Introduction

What?

A vulnerability assessment focuses on scanning hosts for vulnerabilities as individual entities. Penetration tests might start by scanning for vulnerabilities just as a regular vulnerability assessment but provide further information on how an attacker can chain vulnerabilities to achieve specific goals.

Why?

To identify security deficiencies and deploy effective security measures to protect the network in a prioritised manner. Most of a vulnerability assessment can be done with automated tools and performed by operators without requiring much technical knowledge.

During pentesting, focus remains on identifying vulnerabilities and establishing measures to protect the network, but it also considers the network as a whole ecosystem and how an attacker could profit from interactions between its components.

How?

• Who?

• Contracts and agreements

• Disclaimers

• Scoping

• Rules of Engagement

• Target considerations

• Scheduling and scope creep

• Cloud pentesting policy restrictions