
Tenable Blog


How Vulnerability Scanning Is Used for Penetration Testing

By the time a data breach occurs, it may be too late to measure the effectiveness of your vulnerability management program. Penetration testing can help detect weaknesses – before threat actors do. Here’s how to get started.

Looking to proactively measure the effectiveness of your vulnerability management program? How can you assess the strengths and weaknesses of your program before a data breach occurs? 

Penetration testing – of which vulnerability scanning is a key component – can help your organization find weaknesses, allowing you to resolve them before threat actors can exploit them. 

Gauge your vulnerability assessment maturity

If you’re unsure of the maturity of your vulnerability assessment and management program, check out this short What’s Your Cyber Defender Style? quiz to see how your organization’s cybersecurity practices rank. You can also get more information about the maturity of your organization’s vulnerability assessment practices in the Cyber Defender Strategies report.

Before delving into the critical role vulnerability scanning plays within penetration testing, let’s define its purpose and how it differs from vulnerability management and assessment.

What is penetration testing?

Penetration testing is a stand-alone activity, often repeated quarterly or annually by a third party. The primary objective is to provide organizations with independent insight into the effectiveness of their vulnerability assessment and management processes. 

Penetration tests generally consist of five phases: 

  1. Initial engagement: Selecting a firm to conduct the penetration test and outlining goals and expectations
  2. Scoping: Establishing the targets, methodology and boundaries for the test
  3. Testing: Conducting the penetration test based on agreed-upon parameters
  4. Reporting: Reviewing the findings from the penetration test
  5. Follow-up: Tracking remediation progress and retesting

Tip: During the scoping phase, it’s best to share results from your organization's vulnerability management program, so the third-party penetration tester has a baseline to draw accurate conclusions on the efficacy of your program.

The difference between penetration testing and vulnerability management

Penetration testing sheds light on whether the vulnerability assessment and management program is working correctly and indicates areas of improvement. For example, the penetration test provides a point-in-time view of whether environments contain known vulnerabilities. Vulnerability management, on the other hand, is ongoing and continuous. 

The organization’s cybersecurity operations team is responsible for vulnerability management. They inform, drive, prioritize and verify vulnerability remediation for an organization. For this reason, the security team should perform vulnerability scans as frequently as operationally possible because the list of known vulnerabilities changes from day to day, as does their threat level.

Where does vulnerability scanning fit in?

During the testing phase of a penetration test, depending on the scope, the tester will perform vulnerability scans across an organization’s entire attack surface or a specifically targeted subset. The latter could include, but is not limited to: external networks, internal networks, cloud assets, web applications, IoT and/or OT. 

These tests take two primary approaches: 

  1. Blackbox testing, where no information is shared with the tester
  2. Whitebox testing, where all information about the target is shared with the tester

Nessus Professional, the most widely used vulnerability scanner in the world, can assist with both of these test types as it provides out-of-the-box templates for both credentialed and non-credentialed scanning.

Vulnerability scanning in blackbox testing

When scanning for vulnerabilities as part of blackbox testing, network sweeps are typically performed using Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP) or Address Resolution Protocol (ARP) pings, without the use of credentials. Once an asset is discovered, the scan queries any open network ports on the device to collect: 

  • Operating system information about the device
  • The network services running on the device
  • The network-based vulnerabilities on the device

This information is then used to identify vulnerabilities on the target that may be remotely exploitable, which is particularly serious for assets on an external network.

Vulnerability scanning in whitebox testing

Vulnerability scanning during whitebox testing is usually much more targeted, as all the information about the target is already known. It is typically performed as a credentialed vulnerability and configuration scan: the scanner logs in to the asset remotely and assesses any vulnerabilities or configurations that may be exploitable by both local and remote attacks.

How can Nessus Professional help with penetration testing?

Nessus Professional has built-in templates you can use to perform both blackbox and whitebox tests quickly and easily. These templates enable credentialed, non-credentialed and configuration scanning, which support several compliance frameworks: CIS, HIPAA, DISA STIG and many others. 

Tailor templates to suit the required level of testing

You can customize the templates to suit the level of testing required. For instance, you can set your preference to avoid false positives or false negatives. 

To avoid false positives, Nessus Professional, by default, will only report vulnerabilities that it can confirm exist. During a penetration test, this may not be the desired output. Instead, the penetration tester may want to collect information on all possible vulnerabilities and then perform manual testing to eliminate any false positives within the results. 

Also, Nessus Professional, by default, is configured to only perform safe checks, which means the scans carried out as part of the penetration test will cause no damage or downtime to the targets. The data collected during the vulnerability scans can easily be exported to assist the penetration tester in building their report using metrics like CVSS to help the organization understand the criticality of the findings.
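The blackbox section above describes what a non-credentialed scan collects per host (operating system, listening services, network-reachable findings), and this paragraph describes exporting that data, rating it with CVSS, and using it in the report and the follow-up retest. The script below is an added example, not Tenable code: it parses a constructed `.nessus`-style XML export (the `NessusClientData_v2` / `ReportHost` / `ReportItem` layout; the `Credentialed_Scan` host tag, the hosts, plugin IDs and plugin names are sample values I assume here, not taken from a real scan), summarises findings by CVSS v3 qualitative rating, and diffs a baseline export against a retest export to show what was fixed, what is still open and what is new.

```python
"""Summarise a Nessus-style (.nessus v2 XML) export and compare a retest to a baseline.

Added example, not Tenable's code. Both XML documents below are constructed
to mimic the NessusClientData_v2 layout; hosts (RFC 5737 documentation
addresses), plugin IDs (9000xx) and plugin names are made-up sample values.
"""
import xml.etree.ElementTree as ET
from collections import Counter

BASELINE_XML = """<NessusClientData_v2>
<Report name="pentest-baseline">
 <ReportHost name="192.0.2.10">
  <HostProperties>
   <tag name="operating-system">Linux Kernel 5.4 on Ubuntu 20.04 (constructed)</tag>
   <tag name="Credentialed_Scan">false</tag>
  </HostProperties>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="900001" pluginName="SSH service detection (sample)" pluginFamily="Service detection"/>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="3" pluginID="900002" pluginName="Outdated web server (sample)" pluginFamily="Web Servers">
   <cvss3_base_score>7.5</cvss3_base_score>
  </ReportItem>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900003" pluginName="Weak TLS cipher (sample)" pluginFamily="General">
   <cvss3_base_score>5.3</cvss3_base_score>
  </ReportItem>
 </ReportHost>
 <ReportHost name="192.0.2.20">
  <HostProperties>
   <tag name="operating-system">Microsoft Windows Server 2019 (constructed)</tag>
   <tag name="Credentialed_Scan">true</tag>
  </HostProperties>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900004" pluginName="Missing OS patch (sample)" pluginFamily="Windows">
   <cvss3_base_score>9.8</cvss3_base_score>
  </ReportItem>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="1" pluginID="900005" pluginName="Insecure local setting (sample)" pluginFamily="Windows">
   <cvss3_base_score>3.1</cvss3_base_score>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>"""

# Constructed retest export: the web server was patched and the OS patch applied,
# the weak cipher and the local setting remain, and one new finding appeared.
RETEST_XML = """<NessusClientData_v2>
<Report name="pentest-retest">
 <ReportHost name="192.0.2.10">
  <HostProperties><tag name="Credentialed_Scan">false</tag></HostProperties>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="900001" pluginName="SSH service detection (sample)" pluginFamily="Service detection"/>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900003" pluginName="Weak TLS cipher (sample)" pluginFamily="General">
   <cvss3_base_score>5.3</cvss3_base_score>
  </ReportItem>
 </ReportHost>
 <ReportHost name="192.0.2.20">
  <HostProperties><tag name="Credentialed_Scan">true</tag></HostProperties>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="1" pluginID="900005" pluginName="Insecure local setting (sample)" pluginFamily="Windows">
   <cvss3_base_score>3.1</cvss3_base_score>
  </ReportItem>
  <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="900006" pluginName="Remote desktop misconfiguration (sample)" pluginFamily="Windows">
   <cvss3_base_score>6.5</cvss3_base_score>
  </ReportItem>
 </ReportHost>
</Report>
</NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return {host: {os, credentialed, services, findings}} from a .nessus v2 document."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        entry = {
            "os": props.get("operating-system", "unknown"),
            "credentialed": props.get("Credentialed_Scan", "false").lower() == "true",
            "services": set(),   # listening services seen by the scanner
            "findings": [],
        }
        for item in rh.iter("ReportItem"):
            port, proto = item.get("port"), item.get("protocol")
            if port != "0":      # port 0 = host-level (not service-bound) finding
                entry["services"].add(f"{port}/{proto} {item.get('svc_name')}")
            score_el = item.find("cvss3_base_score")
            entry["findings"].append({
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "port": f"{port}/{proto}",
                "severity": int(item.get("severity", "0")),  # 0 info .. 4 critical
                "cvss": float(score_el.text) if score_el is not None else 0.0,
            })
        hosts[rh.get("name")] = entry
    return hosts


def cvss_rating(score):
    """CVSS v3 qualitative rating bands (None / Low / Medium / High / Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def severity_summary(hosts):
    """Count scored findings per CVSS rating; informational items are skipped."""
    counts = Counter()
    for h in hosts.values():
        for f in h["findings"]:
            if f["cvss"] > 0:
                counts[cvss_rating(f["cvss"])] += 1
    return counts


def finding_keys(hosts):
    """Identity of a scored finding for diffing: (host, plugin, port/proto)."""
    return {(host, f["plugin_id"], f["port"])
            for host, h in hosts.items() for f in h["findings"] if f["cvss"] > 0}


def remediation_diff(baseline, retest):
    """Split baseline vs retest findings into fixed / still open / newly introduced."""
    before, after = finding_keys(baseline), finding_keys(retest)
    return {"fixed": before - after, "open": before & after, "new": after - before}


if __name__ == "__main__":
    base = parse_nessus(BASELINE_XML)
    for host, h in base.items():
        print(host, h["os"], "credentialed" if h["credentialed"] else "non-credentialed",
              sorted(h["services"]))
    print("baseline by rating:", dict(severity_summary(base)))
    diff = remediation_diff(base, parse_nessus(RETEST_XML))
    for bucket, keys in diff.items():
        print(f"{bucket}: {len(keys)}", sorted(keys))
```

The per-host output mirrors what the blackbox section says a scan gathers (OS, services, findings), the rating summary is the CVSS criticality view the report needs, and `remediation_diff` supports the follow-up phase: anything in `open` after a retest is a remediation gap, and anything in `new` is drift introduced between the two scans.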

The data collected during these tests can also be used to drive other key aspects of penetration testing. For instance, during a testing scenario, the data that has been collected can be used to map out cyberattack paths, including: 

  • How an attack could breach an organization’s network
  • How a breach could traverse the network once inside
  • What key assets could be exploited – and the level of data loss that may occur

In turn, the scenarios can then be used to: 1) inform the organization where their weaknesses lie and 2) perform simulated, non-damaging attacks on the organization’s environment to test out their defenses and responses to such an attack. 

Get more information

Find out how Nessus Professional can help with penetration testing.

Start your free trial now
