Why do you need a penetration test if you already conduct vulnerability scans?

A vulnerability scan is a series of automated tests programmed to evaluate your network and applications for vulnerabilities. An automatically generated report then gives an overview of the scan's results. Automated vulnerability scans can find "already known" vulnerabilities (those with a published signature or check), but they cannot apply the logical thought process and critical reasoning needed to uncover serious security flaws.

Vulnerability scans only provide a superficial indication of potential vulnerabilities and usually do not meet international best-practice recommendations for assessing your infrastructure, network and applications.

In the first phase of a cyber attack, an attacker scans for targets with a potential vulnerability they think they can exploit. If an organisation can quickly identify how these vulnerabilities appear to attackers, it can reduce its exposed attack surface and so reduce the likelihood of attack.

Although commercial, automated products exist that can provide credible testing parameters and results, nothing replaces a hands-on, manual test conducted by a qualified, experienced penetration tester.

Penetration testers are highly skilled professionals trained to think critically and to interpret the findings of such tests. They are adept at analysing, monitoring, reviewing and making judgement calls about specific issues in order to uncover the security flaws that could pose significant threats if left undetected.

Consultant-driven tests, which combine automated scans with a battery of deeper manual tests, are more effective at identifying attack surfaces and defence postures, and therefore at determining the potential vulnerabilities that actually exist.

Because cyber criminals operate professionally, new vulnerabilities appear overnight in systems that may previously have been considered secure. That is why companies have to employ continuous monitoring to ensure their defences offer constant protection.

IT Governance's consultant-driven Level 1 Infrastructure Penetration Test and Level 1 Web Application Penetration Test combine a range of advanced manual tests by our experienced in-house penetration testers with a number of automated vulnerability scans, using multiple tools and techniques, to identify potential vulnerabilities in your infrastructure, systems and websites. Get the combined test here.