Vulnerability Management and Penetration Testing: Which Do I Need?

Sam Reed

"Do I (or does my client) need a penetration test or a vulnerability management solution?"

This is one of the most common questions we get asked, in one form or another.

And it's a question that we're uniquely qualified to answer. Our team has performed thousand of penetration tests and worked hands-on with countless vulnerability management programs.

We leveraged this experience to build our own identity-based vulnerability management solution to address the gaps we saw in traditional vulnerability management.

To us, the distinction between the two is clear. This will be a quick read.

Defining Vulnerability Management and Penetration Testing

First, it's important to note that "penetration testing" is not a technical term. Rather, it's a broad category of services. There are countless ways to hack an environment, just like there are many types of penetration tests.

For the sake of this article, we'll use a broad and encompassing definition.

Vulnerability management

Vulnerability management is an ongoing process of identifying, assessing, prioritizing, and remediating vulnerabilities in an IT environment.

And repeating that process on a continuous basis - hopefully daily.

Penetration testing

A penetration test is a point-in-time evaluation of an organization's security controls. 

These evaluations are performed by offensive security professionals, or ethical hackers, who carry out a simulated attack based on a specific objective.

Comparing Vulnerability Management and Penetration Testing

Both practices aim to find security vulnerabilities, but they use different methods to do so.

The above definitions should begin to highlight some of the distinctions. Namely, the cadence, ability to automate, and intended goals.

  • Vulnerability management is continuous; penetration testing is periodic
  • Vulnerability management uses automated scans; penetration testing is manual
  • Vulnerability management works to lessen risk. Penetration testing confirms security measures against actual attacks.

To us, the clear distinction lies in the manual component of a penetration test. 

During a penetration test, the "attacker" moves through a system using methods like privilege escalation and lateral movement to achieve their intended objective. They find information and use it to find even more information, leading to a specific outcome. In addition to computer systems, it tests organizational, security, and people systems.

It's an exercise of creativity, and by its nature cannot be automated.

The Takeaway

It's not uncommon for a client to ask us for one, when they need the other.

With penetration tests often starting in the tens of thousands of dollars, the stakes to get it right are high.

But one is not inherently better than the other. For some clients a comprehensive simulated real-world attack is better, or possibly required. For others, an automated and continuous vulnerability management program better solves their problem.

The point being, the "right" approach is entirely dependent on the individual organization and their goals.

Never miss an article

Thank you! Your submission has been received!
There's been an error

Don't just take our word for it.

"Shield will enable us to increase our vulnerability management services 4-fold over the next 12 months. It’s the only solution that combines the security features we require with the automations and user-friendliness to scale the business at our target rate."

Vince Mazza

Chief Executive Officer, Guard Street Cybersecurity

"Shield has dramatically improved our ability to report to non-technical stakeholders. We can easily show our clients their environment in real time. We can point out where and how an attack could happen. And we can instruct them on how to prevent an attack. All automatically produced within the Shield platform."

Doug Miller

Chief Executive Officer, Brightworks

"We were looking for a vulnerability management solution that was both security-focused and intuitive. Shield checks both boxes. The support and attention to detail from the Shield team is a huge added bonus."

Nathan Welch

IT Manager, Intrasect

"Shield Cyber allows you to see your network as an attacker would see it. You can gain visibility into the connected vulnerabilities across all your assets, and understand how they can be exploited by attackers."

Ben Card

Chief Information Security Officer, Webcheck

Read the full review →

Starting with Shield is simple, fast, and free.

Book a demo