Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for
clients who already understand they are not where they want to be in terms of security. The customer
already knows they have issues and simply needs help identifying and prioritizing them.

The more issues identified the better, so naturally a white box approach should be embraced when
possible. The deliverable for the assessment is, most importantly, a prioritized list of discovered
vulnerabilities (and often guidance on how to remediate them).

Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested
by customers who are already at their desired security posture. A typical goal could be to access the
contents of the prized customer database on the internal network, or to modify a record in an HR
system.

The deliverable for a penetration test is a report of how security was breached in order to reach the
agreed-upon goal (and often guidance on how to remediate the weaknesses used).

Vulnerability Assessment

Customer Maturity Level: Low to Medium. Usually requested by customers who already know
they have issues, and need help getting started.

Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.

Focus: Breadth over depth.

Penetration Test

Customer Maturity Level: High. The client believes their defenses to be strong, and wants to
test that assertion.

Goal: Determine whether a mature security posture can withstand an intrusion attempt from an
advanced attacker with a specific goal.

Focus: Depth over breadth.
