312-50V10 · Question #797
Why is a penetration test considered to be more thorough than vulnerability scan?
The correct answer is B. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a. A penetration test goes beyond identifying vulnerabilities by actively exploiting them to demonstrate real-world impact, whereas a vulnerability scan only identifies and reports potential weaknesses.
Question
Why is a penetration test considered to be more thorough than vulnerability scan?
Options
- AVulnerability scans only do host discovery and port scanning by default.
- BA penetration test actively exploits vulnerabilities in the targeted infrastructure, while a
- CIt is not - a penetration test is often performed by an automated tool, while a vulnerability scan
- DThe tools used by penetration testers tend to have much more comprehensive vulnerability
How the community answered
(36 responses)- B92% (33)
- C6% (2)
- D3% (1)
Why each option
A penetration test goes beyond identifying vulnerabilities by actively exploiting them to demonstrate real-world impact, whereas a vulnerability scan only identifies and reports potential weaknesses.
Vulnerability scanners perform much more than host discovery and port scanning - they also check service versions, configurations, and known CVEs against a comprehensive signature database.
A penetration test simulates a real attacker by actively exploiting discovered vulnerabilities to gain access or escalate privileges, demonstrating actual risk; a vulnerability scan only identifies and reports potential vulnerabilities without attempting exploitation, making penetration testing more thorough in validating real-world exposure.
This reverses the reality; penetration tests are typically performed by skilled human testers using manual techniques, while vulnerability scans are the predominantly automated process.
The comprehensiveness of tool vulnerability databases is not the defining distinction; the key difference is active exploitation versus passive identification of weaknesses.
Concept tested: Penetration testing vs vulnerability scanning methodology
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.