During a vulnerability assessment (occasionally also incorrectly equated with penetration tests), one or more IT systems, for example a web application or a web service, are examined for security vulnerabilities.
The goal is to identify, as early as possible, vulnerabilities that an attacker could exploit. To do this, we draw on our toolchain and experience from penetration tests and attack simulations.
In contrast to a penetration test, the target system is mainly examined automatically in order to uncover as many problem areas as possible. In addition, although vulnerabilities are identified, no attempt is usually made to exploit them further (so-called “escalation”), as this is often time-consuming and cost-intensive.
In addition to the automated vulnerability scan, the various scan results are analyzed manually to clean up false positives and to allow an initial risk assessment.