Get in touch with us


2733 Lancaster Rd, Suite 220
Ottawa, Ontario,
K1B 0A9

Office hours

Workdays at
9:00am – 6:00pm
Call us
+1 866 657 7620
+1 613 526 4945

Let’s get connected

Get in Touch


How Vulnerability Scanning Is Used for Penetration Testing

By the time a data breach occurs, it may be too late to measure the effectiveness of your vulnerability management program. Penetration testing can help detect weaknesses – before threat actors do. Here’s how to get started.

Looking to proactively measure the effectiveness of your vulnerability management program? How can you assess the strengths and weaknesses of your program before a data breach occurs?

Penetration testing – of which vulnerability scanning is a key component – can help your organization find weaknesses, allowing you to resolve them before threat actors can exploit them.

Gauge your vulnerability assessment maturity

If you’re unsure of the maturity of your vulnerability assessment and management program, check out this short What’s Your Cyber Defender Style? quiz to see how your organization’s cybersecurity practices rank. You can also get more information about the maturity of your organization’s vulnerability assessment practices in the Cyber Defender Strategies report.

Before delving into the critical role vulnerability scanning plays within penetration testing, let’s define its purpose and how it differs from vulnerability management and assessment.

What is penetration testing?

Penetration testing is a stand-alone activity, often repeated quarterly or annually by a third party. The primary objective is to provide organizations with independent insight into the effectiveness of their vulnerability assessment and management processes.

Penetration tests generally consist of five phases:

  1. Initial engagement: Selecting a firm to conduct the penetration test and outlining goals and expectations
  2. Scoping: Establishing the targets, methodology and boundaries for the test
  3. Testing: Conducting the penetration test based on agreed-upon parameters
  4. Reporting: Reviewing the findings from the penetration test
  5. Follow-up: Tracking remediation progress and retesting

Tip: During the scoping phase, it’s best to share results from your organization’s vulnerability management program, so the third-party penetration tester has a baseline to draw accurate conclusions on the efficacy of your program.

The difference between penetration testing and vulnerability management

Penetration testing sheds light on whether the vulnerability assessment and management program is working correctly and indicates areas of improvement. For example, the penetration test provides a point-in-time view of whether environments contain known vulnerabilities. Vulnerability management, on the other hand, is ongoing and continuous.

The organization’s cybersecurity operations team is responsible for vulnerability management. They inform, drive, prioritize and verify vulnerability remediation for an organization. For this reason, the security team should perform vulnerability scans as frequently as operationally possible because the list of known vulnerabilities changes from day to day, as does their threat level.

Where does vulnerability scanning fit in?

During the testing phase of a penetration test, depending on the scope, the tester will perform vulnerability scans across an organization’s entire attack surface or a specifically targeted subset. The latter could include, but is not limited to: external networks, internal networks, cloud assets, web applications, IoT and/or OT.

These tests take two primary approaches:

  1. Blackbox testing, where no information is shared with the tester
  2. Whitebox testing, where all information about the target is shared with the tester

Nessus Professional, the most widely used vulnerability scanner in the world, can assist with both of these test types as it provides out-of-the-box templates for both credentialed and non-credentialed scanning.

Vulnerability scanning in blackbox testing

When scanning for vulnerabilities as part of blackbox testing, network sweeps are typically performed using Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP) or address resolution protocol (ARP) pings without the use of credentials. Once an asset is discovered, the scan will query any open network ports on the device to collect:

  • Operating system information about the device
  • The network services running on the device
  • The network-based vulnerabilities on the device

This information is then used to determine the vulnerabilities that reside on the target that may be susceptible to remote exploitation, which is particularly problematic for assets on an external network.

Vulnerability scanning in whitebox testing

Vulnerability scanning during whitebox testing is usually a lot more targeted, as all the information about the target is already known. This vulnerability scan would typically be performed using a credentialed vulnerability and configuration scan, whereby the scanner would remotely log in to an asset and assess any vulnerabilities or configurations that may be susceptible to exploitation with both local and remote attacks.

How can Nessus Professional help with penetration testing?

Nessus Professional has built-in templates you can use to perform both blackbox and whitebox tests quickly and easily. These templates enable credentialed, non-credentialed and configuration scanning, which support several compliance frameworks; CIS, HIPPA, DISA STIG and many others.

Tailor templates to suit the required level of testing

You can customize the templates to suit the level of testing required. For instance, you can set your preference to avoid false positives or false negatives.

To avoid false positives, Nessus Professional, by default, will only report vulnerabilities that it can confirm exist. During a penetration test, this may not be the desired output. Instead, the penetration tester may want to collect information on all possible vulnerabilities and then perform manual testing to eliminate any false positives within the results.

Also, Nessus Professional, by default, is configured to only perform safe checks, which means the scans carried out as part of the penetration test will cause no damage or downtime to the targets. The data collected during the vulnerability scans can easily be exported to assist the penetration tester in building their report using metrics like CVSS to help the organization understand the criticality of the findings.

The data collected during these tests can also be used to drive other key aspects of penetration testing. For instance, during a testing scenario, the data that has been collected can be used to map out cyberattack paths, including:

  • How an attack could breach an organization’s network
  • How a breach could traverse the network once inside
  • What key assets could be exploited – and the level of data loss that may occur

In turn, the scenarios can then be used to: 1) inform the organization where their weaknesses lie and 2) perform simulated, non-damaging attacks on the organization’s environment to test out their defenses and responses to such an attack.

Get more information

Find out how Nessus Professional can help with penetration testing.