Vulnerability Assessment vs. Penetration Testing

With the onset of the Protection of Personal Information Act, organisations are now more actively looking to get cyber insurance or cyber liability cover, and are faced with one, or both, of the following requirements:

  • Vulnerability Assessment
  • Penetration Testing

The question is, what is the difference between the two and why are they necessary?

What is Vulnerability Assessment?

A Vulnerability Assessment, or vulnerability scan, is typically software programmed to run tests against your network environment to detect certain vulnerabilities. The vulnerabilities found are usually not actively exploited during the test, so some results may be false positives. Each vulnerability found is assigned a score expressing its severity. Vulnerability scans are highly automated and affordable; depending on the size of the network, a scan can run anywhere from a couple of minutes to a couple of hours. It typically runs quietly in the background with no effect on end users.

What results can you expect from a Vulnerability Assessment?

Our Vulnerability Assessment provides you with detailed reports covering Network, Exchange and Security, each with a Risk Assessment and a Rating Score out of 100. These reports can be used to ascertain where the vulnerabilities are within each segment of your IT environment, and they provide remedial steps that not only lower your risk rating but also improve the overall stance of your IT environment.
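To show how scan output is consumed on the receiving end (the severity scores, the false-positive caveat and a per-segment rating out of 100 mentioned above), here is an added triage example. It is not the article's own scanner or report: the finding records are constructed, the `confirmed` flag (active check vs. version-banner inference) is an assumption about what a scanner exports, and the 0-100 rating formula is a hypothetical illustration, not the provider's scoring method.

```python
"""Triage of vulnerability-scan findings (added example, not the article's product).

Assumptions not taken from the page:
  - each finding carries host, segment, title, a CVSS base score and a
    'confirmed' flag: True when the scanner verified the issue with an
    active check, False when it was inferred from a version banner;
  - the 0-100 segment rating is a hypothetical formula for illustration.
"""
from collections import defaultdict

# Constructed sample findings, in the shape a scanner export might take.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5",  "segment": "Network",  "title": "SMBv1 enabled",                "cvss": 7.5, "confirmed": True},
    {"host": "10.0.0.5",  "segment": "Network",  "title": "Outdated OpenSSH banner",      "cvss": 5.3, "confirmed": False},
    {"host": "10.0.0.12", "segment": "Exchange", "title": "TLS 1.0 accepted",             "cvss": 4.3, "confirmed": True},
    {"host": "10.0.0.12", "segment": "Exchange", "title": "Unpatched mail server banner", "cvss": 9.8, "confirmed": False},
    {"host": "10.0.0.20", "segment": "Security", "title": "Default admin credentials",    "cvss": 9.8, "confirmed": True},
]

# Weight per qualitative band used by the hypothetical rating formula.
SEVERITY_WEIGHT = {"None": 0, "Low": 1, "Medium": 3, "High": 7, "Critical": 12}


def severity(cvss):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def segment_rating(findings):
    """Hypothetical rating out of 100 per segment: 100 minus the summed
    severity weights of that segment's findings, floored at 0."""
    weight = defaultdict(int)
    for f in findings:
        weight[f["segment"]] += SEVERITY_WEIGHT[severity(f["cvss"])]
    return {seg: max(0, 100 - w) for seg, w in weight.items()}


def needs_verification(findings):
    """Unconfirmed (banner-inferred) findings, most severe first: these are the
    candidates for false positives and should be checked by hand before any
    remediation effort is spent on them."""
    unconfirmed = [f for f in findings if not f["confirmed"]]
    return sorted(unconfirmed, key=lambda f: f["cvss"], reverse=True)


def remediation_order(findings):
    """Confirmed findings, most severe first: the actual fix queue."""
    confirmed = [f for f in findings if f["confirmed"]]
    return sorted(confirmed, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for seg, score in sorted(segment_rating(SAMPLE_FINDINGS).items()):
        print(f"{seg:<9} rating {score}/100")
    print("\nFix first (confirmed):")
    for f in remediation_order(SAMPLE_FINDINGS):
        print(f"  [{severity(f['cvss']):<8}] {f['host']:<10} {f['title']}")
    print("\nVerify manually (possible false positives):")
    for f in needs_verification(SAMPLE_FINDINGS):
        print(f"  [{severity(f['cvss']):<8}] {f['host']:<10} {f['title']}")
```

The split into a confirmed fix queue and an unconfirmed verification queue is the practical consequence of the paragraph's point that scans do not exploit what they find: a banner-derived "Critical" is not automatically more urgent than a confirmed "High" until someone has checked it.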

What is Penetration Testing?

Where Vulnerability Assessments are automated and software driven, a Penetration Test is run by a Pentester, a cyber security specialist, who discovers and exploits vulnerabilities, as a real attacker would.

Pentesters use the same tools, software and skills as a real-world attacker would to exploit any vulnerabilities within your organisation, from:

  • Phishing attempts
  • hacking secure servers
  • detecting logic flaws
  • writing reports and recommendations on their finds
  • and much more.

As a penetration test is a more hands-on approach, the duration of a test can run from one day to several weeks, and the costs involved in a penetration test can be staggering to say the least.

Because Vulnerability Assessments are software based and provide a high-level overview of potential vulnerabilities, organisations can choose to run them on a monthly, quarterly or annual basis.

Penetration tests are typically run on an annual basis, depending on the sensitivity of the information held by the organisation, and provide valuable insight into existing vulnerabilities within the environment and how to mitigate those risks.

For insurance purposes, some insurers may require both, to ensure that your organisation is aware of the threats and vulnerabilities, and that there is tangible evidence that the organisation is taking the necessary steps to mitigate the risks and reduce the likelihood of its vulnerabilities being exploited.

As a Managed Services Provider, we offer vulnerability assessments that provide the information organisations need to mitigate the existing risks within their environment. For penetration testing, we can recommend organisations that can assist you with your requirements.

