Free decision tool
Do you need a penetration test or a vulnerability assessment?
They sound similar and get confused constantly — but they answer different questions, and the right choice depends on where you are today. Answer seven quick questions for a clear recommendation. Nothing is sent anywhere; it's scored right here in your browser.
Our recommendation
Start with a Vulnerability Assessment
A vulnerability assessment is a broad, systematic review of your systems that finds and ranks known weaknesses — missing patches, misconfigurations, exposed services — and hands you a prioritized list of what to fix.
Your answers point to gaps in the fundamentals. A penetration test right now would mostly rediscover issues a scan surfaces faster and far more cheaply. Get the full picture first, fix what matters, and a future pen test will deliver much more value.
You're ready for a Penetration Test
A penetration test is a human-led, goal-oriented attack simulation. Instead of just listing weaknesses, a tester chains them together the way a real attacker would — to show whether someone could actually break in, how far they'd get, and what it would cost you.
You already have the fundamentals in place, or you need to validate your defences against a specific target or requirement. That's exactly when a penetration test earns its keep: it tests reality, not theory.
Note: because a requirement specifically calls for a penetration test, this is the engagement you'll need to satisfy it.
Both — in the right order
These two services answer different questions. A vulnerability assessment asks “what weaknesses do we have?” A penetration test asks “can an attacker actually exploit them, and how far would they get?”
Your answers point to value in both — and the most cost-effective path is to sequence them: run a vulnerability assessment first to find and fix the obvious issues, then a penetration test to validate your defences against a real-world attacker. That way the test spends its time on genuine attack paths, not the low-hanging fruit a scan would have caught.
Note: a requirement specifically calls for a penetration test, so you'll still need the pen test itself — running the assessment first simply means it finds real risk instead of basic hygiene gaps.
Vulnerability Assessment
Breadth · recurring
Scans many systems to find and rank known weaknesses. Answers “what's wrong?” Best run on a regular schedule.
Penetration Test
Depth · point-in-time
A human tester simulates a real attacker, chaining weaknesses toward a goal. Answers “can someone actually get in — and how far?”