What is Vulnerability Scanning and Penetration Testing?

4th December 2018

You may have come across these services before, or heard them being mentioned, but its surprising how many people get them confused, or don’t realise they are in fact quite different in their own rights.


Vulnerability Scanning

On the technical side of things, vulnerability scanning identifies weaknesses in network devices. This can include routers, firewalls, servers, switches and software applications. It will look for both ‘potential’ flaws/weaknesses and also ‘known’ ones, where it would match it against an existing database list. This is where vulnerability scanning stops, after it has identified weak areas, it will highlight them in a report, however will not go any further and physically exploit them.

This is an automated process performed by software alone and involves no human interaction, until the report has been generated.


Penetration Testing

Although this is different to vulnerability scanning, it essentially serves a similar purpose, but doesn’t use any automation whatsoever. It will be human driven, where a specific set of elements (scope) or departments are focussed on and a number of penetrating software tools are created, specific to the environment. Essentially they are acting as a hacker and mimicking their processes (without causing damage) in order to try and gain entry. Their goal is to try and identify weaknesses in the network of devices and applications and then physically prove it, by penetrating them and getting in – just like a hacker would!

These tests are usually conducted outside of business hours, or when networks and applications are least used, which in turn, limits the impact on business operations.



If all that sounds a bit techy, there’s a simpler way of describing how it works

Imagine a wall that had various holes drilled into it. Some of these holes only went quarter or half of the way through, where as others would be drilled through completely, creating an entry point from the outside to the inside (well for uninvited insects anyway, so let’s call them hackers!).

What the vulnerability scan would do, is highlight which of the holes it believed were going all the way through and which ones were a dead end. In doing so, it will check a list of known ‘drilled holes’ and use that to create its final report, where it tells you which holes need to be investigated and confirmed, then filled with cement in order to close them off.

The Penetration Testing side of things would go a lot further and physically have a human push a very safe and friendly insect through the hole, to check it was in fact a doorway from the outside to the inside and then report whether it was successful. Once clarified, they will mix the cement themselves and fill them for you.



At the very least you should be getting a vulnerability scan done. This could save you thousands in both revenue and headache hours!

At Southern IT, we take cyber security very seriously, but appreciate penetration testing won’t be of interest to everyone. If you’re concerned about your cyber security, give us a call and we can talk through the best fit option for you, such as becoming Cyber Essentials certified, performing a vulnerability scan, or staff cyber awareness training etc.