A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is a detailed, hands-on examination by a real person who tries to detect and exploit weaknesses in your system.

Penetration testing enables IT security teams to demonstrate and improve security in networks, applications, the cloud, hosts, and physical locations.

It is important that penetration testing activities do not break the environment. Sometimes pentesters work against live production systems, and sometimes they work against sandbox environments, depending on the goals of the test, the availability of a sandbox environment, and the potential impact on the production system.

Pentesting is performed with or without privileged credentials, depending on the objectives of the test.

Penetration testing was historically performed from the perspective of an unprivileged or anonymous user. Today, the deepest dive into an application may require privileged login access, the application's source code for manual review, and control of the operating system hosting the application.

Although a penetration test is sometimes called a vulnerability assessment, many security vulnerability assessments use only automated scanners and do not simulate a skillful, determined human attacker.

Pentesting also differs from a dynamic scan, which relies only on vulnerability scanning technologies and not on human intuition. Penetration testing is also different from what many software developers call a security test or security assessment, which is often a secure code review or static application security testing.

Benefits of penetration testing

The primary benefit of penetration testing is to inform security efforts so that the environment can be hardened proactively. Penetration testing reveals an organization's security weaknesses and rates and prioritizes vulnerabilities by the severity of the outcome weighed against the likelihood of such an attack. If you don't know where your network weaknesses are, you won't be able to protect your organization against a breach.