A vulnerability assessment identifies whether an organisation’s systems and applications are affected by known security vulnerabilities. It consists of one or more automated vulnerability scans, followed by a prioritised report of the vulnerabilities found, their severity and generic remediation advice. Scanning software can only identify vulnerabilities it has signatures or checks for (such as missing patches, out-of-date software versions or incompletely deployed security controls). It cannot reason about business logic, chain individually low-severity weaknesses together, or find previously unknown vulnerabilities, and its results normally need manual review to weed out false positives. Scans can cover networks, web applications and source code, and include the Approved Scanning Vendor (ASV) scans required for PCI DSS.
A penetration test has a much greater potential breadth of scope and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals, who use their experience and technical abilities to mimic the range of attacks a cybercriminal would use, targeting both known and unknown vulnerabilities. In a vulnerability scan, identified vulnerabilities are reported but not exploited. In a penetration test, the tester adapts their approach to what they find and exploits it to provide proof of exposure: demonstrated access to systems or stored sensitive information that a real attack could compromise, within the scope and rules of engagement agreed beforehand.