Penetration Testing vs. Vulnerability Management: Which Do I Need?

Sam Reed

"Do I (or does my client) need a penetration test or a vulnerability management solution?"

This is one of the most common questions we get asked, in one form or another.

And it's a question that we're well qualified to answer. Our team has performed thousands of penetration tests and worked hands-on with countless vulnerability management programs.

We leveraged this experience to build our own identity-based vulnerability management solution to address the gaps we saw in traditional vulnerability management.

To us, the distinction between the two is clear. This will be a quick read.

Defining Vulnerability Management and Penetration Testing

First, it's important to note that "penetration testing" is not a single, precisely defined technical term. Rather, it's a broad category of services: there are countless ways to attack an environment, and correspondingly many types of penetration test.

For the sake of this article, we'll use a broad and encompassing definition.

Vulnerability management

Vulnerability management is an ongoing process of identifying, assessing, prioritizing, and remediating vulnerabilities in an IT environment.

That cycle is then repeated continuously, ideally daily, so that newly disclosed vulnerabilities and newly added assets are caught rather than waiting for the next scheduled assessment.
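To make the "identify, assess, prioritize, remediate, repeat" cycle concrete, here is a small added example (not Shield Cyber's product code, and not from the original article) that runs two constructed scan cycles through a minimal vulnerability-management loop. The SLA days per severity band, the scoring weights, and the sample findings (hosts and `CVE-EXAMPLE-*` identifiers) are all assumptions made for illustration; a finding that a later scan no longer reports is marked remediated, and anything past its SLA is flagged as overdue.

```python
"""Minimal vulnerability-management loop over constructed scanner output.

Added example, not code from the original article. SLA windows, scoring
weights and all sample findings are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLA in days per severity band (an assumption, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to a severity band using the usual thresholds."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    internet_facing: bool
    exploit_public: bool
    first_seen: date
    last_seen: date
    status: str = "open"  # "open" or "remediated"


def priority_score(f: Finding, today: date) -> float:
    """Assess a finding: CVSS, weighted up for exposure, public exploit and SLA breach."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0  # assumed weight: reachable from the internet
    if f.exploit_public:
        score += 2.0  # assumed weight: working exploit is public
    days_overdue = (today - f.first_seen).days - SLA_DAYS[severity_band(f.cvss)]
    if days_overdue > 0:
        score += min(days_overdue / 7.0, 3.0)  # ramps up, capped at +3
    return round(score, 2)


class VulnerabilityProgram:
    """Tracks findings across repeated scans and closes ones that stop appearing."""

    def __init__(self) -> None:
        self.findings: dict[tuple[str, str], Finding] = {}

    def ingest_scan(self, results: list[dict], scan_date: date) -> None:
        """Identify: merge one scan's results, reopening or creating findings."""
        seen = set()
        for r in results:
            key = (r["host"], r["cve"])
            seen.add(key)
            if key in self.findings:
                self.findings[key].last_seen = scan_date
                self.findings[key].status = "open"
            else:
                self.findings[key] = Finding(
                    r["host"], r["cve"], r["cvss"], r["internet_facing"],
                    r["exploit_public"], first_seen=scan_date, last_seen=scan_date,
                )
        # Remediate: a previously open finding absent from this scan is treated as
        # fixed, verified by the rescan rather than by a ticket being closed.
        for key, f in self.findings.items():
            if f.status == "open" and key not in seen:
                f.status = "remediated"

    def prioritized(self, today: date) -> list[Finding]:
        """Prioritize: open findings, highest score first."""
        open_findings = [f for f in self.findings.values() if f.status == "open"]
        return sorted(open_findings, key=lambda f: priority_score(f, today), reverse=True)

    def overdue(self, today: date) -> list[Finding]:
        """Open findings that have exceeded the SLA for their severity band."""
        return [f for f in self.prioritized(today)
                if (today - f.first_seen).days > SLA_DAYS[severity_band(f.cvss)]]


# Constructed scan output for two cycles (hosts and CVE-EXAMPLE ids are made up).
SCAN_DAY1 = [
    {"host": "web01", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "internet_facing": True, "exploit_public": True},
    {"host": "db01", "cve": "CVE-EXAMPLE-0002", "cvss": 7.5, "internet_facing": False, "exploit_public": False},
    {"host": "ws03", "cve": "CVE-EXAMPLE-0003", "cvss": 5.3, "internet_facing": False, "exploit_public": False},
]
SCAN_DAY2 = [r for r in SCAN_DAY1 if r["host"] != "db01"]  # db01 patched between scans


def run_demo() -> dict:
    """Run both cycles and return the prioritized, remediated and overdue sets."""
    program = VulnerabilityProgram()
    program.ingest_scan(SCAN_DAY1, date(2024, 5, 1))
    program.ingest_scan(SCAN_DAY2, date(2024, 5, 10))
    today = date(2024, 5, 10)
    return {
        "ranked": [(f.host, f.cve, priority_score(f, today)) for f in program.prioritized(today)],
        "remediated": sorted(k for k, f in program.findings.items() if f.status == "remediated"),
        "overdue": [(f.host, f.cve) for f in program.overdue(today)],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the code makes that the definition alone does not: the second scan is what closes the db01 finding, and the critical web01 finding outranks everything else not just on CVSS but because it is exposed, has a public exploit, and is already past its seven-day SLA. Nothing here requires a human to chain findings together; that is exactly the part a penetration test adds.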

Penetration testing

A penetration test is a point-in-time evaluation of an organization's security controls.

These evaluations are performed by offensive security professionals, or ethical hackers, who carry out a simulated attack based on a specific objective.

Comparing Vulnerability Management and Penetration Testing

Both practices aim to find security vulnerabilities, but they use different methods to do so.

The definitions above already point to the main distinctions: cadence, how much of the work can be automated, and the intended goal.

  • Vulnerability management is continuous; penetration testing is periodic and point-in-time
  • Vulnerability management relies on automated scanning; a penetration test may use scanners for reconnaissance, but the exploitation and chaining of findings are manual
  • Vulnerability management works to reduce risk by closing known weaknesses. Penetration testing validates whether security controls actually hold up against a simulated real-world attack.

To us, the clear distinction lies in the manual component of a penetration test.

During a penetration test, the "attacker" moves through the environment using techniques such as privilege escalation and lateral movement to reach their objective. Each piece of information they gather leads to the next, until they arrive at a specific outcome. Beyond the computer systems themselves, this also exercises the organization's processes, security controls, and people.

It's an exercise in creativity, and that objective-driven chaining of findings is the part that, by its nature, cannot be automated.

The Takeaway

It's not uncommon for a client to ask us for one, when they need the other.

With penetration tests often starting in the tens of thousands of dollars, the stakes to get it right are high.

But one is not inherently better than the other. For some clients a comprehensive simulated real-world attack is better, or possibly required. For others, an automated and continuous vulnerability management program better solves their problem.

In short, the "right" approach depends entirely on the individual organization and its goals.

Sam Reed

Head of Growth @ Shield Cyber
