Cyber Resilience

Continuous Vulnerability Assessment vs Penetration Testing Pros & Cons

09 February 2021 | Scott Nursten

We put Continuous Vulnerability Assessment and Penetration Testing side-by-side and discuss the pros and cons of each approach.

Firstly, let's clear up what is meant by each, then we'll see where they belong in your cyber resilience strategy.

Continuous Vulnerability Assessment

Continuous Vulnerability Assessment (CVA) is all about using an automated platform to identify vulnerabilities in your corporate IT infrastructure.

Unfortunately, as with most technologies, this is delivered in a dramatically different fashion by a number of different vendors who all have differing approaches to the challenge. The key things that a CVA platform should provide are: 

  1. Regular, automated scanning of infrastructure
  2. Clear risk prioritisation
  3. Patch management / remediation assistance or automation
  4. Live dashboards / maps of risk with integrated threat feeds

In addition, it's our belief that a good CVA platform should also provide: 

  1. Insight into configuration of common platforms highlighting weaknesses / issues
  2. Policy compliance and reporting (CIS, NIST, PCI etc)
  3. Cloud and virtual infrastructure assessment
  4. Remediation prioritisation with goals & SLAs (Cyber Essentials etc) 
  5. Ability to automate remediation / patching 
  6. Integration with service desk platforms 
  7. Ability to perform invasive & disruptive attacks

In essence, vulnerability assessment should drive your vulnerability and risk management process on a day-to-day basis.


Penetration Testing

For us, Penetration Testing should be about all the things automation can't do. Unfortunately, from our experience, we find that isn't the case. In fact, most 'pen testing' is actually just a human running a CVA platform and 'top and tailing' the output to suit the 'test'.

Don't get me wrong though, that isn't what 'pen testing' is about, it's just become an easy way to sell services and deliver them at high margin. From my perspective, a pen test can include everything that's in the CVA section - more importantly though, it's about doing everything else - for example: 

  1. Red teaming (attack simulation) 
  2. Social engineering 
  3. Dumpster diving 
  4. War-driving organisation offices / war-dialling / wireless penetration
  5. Gaining physical access to premises and delivering 'pizza of doom' style attacks

These are the things that cannot (I know, never say never) easily be automated. Beyond this, great pen testers will also offer:

  1. Blue & purple teaming
  2. Code review
  3. Architecture reviews and response planning

 

Comparison side by side

Here's a handy table for you to use when deciding what you need: 

|  | Pen test | CVA |
| --- | --- | --- |
| On-going risk and vulnerability management | 🙈 | 👍 |
| Improved remediation & patching | 🙈 | 👍 |
| Continuous visibility for certifications (like Cyber Essentials) | 🙈 | 👍 |
| Automated asset management / alerting | 🙈 | 👍 |
| Gamification of SLAs with integration into service desk | 🙈 | 👍 |
| Visibility into changes in your infrastructure | 🙈 | 👍 |
| Understanding the human factors in your security | 👍 | 🙈 |
| Testing your physical security | 👍 | 🙈 |
| Ensuring IoT, wireless, phone systems are secure | 👍 | 🙈 |
| Testing your disposal/destruction process | 👍 | 🙈 |
| Testing your incident response capability | 👍 | 🙈 |
| Understanding your external data footprint | 👍 | 🙈 |

 

What's clear to see from this comparison is that there are good uses for both approaches - just don't pay pen testers to do a job that can easily be automated.

Likewise, it's clear that CVA helps eliminate A LOT of risk, but there are still elements that can't be controlled through automation.
