What is the key difference between a vulnerability assessment and a penetration test?

  1. Vulnerability assessments are more expensive
  2. Vulnerability assessments identify weaknesses; penetration tests exploit them to demonstrate impact ✓
  3. Penetration tests only examine network devices
  4. Vulnerability assessments are automated; penetration tests are always manual

Correct answer: Vulnerability assessments identify weaknesses; penetration tests exploit them to demonstrate impact

Option B is correct because a vulnerability assessment enumerates and prioritizes weaknesses in a system without attempting to exploit them, while a penetration test goes further by actively attempting to exploit those weaknesses to demonstrate real-world impact and to validate that they are truly exploitable rather than false positives (a common example is a version-based finding on a host whose fix was backported, so the banner still looks vulnerable). Option A is incorrect because cost is driven by scope and methodology rather than fixed by assessment type; in practice penetration tests are usually the more expensive of the two because of their manual, in-depth nature. Option C is incorrect because penetration tests can cover the full in-scope attack surface, including applications, social engineering, and physical controls, not only network devices. Option D is incorrect because vulnerability assessments commonly rely on automated scanners but also involve manual analysis and triage, and penetration tests routinely combine automated tools with manual techniques.
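The distinction in the explanation above, as an added example that is not part of the original question page: a version-matching assessment step flags every host whose banner matches a signature, and a validation step then attempts the actual condition to confirm which findings are exploitable. All hosts, banners, the `ExampleFTPd` product name, and the simulated login routine are constructed for this illustration; no real scanner plugin or service is involved.

```python
"""Vulnerability assessment vs. penetration-test validation (constructed example)."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    banner: str              # what a banner-grabbing scanner observes
    internet_facing: bool    # used to prioritize assessment findings
    anonymous_allowed: bool  # hidden ground truth, only the simulated service sees it


# Constructed inventory (hypothetical hosts, not real systems).
# ftp-legacy and ftp-patched expose the same banner; only ftp-legacy is misconfigured.
INVENTORY = [
    Host("ftp-legacy", "ExampleFTPd 1.0", internet_facing=True, anonymous_allowed=True),
    Host("ftp-patched", "ExampleFTPd 1.0", internet_facing=False, anonymous_allowed=False),
    Host("ftp-new", "ExampleFTPd 2.3", internet_facing=True, anonymous_allowed=False),
]

# Hypothetical scanner signature: "ExampleFTPd 1.x ships with anonymous login enabled".
SIGNATURE_PREFIXES = ("ExampleFTPd 1.",)
SEVERITY_RANK = {"high": 0, "medium": 1}


def assess(inventory):
    """Vulnerability assessment: enumerate and prioritize, never exploit.

    Matches banners against signatures and scores by exposure. Returns findings
    sorted high-severity first; none of them has been validated yet.
    """
    findings = []
    for host in inventory:
        if host.banner.startswith(SIGNATURE_PREFIXES):
            findings.append({
                "host": host.name,
                "issue": "anonymous-login-default",
                "severity": "high" if host.internet_facing else "medium",
                "validated": False,
            })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def simulated_login(host, user, password):
    """Stand-in for a real FTP USER/PASS exchange; returns 230 (ok) or 530 (refused)."""
    if user == "anonymous" and host.anonymous_allowed:
        return 230
    return 530


def validate(findings, inventory):
    """Penetration-test step: attempt the condition and keep only confirmed findings."""
    by_name = {h.name: h for h in inventory}
    for finding in findings:
        code = simulated_login(by_name[finding["host"]], "anonymous", "guest@example.com")
        finding["validated"] = code == 230
    return [f for f in findings if f["validated"]]


def report(inventory):
    """Summarize how many findings the assessment raised and how many survived validation."""
    raised = assess(inventory)
    confirmed = validate(raised, inventory)
    return {
        "assessed": [f["host"] for f in raised],
        "confirmed": [f["host"] for f in confirmed],
        "false_positives": [f["host"] for f in raised if not f["validated"]],
    }


if __name__ == "__main__":
    for key, value in report(INVENTORY).items():
        print(f"{key}: {value}")
```

The assessment raises two findings because two hosts share the matching banner, and ranks the internet-facing one higher; the validation step confirms only the host that actually accepts anonymous login, which is exactly the false-positive reduction that justifies a penetration test on top of an assessment.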

Topic: vulnerability assessment, penetration testing, security testing, cissp
