless, or cloud-hosted.

Determining the likelihood that a threat will exploit a vulnerability is the basis of a HIPAA risk assessment. The list of technical vulnerabilities provides a basis for the analysis.

The use of penetration testing is encouraged under the HIPAA Security Rule during the Administrative Safeguards' Evaluation phase. According to section 4.8 of NIST Special Publication 800-66 Revision 1, healthcare organizations must "Conduct penetration testing…if reasonable and appropriate." Leveraging penetration testing makes a lot of sense for evaluating how well your ePHI (Electronic Protected Health Information) is protected from attackers.