After this lesson, you will be able to: Distinguish vulnerability assessments from penetration tests by scope, purpose, and reporting style.
These two terms are often confused, and getting them mixed up in a job interview is a tell that you haven't done the work. This lesson nails the distinction and tells you when to use each.
An assessment scans your environment with tools like Nessus, Qualys, or OpenVAS. Output: a long list of every potential vulnerability with severity scores. Goal: produce inventory and prioritization data. Frequency: continuous (daily/weekly). Cost: low, automated tools do most of the work.
A pen test is a human-driven attack simulation. Output: a story, 'I started here, exploited this, pivoted there, ended up with admin.' Goal: prove what an attacker could actually do. Frequency: annual or quarterly, on critical systems or after major changes. Cost: high, skilled humans for days or weeks.
Bug bounties, pay external researchers per finding (HackerOne, Bugcrowd). Red team exercises, long-running simulations of real adversaries. Purple teaming, red and blue teams working together to improve detection. Each has a place in a mature vulnerability program.
Vulnerability assessment, pen test, or red team?
Sign in and purchase access to unlock this lesson.