Compliance Security

Vulnerability and penetration testing for verifiable security

Many organisations do not have a complete overview of which of their systems are externally accessible, and even fewer know which known vulnerabilities in these systems have already been documented but not yet remediated. These gaps are precisely what attackers exploit in a targeted manner. Attacks on critical infrastructure affect organisations of all sizes, across all industries, and often without warning.

The current situation report from the German Federal Office for Information Security (BSI) highlights that the security situation in Germany remains at a tense level [1]. On average, 119 new vulnerabilities are recorded worldwide every day, while attack surfaces remain insufficiently protected [2].

This leads to a concrete problem. In addition to defending against attacks, gaining transparency over one’s own attack surface is becoming increasingly important. Only when it is clear where vulnerable systems actually exist and how critical they are can risks be meaningfully prioritised and mitigation measures effectively managed. Vulnerability assessments and penetration tests provide this clarity. They systematically examine attack surfaces before a real attacker can exploit them.

What is a vulnerability assessment?

A vulnerability assessment (VA) systematically identifies known vulnerabilities in systems, networks, applications or cloud environments and evaluates them based on their criticality. This results in a reliable overview of all attack vectors, forming the basis for vulnerability management and all subsequent security measures.

The main advantage lies in prioritisation. Security and IT teams gain visibility not only into existing vulnerabilities but also into where to act first. This is particularly valuable when resources are limited and not all findings can be addressed simultaneously.

Core components of a professional vulnerability assessment:

  • Automated scanning of IT infrastructure using specialised tools (e.g. Nessus, Qualys, OpenVAS)
  • CVE correlation and CVSS-based risk assessment of all findings (Critical, High, Medium, Low)
  • Identification of misconfigurations in operating systems, services, network components and cloud environments
  • Patch level analysis to detect outdated software versions and missing security updates
  • Network segmentation testing to identify unintended communication paths between network zones
  • Prioritised reporting with concrete remediation recommendations

When is a vulnerability assessment appropriate?

Vulnerability assessments must be performed regularly as part of continuous vulnerability management. They should also be conducted after significant system changes, such as the introduction of new systems, applications or cloud services, major infrastructure changes or migrations. Other triggers include mergers and acquisitions (IT due diligence) or as a baseline assessment before a penetration test. A re-analysis of vulnerabilities may also be required in the context of compliance requirements (e.g. DORA, NIS2, ISO 27001, BSI IT-Grundschutz).

What a vulnerability assessment does and does not do

Vulnerability assessments reveal existing vulnerabilities, but do not show how these can be combined and exploited in a real-world attack.

They provide a fact-based prioritisation, but are no substitute for a manual security assessment carried out by experienced experts. To validate actual exploitability, a penetration test is the appropriate approach.

What is a penetration test?

A penetration test (pentest) verifies whether identified vulnerabilities can actually be exploited and what the resulting impact would be. Qualified IT security experts, often referred to as ethical hackers or red team specialists, simulate targeted attacks on systems, applications or processes. The focus is not only on identifying vulnerabilities but on proving their exploitability and assessing the associated damage potential.

A penetration test shows how far an attacker could get: which vulnerabilities can be combined, how deeply they can penetrate the network, and which data or systems could actually be compromised.

This is the key difference compared to a vulnerability assessment: instead of merely identifying weaknesses, the goal is to understand what an attacker could realistically do with them.

Penetration testing approaches

Model     | Description                                                              | Typical use case
----------|--------------------------------------------------------------------------|-------------------------------------------------------
Black Box | No prior knowledge of target systems; attacker acts as an external entity | Simulation of external attackers, realistic scenarios
Grey Box  | Partial knowledge (e.g. credentials, network diagrams)                   | Insider scenarios, cloud environments, partner access
White Box | Full documentation and source code available                             | Deep analysis, secure development, code reviews

Typical scope areas in penetration testing

A penetration test can address various attack vectors. Here are the most common areas of focus:

  • External network infrastructure: firewalls, VPNs, exposed services, DMZ components
  • Internal networks: lateral movement, privilege escalation, Active Directory attacks
  • Web applications and APIs: OWASP Top 10, authentication flaws, injection attacks, business logic flaws
  • Mobile applications: iOS and Android apps, local data storage, communication security
  • Cloud infrastructure: AWS/Azure/GCP configurations, IAM vulnerabilities, storage permissions
  • Social engineering: phishing simulations, vishing, physical tests (red teaming)

Process of a professional penetration test

A pentest follows a defined methodology based on recognised standards (PTES, OWASP, BSI guidelines):

[Figure: Process diagram of a six-step penetration test]
  • Scoping and commissioning
    Definition of scope, objectives and framework conditions. A formal legal engagement is mandatory.
  • Reconnaissance
    Information gathering (active and passive) and identification of attack surfaces.
  • Vulnerability analysis
    Combined manual and automated analysis of vulnerabilities.
  • Exploitation
    Controlled attempts to exploit vulnerabilities and gain initial access.
  • Post-exploitation
    Analysis of lateral movement, privilege escalation and potential data exfiltration.
  • Reporting and retesting
    Detailed report including executive summary, CVSS-rated findings, remediation recommendations and optional retesting.

Vulnerability assessment vs penetration test

The two methods pursue different objectives. The following overview summarises the key differences.

Criterion   | Vulnerability assessment                  | Penetration test
------------|-------------------------------------------|-----------------------------------------------
Objective   | Identify and prioritise vulnerabilities   | Prove exploitability and impact
Methodology | Automated scanning and manual analysis    | Manual simulation of real attacks
Depth       | Broad coverage                            | Deep attack scenarios
Frequency   | Regular                                   | Event-driven (annually or after changes)
Effort      | Low to medium                             | Medium to high
Output      | Prioritised list of vulnerabilities       | Verified attack paths and scenarios
Compliance  | Basis for vulnerability management        | Evidence for NIS2, ISO 27001, PCI DSS, DORA

Synergistic interaction

A proactive security programme integrates both approaches into a continuous process. Organisations relying solely on regular scans may know their vulnerabilities but not which ones are truly critical in an attack scenario.

Those relying only on penetration tests risk missing newly emerging vulnerabilities between tests.

The recommended approach is continuous vulnerability assessment combined with event-driven penetration testing after major changes, annually, or in line with compliance requirements. Results from both methods should feed into a unified remediation prioritisation process, followed by retesting to validate fixes.
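The CVSS-based prioritisation listed among the core components of a vulnerability assessment, and the unified remediation prioritisation described above, can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the original text or from any scanner vendor: it bands CVSS v3.1 base scores into the standard qualitative severities, merges pentest verdicts into the VA findings by identifier, ranks the combined list, and derives the retest queue. The findings, hostnames, attack-path descriptions and the weighting constants are constructed assumptions for illustration.

```python
"""Unified remediation prioritisation across a vulnerability assessment (VA)
and a penetration test. Added example; findings, hostnames and weights are
constructed for illustration and do not come from any real engagement."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    finding_id: str                # report identifier (constructed)
    asset: str                     # hostname from the asset inventory (constructed)
    cvss: float                    # CVSS v3.1 base score reported by the VA
    externally_exposed: bool       # reachable from the Internet per external scan
    patch_available: bool          # from patch-level analysis
    verified_exploitable: Optional[bool] = None  # None: not covered by the pentest
    attack_path: Optional[str] = None            # what the pentest chained it into


# Weights are assumptions chosen for this example, not a published standard.
EXPLOITED_BONUS = 2.0        # pentest proved exploitation
NOT_EXPLOITED_PENALTY = 1.0  # pentest tried and failed: lower urgency, not zero risk
EXPOSURE_BONUS = 1.0         # reachable by external attackers


def priority_score(f: Finding) -> float:
    """CVSS base score adjusted by pentest evidence and external exposure."""
    score = f.cvss
    if f.verified_exploitable is True:
        score += EXPLOITED_BONUS
    elif f.verified_exploitable is False:
        score -= NOT_EXPLOITED_PENALTY
    if f.externally_exposed:
        score += EXPOSURE_BONUS
    return score


def merge_pentest_results(
    va_findings: List[Finding],
    pentest: Dict[str, Tuple[bool, Optional[str]]],
) -> List[Finding]:
    """Attach pentest verdicts (exploitable?, attack path) to VA findings by id.
    Findings the pentest did not touch keep verified_exploitable=None."""
    merged = []
    for f in va_findings:
        if f.finding_id in pentest:
            exploitable, path = pentest[f.finding_id]
            f = replace(f, verified_exploitable=exploitable, attack_path=path)
        merged.append(f)
    return merged


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest priority first; ties broken by raw CVSS, then by id for stability."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.cvss, f.finding_id))


def retest_queue(findings: List[Finding]) -> List[str]:
    """Findings whose fix must be validated by retesting: those the pentest
    actually exploited, since a scanner cannot confirm the attack path is closed."""
    return [f.finding_id for f in findings if f.verified_exploitable is True]


# Constructed sample data (not from any real scan or report)
VA_FINDINGS = [
    Finding("F-1", "web-01", 9.8, externally_exposed=True, patch_available=True),
    Finding("F-2", "db-02", 7.5, externally_exposed=False, patch_available=True),
    Finding("F-3", "vpn-01", 6.5, externally_exposed=True, patch_available=True),
    Finding("F-4", "ws-12", 8.8, externally_exposed=False, patch_available=False),
    Finding("F-5", "print-03", 5.3, externally_exposed=False, patch_available=True),
]
PENTEST_RESULTS = {
    "F-1": (True, "remote code execution on web-01, pivot into internal network"),
    "F-3": (False, None),  # exploitation attempted, blocked by configuration
    "F-4": (True, "lateral movement from ws-12 to an internal file server"),
}


if __name__ == "__main__":
    ranked = prioritise(merge_pentest_results(VA_FINDINGS, PENTEST_RESULTS))
    for f in ranked:
        print(f"{f.finding_id} {f.asset:9} CVSS {f.cvss:4} ({cvss_severity(f.cvss):8}) "
              f"priority {priority_score(f):5.1f} exploited={f.verified_exploitable} "
              f"patch={f.patch_available}")
    print("retest after fix:", retest_queue(ranked))
```

Note that a finding the pentest could not exploit is only moved down, never dropped: the scanner evidence still stands, and a configuration that blocked exploitation today can change. Findings the pentest never reached keep their plain CVSS ranking, which is exactly the gap continuous scanning is meant to cover between tests.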

Practical recommendation

Start with a comprehensive vulnerability assessment to establish an up-to-date baseline for your security status. Use the results to prioritise your actions and commission a penetration test that focuses specifically on critical areas and attack vectors. This will maximise the insights you gain whilst optimising the use of resources.


Regulatory requirements

Frameworks such as NIS2, ISO 27001, DORA, PCI DSS and BSI IT-Grundschutz require organisations to demonstrate that technical security measures are implemented and regularly tested for effectiveness. Failure to provide such evidence can result in fines and loss of trust from customers and regulators.

Both methods deliver documented, reproducible results that can be directly incorporated into compliance reports and audit documentation.

Quality criteria for selecting a provider

The quality of vulnerability assessments (VA) and penetration tests depends largely on the service provider’s expertise. The following criteria are key when making a selection.

  • Proven certifications: OSCP, CEH, GPEN, CREST or comparable
  • Methodological transparency: use of recognised standards (PTES, OWASP, BSI)
  • Clear contractual framework: scope, liability, confidentiality and data handling
  • Target audience-oriented reporting: executive summaries for management and technical depth for operations
  • Remediation support and retesting
  • Industry expertise in regulated sectors

Proactive security requires both approaches

Vulnerability assessments and penetration tests are not competing approaches. Rather, they are complementary pillars of an effective IT security strategy. Vulnerability assessments provide visibility and enable continuous, fact-based vulnerability management. Penetration tests demonstrate the potential actions of attackers.

Combining the two into an ongoing process establishes a robust basis for risk management, credible communication at board level and demonstrable compliance with growing regulatory requirements.


Sources

  1. BSI – Bundesamt für Sicherheit in der Informationstechnik (2025): Die Lage der IT-Sicherheit in Deutschland 2025 (Zusammenfassung). Retrieved on 08/04/2026.
  2. BSI – Bundesamt für Sicherheit in der Informationstechnik (2025): Die Lage der IT-Sicherheit in Deutschland 2025. Retrieved on 08/04/2026.