Although many organizations are taking steps to reduce their cyber risk, it can often be hard to decipher where the holes are in your security posture until there is an actual breach experienced in the environment. Many small to medium sized businesses look to identify, assess, and close these gaps by performing additional assessments to better gauge risk. The two major assessments available are vulnerability scans and penetration tests.

Vulnerability scanning is the process of identifying known vulnerabilities that exist in defined systems connected to a network via an IP (Internet Protocol) address. Vulnerability scans are conducted using a device and/or software to look at a network and compare the state of the network, and more specifically all the hosts/systems on the network, to a library of known vulnerabilities. The outcome of the vulnerability scan should be a list of known vulnerabilities, some indication as to the severity or nature of the vulnerability, and actions required to remediate or close the vulnerability.

Penetration testing is the process of attempting to identify and exploit vulnerabilities in processes, systems, software, and people. A penetration test should be conducted by an independent party with no control of the systems to be tested, no influence over the design of the systems to be tested, and no stake in the outcome of the penetration test. The penetration testing firm will seek to gain access to a defined system or set of data. The purpose of a penetration test is to identify vulnerabilities and how exploitation of vulnerabilities, often in combination, might result in a breach of systems or data.

While both options are beneficial to identifying the weaknesses in a business’s cyber security, deciding which one is best for your company can be complicated. Read this article on the difference between vulnerability scanning and penetration testing and learn why each is advantageous, and which one is best for your company.