Published On: December 28th, 2021. Categories: CISO Challenges, Compliance, IT Challenges

Penetration testing is often considered the gold standard of technical cybersecurity assessments, but for most organizations it is not the best place to start. In practice, a penetration test from a qualified third party is one of the last steps an organization takes, not the first: it is performed to validate an existing vulnerability management program and to test mitigating and compensating controls.


Unless a penetration test is explicitly required (e.g. PCI DSS 11.3, CMMC CA.4.164), it is not the best place to start. Considering the cost of an average penetration test, that budget is usually better spent establishing a sound vulnerability management program. A penetration test builds on a vulnerability assessment: it is a manual effort in which identified vulnerabilities are actively exploited to show what an attacker could actually achieve. The vulnerability assessment gives you the opportunity to identify areas of risk and remediate them before a penetration test is ever conducted. Once those fixes are in place, the penetration test validates the effectiveness of your security controls.

A Better Question to Ask

Do I want to validate the effectiveness of my controls, or do I just want to know where my issues are so I can fix them? For most organizations it is the latter.

A penetration test is a point-in-time assessment: it reflects the state of the environment on the day it was performed. Professional services firms also often do not include remediation support or re-testing without an added charge. A vulnerability management program, in contrast, tests assets on a recurring basis, so new issues are identified as they appear and fixes are confirmed on the next scan.
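To make the difference between a point-in-time result and a recurring program concrete, the following is an added example (not code from the original post or from VULNERA) of what the tracking behind a vulnerability management program has to do: compare successive scan snapshots of an asset inventory, distinguish new, fixed, persisting and reopened findings, and flag anything that has been open longer than a remediation SLA. The scan data, asset names, finding names and the SLA values are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): a minimal recurring-scan tracker
that diffs scan snapshots and reports remediation SLA breaches.  All data below
is constructed; SLA_DAYS is an assumed policy, not a value the page states."""
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLAs in days, by severity (hypothetical policy).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding: str
    severity: str


def parse_scan(text):
    """Parse constructed 'asset, finding, severity' lines into a set of Findings."""
    findings = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        asset, name, sev = (p.strip() for p in line.split(","))
        findings.add(Finding(asset, name, sev.lower()))
    return findings


class Tracker:
    def __init__(self):
        self.first_seen = {}      # Finding -> date the current open period began
        self.open_findings = set()
        self.history = []

    def ingest(self, scan_date, findings):
        """Diff this scan against the previous one and (re)start the clock on new items."""
        new = findings - self.open_findings
        fixed = self.open_findings - findings
        # A finding that was closed earlier and is back is a regression, not a new issue.
        reopened = {f for f in new if f in self.first_seen}
        for f in new:
            self.first_seen[f] = scan_date
        self.open_findings = set(findings)
        summary = {
            "date": scan_date,
            "new": len(new - reopened),
            "reopened": len(reopened),
            "fixed": len(fixed),
            "open": len(findings),
        }
        self.history.append(summary)
        return summary

    def sla_breaches(self, as_of):
        """Open findings older than their severity's SLA, worst overage first."""
        out = []
        for f in self.open_findings:
            age = (as_of - self.first_seen[f]).days
            limit = SLA_DAYS.get(f.severity, SLA_DAYS["low"])
            if age > limit:
                out.append((f, age, limit))
        return sorted(out, key=lambda t: t[1] - t[2], reverse=True)


# Constructed monthly scan snapshots of a small environment.
SCAN_SEPT = """
# asset, finding, severity
web-01, outdated-openssl, high
web-01, directory-listing, medium
db-01, default-credentials, critical
vpn-01, weak-tls-ciphers, medium
"""
SCAN_OCT = """
web-01, outdated-openssl, high
vpn-01, weak-tls-ciphers, medium
app-01, sql-injection, critical
"""
SCAN_NOV = """
web-01, outdated-openssl, high
vpn-01, weak-tls-ciphers, medium
app-01, sql-injection, critical
db-01, default-credentials, critical
"""


def run_example():
    """Ingest the three constructed scans; return per-scan summaries and breaches."""
    t = Tracker()
    summaries = [
        t.ingest(date(2021, 9, 1), parse_scan(SCAN_SEPT)),
        t.ingest(date(2021, 10, 1), parse_scan(SCAN_OCT)),
        t.ingest(date(2021, 11, 15), parse_scan(SCAN_NOV)),
    ]
    return summaries, t.sla_breaches(date(2021, 11, 15))


if __name__ == "__main__":
    summaries, breaches = run_example()
    for s in summaries:
        print(s)
    for f, age, limit in breaches:
        print(f"SLA breach: {f.asset} {f.finding} ({f.severity}) open {age}d, limit {limit}d")
```

Run as a script, it shows what a single penetration test report cannot: the October scan confirms two September fixes, November reveals that the default credentials on db-01 came back (a regression that only a recurring scan catches), and two findings are past their SLA by the time a penetration test would typically be scheduled.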

After All That, Why Perform a Penetration Test?

  • The organization has an audit or compliance mandate (PCI DSS, CMMC, etc.) requiring a penetration test.
  • The organization is aligning to a framework (e.g. NIST CSF, CIS Controls) that requires or recommends a penetration test.
  • The organization has an established vulnerability management program and wants third-party validation of that program's health.
  • A third party (a customer or partner contract, for example) specifically requires a penetration test by name.

We always recommend starting with a vulnerability assessment and then implementing a vulnerability management program. After all, continuously identifying and resolving security issues is the whole point, isn't it? Run the program for a few months, remediate what it finds, and then schedule a penetration test to validate the results.

How Does VULNERA Help?

VULNERA does the heavy lifting of setting up your vulnerability management program, so your organization can focus on what really matters: continuously addressing security issues.

When you need a penetration test, we roll up our sleeves, perform the manual exploitation, and validate your program's health.
