Key Differences Between a Risk Assessment and Penetration Test


We often hear terms such as “Risk Assessment”, “Penetration Testing” and “Vulnerability Scanning” thrown around interchangeably, and many organisations look upon them as being the same thing. However, while they all perform very important functions, they are actually quite different from one another.

What is Vulnerability Scanning?

A vulnerability scan is an automated scan that looks for potential vulnerabilities, or weak points, in a network or environment. Generally, it is a high-level procedure and will detect potential weak points which may be exploited.

Vulnerability scans, due to their automated nature, are usually quite quick. Depending on the size of the network being scanned, it may take as little as 1-2 hours to complete.

The result of a vulnerability scan will be a report which outlines all of the issues found. These will be sorted into High, Medium and Low Severity issues. A good vulnerability scan report will detail where each issue was found, why it is an issue, and recommended actions to remedy the issue.

The “recommended actions” part of a vulnerability scan is especially important; it allows organisations to focus their efforts on the areas in need of immediate attention.

Why and When Should I Employ Vulnerability Scanning?

Vulnerability scanning is an essential tool in any organisation’s cyber defence. It is regarded as basic housekeeping to ensure good cyber-hygiene. As such, it should be employed regularly. Organisations who need to be PCI DSS compliant are required to produce a “clean” vulnerability scan once per quarter (or after any significant change to their network). A good rule of thumb is to incorporate vulnerability scanning into your monthly cyber housekeeping. This ensures regular and consistent management of your cybersecurity defences.
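As an added illustration (not code from the original post or from any scanner product) of what a practitioner does with the report described above, the following Python triages a constructed set of scan findings into High, Medium and Low buckets, lists the recommended actions most urgent first, and checks whether the last scan falls inside a chosen cadence such as the quarterly PCI DSS rhythm or the monthly housekeeping rule of thumb. The hostnames, issues and remediations are made up for this example, and the definition of a "clean" scan used here (nothing rated above Low) is an assumption, not a statement of any standard's passing criteria.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str      # "High", "Medium" or "Low", matching the report categories
    title: str
    remediation: str   # the "recommended action" a good report carries per issue


# Constructed sample findings; hostnames, ports and issues are illustrative only.
SAMPLE_FINDINGS = [
    Finding("web01.example.internal", 443, "Medium", "TLS 1.0 enabled",
            "Disable TLS 1.0/1.1 in the web server configuration"),
    Finding("db01.example.internal", 3306, "High", "Database listening on all interfaces",
            "Bind the service to the internal interface and restrict access with a firewall rule"),
    Finding("web01.example.internal", 80, "Low", "Server version disclosed in HTTP header",
            "Suppress the Server header"),
    Finding("fs01.example.internal", 445, "High", "SMBv1 enabled",
            "Disable SMBv1 on the file server"),
]

# Lower rank = more severe, so sorting by rank puts High first.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def triage(findings):
    """Bucket findings by severity, highest first; each bucket sorted by host and port."""
    buckets = defaultdict(list)
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
        buckets[f.severity].append(f)
    return {
        sev: sorted(buckets[sev], key=lambda f: (f.host, f.port))
        for sev in sorted(buckets, key=SEVERITY_RANK.__getitem__)
    }


def is_clean(findings, highest_tolerated="Low"):
    """Assumption for this example: a scan is 'clean' when no finding is rated above highest_tolerated."""
    limit = SEVERITY_RANK[highest_tolerated]
    return all(SEVERITY_RANK[f.severity] >= limit for f in findings)


def remediation_plan(findings):
    """Ordered list of (severity, host, recommended action), most urgent first."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))
    return [(f.severity, f.host, f.remediation) for f in ordered]


def scan_overdue(last_scan, today, cadence_days):
    """True when the last scan is older than the chosen cadence (90 days ~ quarterly, 30 ~ monthly)."""
    return today - last_scan > timedelta(days=cadence_days)


if __name__ == "__main__":
    for sev, items in triage(SAMPLE_FINDINGS).items():
        print(f"{sev}: {len(items)} finding(s)")
    print("clean:", is_clean(SAMPLE_FINDINGS))
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(row)
    print("quarterly scan overdue:", scan_overdue(date(2024, 1, 2), date(2024, 4, 15), 90))
```

The severity buckets are what lets a small team focus on the immediate-attention items first; the cadence check is the piece to wire into a monthly reminder so that scanning actually becomes routine housekeeping rather than an annual scramble.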

What is Penetration Testing?

While vulnerability scanning scans your network for known and potential vulnerabilities, penetration testing goes one step further; it takes these vulnerabilities and actively tries to exploit them. When you run a penetration test, you are essentially saying, “I have confidence in my cybersecurity defences, and I want you to put them to the test”.

While vulnerability scans are, generally, automated, a penetration test requires a hands-on approach. It relies on the expertise of the persons carrying out the test. As such, penetration testing takes more time and effort.

There are two types of penetration tests:

1. Internal.

2. External.


Internal penetration tests assume that the attacker has access to the internal network. Many organisations spend a great deal of time and money strengthening the wall around their network, but neglect to ensure their internal defences are just as strong. An internal penetration test can reveal how secure your organisation truly is as well as how it would fare in the event of an attack from a rogue employee, a successful phishing email, etc.


Conversely, an external penetration test assumes no access to the internal network and is designed to test your outer defences, i.e. can an attacker break into your network from outside it?

Why and When Should I Employ Penetration Testing?

Penetration tests are an excellent way to assess how secure your network is. They are especially effective at uncovering issues such as misconfigurations or poor end-user behaviours. An organisation can have excellent security tools in place, but if they are misconfigured they may be useless. This can be even more dangerous than having no security tools in place at all: if you have no tools in place, you understand you have a weakness; if you have misconfigured tools in place, however, you believe you are secure when, in fact, you are not. In short, performing a penetration test is an excellent way to confirm the effectiveness of your organisation’s end-to-end cybersecurity.

To get maximum value from a penetration test, an organisation should be confident that its security is in reasonably good shape.

Organisations should regularly (at least once a year) run penetration tests. The more tests you run, the more fine-tuned and robust your cyber defences will be. Larger organisations with more valuable data should run comprehensive penetration tests on a more frequent basis.

What is a Risk Assessment?

A security risk assessment identifies and assesses the key security controls in place in your organisation. It looks at your overall cybersecurity risk profile and gives you a more holistic view of weaknesses and areas for improvement.

While a risk assessment may sometimes include a vulnerability scan and penetration testing (or elements of these), it will also look at other areas of importance such as business continuity, access control, policies and procedures, data security, etc.

Risk assessments should, therefore, form a key part of an organisation’s risk management process.

Why and When Should I Employ Risk Assessments?

Risk assessments are an ideal way to get a view of your organisation’s security on a more holistic level. While vulnerability scans or penetration tests may tell you about weaknesses in your network defences, they will not indicate if your policies and procedures are inadequate, if your business continuity plan is insufficient or if your access control is poor.

Larger organisations should carry out their own internal risk assessments on an ongoing basis. However, small and medium organisations may not have the internal capacity to do this. In these organisations, risk assessments should be run on a regular (at least once a year) basis. Obviously, for organisations holding more sensitive information, more frequent assessments would be beneficial.


Vulnerability scanning, penetration testing and risk assessments are all tools that can be used to ensure your organisation is as secure as possible. Like all tools, some are more appropriate in some situations than others, but all are effective in their own way. Knowing how and when to use each is key.

At Stryve, our experts are happy to talk through your organisation’s requirements to see which solution best meets your needs.

About Stryve

Stryve provides cybersecurity advisory services and solutions which offer access to cybersecurity specialists and the latest cutting edge technologies. At the core of our mission is a desire to bring Fortune 500 levels of security and expertise at a price point that is affordable for small and medium businesses. We pride ourselves in offering a customer-centric service and strive to deliver excellent innovative solutions.
