June 30, 2026
Vulnerability Assessment vs Penetration Testing: Why the Difference Actually Matters
By R. Mahathi
6 min read
Phase 2 of my VAPT learning series — after Reconnaissance & Information Gathering, it's time to talk about the two terms everyone in security mixes up.
If you've worked in or around cybersecurity, you've heard "VAPT" thrown around as one word, almost like it's a single service. But Vulnerability Assessment (VA) and Penetration Testing (PT) are two very different disciplines, with different goals, different depth, different deliverables, and very different price tags. Confusing the two is one of the most common (and costly) misunderstandings clients have when they ask for security testing.
Let's break it down properly.
What Vulnerability Assessment Actually Is
A Vulnerability Assessment is a breadth-first exercise. The goal is simple: identify, classify, and report as many known weaknesses as possible across a defined set of systems. It's automated, repeatable, and designed to be run regularly — weekly, monthly, or after every major change.
A VA tells you "this system has 40 known vulnerabilities, here's how severe each one is." It does not tell you whether those vulnerabilities can actually be chained together to compromise the network, or whether a human attacker could realistically exploit them in your environment.
Tools like Nessus and OpenVAS dominate this space. Both work by comparing software versions, configurations, and exposed services against a constantly updated database of known CVEs (Common Vulnerabilities and Exposures), and flag each match with a severity score.
What Penetration Testing Actually Is
Penetration Testing is depth-first. Instead of scanning broadly, a pentester picks a target, thinks like an attacker, and tries to actually exploit weaknesses to achieve a defined objective — domain admin, access to sensitive data, lateral movement across segments, whatever the engagement scope defines.
Where a VA stops at "this is vulnerable," a PT continues with "and here's exactly how I used that vulnerability to get further into your environment, and here's the blast radius." It's manual-heavy (even with automation assisting), it requires creativity and adversarial thinking, and it produces a narrative: an attack chain, not just a list.
This is also where frameworks like MITRE ATT&CK come in — pentesters map their actions to real-world adversary tactics and techniques so the client understands not just "what" happened but "how a real threat actor would do this."
Why Clients Confuse the Two — and Why It's a Problem
This mix-up causes real scoping and reporting issues:
A client who actually needs a PT but books a VA ends up with a long list of CVEs and CVSS scores, but no understanding of real-world exploitability or business impact. They might over-invest in patching low-risk findings while a chainable, high-risk path goes unnoticed because no one tried to chain it.
A client who books a PT but expects VA-style breadth ends up frustrated that the report only covers a handful of deep findings instead of "everything wrong" with their network — because that was never the point of a PT.
Reporting expectations differ too. A VA report is typically a spreadsheet or dashboard: asset, vulnerability, CVSS score, remediation link. A PT report is a story: initial access, privilege escalation, lateral movement, objective achieved, with screenshots and reproduction steps. Mixing up these deliverables during scoping conversations leads to scope creep, missed expectations, and sometimes contractual disputes.
The honest takeaway: VA answers "what's wrong," PT answers "can someone actually break in, and how far would they get."
CVSS Scoring: The Common Language of Severity
The Common Vulnerability Scoring System (CVSS) is what makes VA reports comparable across different scanners and organizations. It produces a score from 0.0 to 10.0 based on metrics like attack vector, attack complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability.
Generally:
- 0.1–3.9 is Low
- 4.0–6.9 is Medium
- 7.0–8.9 is High
- 9.0–10.0 is Critical
CVSS is useful but it's not the whole picture — it scores a vulnerability in isolation, not in the context of your specific network. A "Medium" CVSS finding sitting on an internet-facing admin panel with no MFA can be a far bigger real-world risk than a "Critical" CVSS finding buried three segments deep behind a firewall nobody can reach. This is exactly why risk prioritisation has to layer business context on top of the raw CVSS number.
Nessus vs OpenVAS: The Two Workhorses of VA
Both tools do the same fundamental job — automated vulnerability scanning against a CVE database — but they differ in ecosystem and depth:
Nessus (Tenable) is the industry standard for commercial VA work. It has an enormous, frequently-updated plugin library, strong compliance scanning support (CIS benchmarks, PCI-DSS checks), and a polished reporting interface. The free Nessus Essentials version caps at a limited number of IPs, which is fine for lab and learning environments but not for enterprise engagements.
OpenVAS (part of Greenbone) is the open-source alternative. It's free, fully self-hostable, and surprisingly comprehensive for a no-cost tool, though its plugin feed updates slightly differently and the interface is less polished than Nessus's. For learning VAPT fundamentals without licensing costs, OpenVAS is a great place to start before moving to commercial tooling.
Credentialed vs Unauthenticated Scans
This distinction matters more than most people realize when scoping a VA engagement.
An unauthenticated scan looks at a target exactly as an outside attacker with no credentials would see it — open ports, exposed banners, unpatched services visible from the network. It's fast and non-intrusive but only sees the surface.
A credentialed scan logs into the target using valid credentials and inspects it from the inside: installed software versions, missing patches, misconfigurations, local privilege issues. This produces dramatically more findings — often several times more — because it can see past the network perimeter into the actual state of the OS and applications.
The trade-off: credentialed scans require credential management (and trust) across every target, and they reveal more about your internal posture, which is exactly why they should be handled carefully and scoped explicitly with the client.
A good rule of thumb: unauthenticated scans approximate "what can an outsider see," credentialed scans approximate "what's actually broken on this machine." Most mature VA programs run both.
Risk Prioritisation: Turning a Long List Into an Action Plan
A VA scan against a mid-sized network can easily produce hundreds or thousands of findings. Reporting all of them with equal weight is not just unhelpful, it's a fast way to get the report ignored. Risk prioritisation is what turns raw output into something a client can actually act on, and it layers several factors on top of CVSS:
- Exploitability in the wild — is there a known public exploit, or is this actively being exploited (check CISA's KEV catalog)?
- Exposure — is the asset internet-facing or only reachable internally?
- Asset criticality — does this system hold sensitive data or sit on a path to a critical system?
- Compensating controls — is there already a WAF, segmentation, or MFA reducing real-world risk?
This is also where frameworks like ASD Essential 8 and broader TPRM (Third-Party Risk Management) thinking come in for organizations trying to prioritize beyond a single scan — mapping findings against control maturity rather than treating every CVE as equally urgent.
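The following is an added example (not code from the original post) that turns the four prioritisation factors above, plus the "Medium on an exposed admin panel can outrank a buried Critical" point from the CVSS section, into a ranking function. The multipliers are an illustrative weighting scheme chosen for this example, not a published standard, and the findings, asset names, CVE placeholders and the stand-in for CISA's KEV catalog are all constructed; a real program would pull KEV from CISA and calibrate the weights to its own environment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                                 # placeholder IDs below, not real CVEs
    cvss: float                              # base score as reported by the scanner
    internet_facing: bool                    # exposure: reachable from the internet?
    asset_criticality: int                   # 1 = low value, 2 = normal, 3 = crown jewel / on a path to one
    compensating_controls: tuple = ()        # e.g. ("mfa", "waf", "segmentation")


# Illustrative weights for this example; not a standard.
KEV_MULTIPLIER = 1.5                         # listed as exploited in the wild (CISA KEV)
EXPOSURE = {True: 1.3, False: 0.7}           # internet-facing vs internal-only
CRITICALITY = {1: 0.8, 2: 1.0, 3: 1.25}      # business value of the asset
CONTROL_DISCOUNT = 0.15                      # per compensating control
CONTROL_FLOOR = 0.5                          # controls never remove more than half the score


def priority_score(f: Finding, kev: set) -> float:
    """Layer business context on top of the raw CVSS number.
    The result is a ranking score, deliberately not capped at 10, so it must
    not be confused with a CVSS score."""
    score = f.cvss
    if f.cve in kev:                         # exploitability in the wild
        score *= KEV_MULTIPLIER
    score *= EXPOSURE[f.internet_facing]     # exposure
    score *= CRITICALITY[f.asset_criticality]  # asset criticality
    discount = max(CONTROL_FLOOR, 1 - CONTROL_DISCOUNT * len(f.compensating_controls))
    score *= discount                        # compensating controls
    return score


def prioritise(findings: list, kev: set) -> list:
    """Return (asset, score) pairs, highest priority first."""
    scored = [(f.asset, priority_score(f, kev)) for f in findings]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed stand-in for the KEV catalog: only one of the sample CVEs is "known exploited".
KEV_SAMPLE = {"CVE-PLACEHOLDER-3"}

# Constructed findings mirroring the article's scenario: a Medium on an exposed admin panel
# with no MFA, a Critical buried deep behind segmentation, and a KEV-listed High on a gateway.
SAMPLE_FINDINGS = [
    Finding("admin-portal", "CVE-PLACEHOLDER-1", 5.3, True, 3, ()),
    Finding("build-box", "CVE-PLACEHOLDER-2", 9.8, False, 1, ("segmentation", "firewall")),
    Finding("vpn-gateway", "CVE-PLACEHOLDER-3", 7.5, True, 2, ("waf",)),
]

if __name__ == "__main__":
    for asset, score in prioritise(SAMPLE_FINDINGS, KEV_SAMPLE):
        print(f"{asset:<14} priority={score:.2f}")
```

With these weights the Medium-severity admin portal (5.3 base) lands well above the 9.8 Critical on the segmented build box, and the KEV-listed gateway finding tops the list, which is the ordering a client can actually act on rather than the raw CVSS sort a scanner dashboard gives them.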
Bringing It Together
VA and PT aren't competing services; they're complementary stages of a mature security program. A solid VAPT engagement typically runs broad automated VA scans regularly to catch known issues at scale, then layers periodic, deeper PT engagements to validate whether those issues (and the gaps automated tools miss entirely, like business logic flaws or chained low-severity issues) are actually exploitable in practice.
Getting the scoping conversation right at the start — VA, PT, or both, credentialed or not, what counts as in-scope — saves everyone from mismatched expectations down the line. That clarity is honestly half the battle in any successful security engagement.
Next in this series: Scanning and Enumeration — the technical follow-up to reconnaissance, where we go from "what's out there" to "what's actually running and how do I map it."
This post is part of an ongoing VAPT learning series documenting hands-on offensive and defensive security work. Follow along for the next installment on scanning and enumeration.