There are topics in cybersecurity that can be left to individual interpretation and debate, such as choosing the best possible password policies. The goal of this article is not to argue such an opinionated topic, but rather to educate on a couple of cybersecurity practices that are extremely binary, yet very commonly misinterpreted.
Regardless of your industry, you’ve likely heard both of these terms come up in discussions around compliance. Most regulatory bodies are increasing their enforcement of cybersecurity, and generally require companies to run both a vulnerability scan and a penetration test annually. Even without a compliance need or regulators on your back, both practices are paramount for understanding your risk.
Suffice it to say that there are third-party vendors out there selling vulnerability scans under the guise of penetration tests, so it's important to know which is which, and what questions you should be asking.