A vulnerability assessment is a structured process of identifying, categorising, and prioritising security weaknesses across a defined set of assets. It is typically performed using automated scanners and is followed by manual triage to filter out false positives and confirm exploitability.
How it differs from a penetration test
A vulnerability assessment answers “what weaknesses exist?” using broad automated coverage. A penetration test answers “can an attacker actually exploit them, and what damage can be done?” using manual techniques to chain findings into realistic attack paths. Many organisations run continuous vulnerability assessments and commission penetration tests annually or after major changes.
Typical process
The first step is asset discovery: identifying every system in scope, including cloud instances, containers, and shadow IT. Authenticated scanning then logs into each asset to read installed software versions, configuration, and missing patches. Unauthenticated scanning probes from outside as an attacker would. Results are merged, deduplicated, and ranked by severity and business context. The final report supports remediation planning by linking each finding to a fix, an owner, and a deadline.
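The merge, deduplicate, rank and report steps above, worked through as an added example (this is not code from the original page or from any scanner vendor). It takes constructed findings from an authenticated and an unauthenticated pass over the same assets, collapses duplicates, drops findings a human has marked as false positives during triage, weights CVSS by a constructed business-criticality table, and attaches an owner and a deadline from a constructed SLA policy. The CVE identifiers, asset names, owners and SLA windows are all placeholders.

```python
"""Merge, deduplicate and rank vulnerability-scan findings into a remediation plan.

Added example, not from the original page. All assets, owners, CVE identifiers
and SLA windows below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed business context per asset: criticality (1 = low, 3 = crown jewels),
# the team that owns remediation, and whether the asset is reachable from the internet.
ASSET_CONTEXT = {
    "web-01":   {"criticality": 3, "owner": "web-team", "internet_facing": True},
    "db-01":    {"criticality": 3, "owner": "dba-team", "internet_facing": False},
    "build-07": {"criticality": 1, "owner": "ci-team",  "internet_facing": False},
}

REPORT_DATE = date(2024, 1, 1)  # constructed report date used for deadlines


@dataclass
class Finding:
    asset: str
    cve: str                      # placeholder identifiers, not real CVEs
    cvss: float
    source: str                   # "authenticated" or "unauthenticated"
    false_positive: bool = False  # set by a human during manual triage


# Constructed output of two scan passes against the same assets.
RAW_FINDINGS = [
    Finding("web-01",   "CVE-0000-0001", 9.8, "unauthenticated"),
    Finding("web-01",   "CVE-0000-0001", 9.8, "authenticated"),  # same issue seen by both passes
    Finding("web-01",   "CVE-0000-0002", 5.3, "authenticated"),
    Finding("db-01",    "CVE-0000-0003", 7.5, "authenticated"),
    Finding("build-07", "CVE-0000-0004", 9.1, "authenticated"),
    Finding("build-07", "CVE-0000-0005", 6.4, "unauthenticated", false_positive=True),
]


def dedupe(findings):
    """Collapse findings sharing (asset, cve); keep the highest CVSS and every source that saw it."""
    merged = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key not in merged:
            merged[key] = {"asset": f.asset, "cve": f.cve, "cvss": f.cvss,
                           "sources": {f.source}, "false_positive": f.false_positive}
        else:
            m = merged[key]
            m["cvss"] = max(m["cvss"], f.cvss)
            m["sources"].add(f.source)
            m["false_positive"] = m["false_positive"] or f.false_positive
    return list(merged.values())


def risk_score(item):
    """CVSS weighted by business criticality, with a further bump for internet exposure."""
    ctx = ASSET_CONTEXT[item["asset"]]
    score = item["cvss"] * ctx["criticality"]
    if ctx["internet_facing"]:
        score *= 1.5
    return round(score, 1)


def sla_days(cvss):
    """Remediation window by severity tier (constructed policy, not a published standard)."""
    if cvss >= 9.0:
        return 7
    if cvss >= 7.0:
        return 30
    if cvss >= 4.0:
        return 90
    return 180


def build_remediation_plan(findings, today):
    """Drop triaged false positives, rank by business risk, and attach owner and deadline."""
    plan = []
    for item in dedupe(findings):
        if item["false_positive"]:
            continue
        ctx = ASSET_CONTEXT[item["asset"]]
        plan.append({
            "asset": item["asset"],
            "cve": item["cve"],
            "cvss": item["cvss"],
            "risk": risk_score(item),
            "seen_by": sorted(item["sources"]),
            "owner": ctx["owner"],
            "deadline": (today + timedelta(days=sla_days(item["cvss"]))).isoformat(),
        })
    plan.sort(key=lambda row: row["risk"], reverse=True)
    return plan


if __name__ == "__main__":
    for row in build_remediation_plan(RAW_FINDINGS, REPORT_DATE):
        print(row)
```

Note how the ranking differs from a plain CVSS sort: the 9.1 finding on the low-criticality build server drops to the bottom of the list while the internet-facing web server's findings rise, which is the "business context" the paragraph refers to. The SLA deadline, by contrast, is driven by raw severity, so the build-server finding still gets the shortest fix window.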
Common tools
Network and infrastructure scanning is usually performed with Nessus, OpenVAS, or Qualys. Web application scanning uses tools such as Burp Suite Pro Scanner, OWASP ZAP, or Acunetix. Cloud configuration is reviewed with native services (AWS Inspector, Azure Defender for Cloud) or third-party platforms such as Prisma Cloud and Wiz.
Limitations
Scanners excel at known vulnerabilities (those with a CVE and a signature) but struggle with logic flaws, broken access control, and chained exploits that require human reasoning. They also generate false positives that demand human triage. A vulnerability assessment is the right baseline for ongoing hygiene but should be complemented by manual penetration testing for higher assurance.
Related terms
See also: vulnerability, Nessus, penetration testing, and exploit.