Vulnerability Assessment or Penetration Test – Which one should you do first?

Many organizations are still confused about what security assessments are, which ones they need, and what these assessments reveal about their own security posture. In our LANTalks conversation “Breaking Down Security Assessments” we connected with James Roberts, Cybersecurity Analyst at Cyberstone Security, and discussed everything there is to know about security assessments.

According to James, “if you are on the internet, you need a vulnerability assessment!” Why? Because within the last 10 years the security landscape has changed dramatically. Cyberattacks are no longer meant to take a stand or make a point; there are cybercrime organizations that dedicate their time and energy to finding their next victim for a quick profit. Cyber attackers are now more sophisticated than ever and can fully jeopardize a company’s reputation, which can lead to going out of business. You no longer have to be a Fortune 500 company; you can be a small CPA office in a small town with 50 employees or fewer and still be the target, because “if it’s a quick buck they’re going to go for it”.

Why do a vulnerability assessment?

Think of your business as your home. With a vulnerability assessment, you can identify your weakest points and see which “open windows”, or entryways, these attackers will exploit if they find them before you do. Once you know where your organization stands, you can act on it, “close the windows”, and deny easy access to threat actors. A vulnerability assessment keeps you one step ahead of threat actors and provides a roadmap of what you need to do to secure and protect your assets, your users, and your company.

Vulnerability Assessment vs. Penetration Test

Before you begin any assessment or test, as a company you must first identify your most valuable assets and critical targets and know exactly what you need to protect. You must also determine what cyber policies and procedures, if any, you currently have in place.

Once all that has been identified, you can move forward with a vulnerability assessment to discover any security gaps currently lingering in your environment, such as weaknesses in your operating systems and patching errors, and to identify which specific areas of your environment can be exploited. After that, you can move towards remediation and fix these newly uncovered vulnerabilities.

Once those vulnerability gaps have been remediated, patched, and secured you can now move to the pen testing phase. This is where you will exploit the first layer of your vulnerabilities and test to see what other security controls need to be in place. For example, a penetration test can identify an issue with network segmentation, which is more technical and can only be caught through such a test.

It’s recommended to begin with a vulnerability assessment to take inventory of all valuable assets and harden your environment by “locking the windows and doors” to your network and blocking access to outsiders. The pen test will then confirm whether those windows and doors are sealed tight or whether a threat actor will find other mischievous ways to enter your company’s network and cause havoc.
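The sequence described above (inventory assets, run the vulnerability assessment, remediate, then pen test) can be turned into a small, repeatable triage step. The following is an added example and is not code from LANAIR, Cyberstone Security, or the original post. The asset inventory, the findings, the field names and the risk weights are all constructed assumptions; a real scanner's export format and your own criticality ratings would replace them.

```python
"""Added example (not from the original post): turn vulnerability-assessment
findings into a prioritized remediation roadmap, and gate the penetration
test on it. All data, field names and weights below are constructed
assumptions, not any vendor's scanner format."""
from dataclasses import dataclass

# Step 1 of the article: know what you are protecting. Criticality is the
# organization's own judgement of how much losing that asset would hurt.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}


@dataclass
class Asset:
    name: str
    criticality: str        # "high", "medium" or "low" (assumed scale)
    internet_facing: bool   # the "open windows" an outsider can reach


@dataclass
class Finding:
    asset: str              # name of the affected asset
    title: str
    cvss: float             # scanner base score, 0.0 to 10.0
    patch_available: bool
    remediated: bool = False


# Constructed inventory and constructed scan results.
ASSETS = {a.name: a for a in [
    Asset("mail-gw", "high", True),
    Asset("file-srv", "high", False),
    Asset("kiosk-01", "low", False),
]}

FINDINGS = [
    Finding("kiosk-01", "Outdated browser", 6.5, True),
    Finding("mail-gw", "Unpatched mail daemon", 9.8, True),
    Finding("file-srv", "SMB signing not required", 5.3, False),
    Finding("mail-gw", "TLS 1.0 enabled", 4.3, True),
]


def risk_score(finding: Finding, assets: dict) -> float:
    """Scanner severity weighted by what the asset is worth to the business
    and by whether an outsider can reach it at all (weights are assumptions)."""
    asset = assets[finding.asset]
    score = finding.cvss * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= 1.5
    return round(score, 2)


def remediation_roadmap(findings, assets):
    """Open findings ordered by risk: the roadmap the article describes."""
    open_findings = [f for f in findings if not f.remediated]
    return sorted(open_findings, key=lambda f: risk_score(f, assets), reverse=True)


def mark_remediated(findings, titles):
    """Return a new list with the named findings closed, leaving the original
    untouched so the before/after state can be compared."""
    return [Finding(f.asset, f.title, f.cvss, f.patch_available,
                    f.remediated or f.title in titles) for f in findings]


def pentest_ready(findings, assets, max_open_score=10.0):
    """True once no open finding scores above the threshold. A pen test run
    before that point mostly re-discovers what the scanner already reported."""
    return all(risk_score(f, assets) <= max_open_score
               for f in remediation_roadmap(findings, assets))


if __name__ == "__main__":
    for f in remediation_roadmap(FINDINGS, ASSETS):
        print(f"{risk_score(f, ASSETS):6.2f}  {f.asset:10s} {f.title}")
    print("ready for pen test:", pentest_ready(FINDINGS, ASSETS))
```

The ordering shows why inventory comes first: the same CVSS 4.3 finding ranks far higher on an internet-facing, high-criticality gateway than a CVSS 6.5 finding on an isolated kiosk, and that ranking only exists once the asset list carries criticality and exposure.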

At LANAIR Technology Group we’ve had clients request a penetration test without first taking inventory of their assets or taking note of their current cyber policies and procedures. It’s impossible to create a solution or protect an environment without first knowing exactly what is at risk. That’s why we recommend starting with a vulnerability assessment before even considering a penetration test. You’d be surprised how many companies lose sight of their environment, especially with all the complexities of technology changes, dealing with multiple vendors, adding and removing users, and now adding a remote workforce to the mix. Technology is ever-changing and cyber criminals are getting more sophisticated with their targeting techniques. Stay one step ahead: request a vulnerability assessment by email or fill out the contact form on our website, and make sure you’re on track to avoid becoming the next cybersecurity victim.

Improve your overall cybersecurity posture by empowering your workforce to recognize and prevent social engineering attacks. Our FREE eBook will teach you how to design and implement a cybersecurity awareness training program that works.