The Crucial Role of Vulnerability Assessments and Penetration Testing in Cyber Security

Written by: David Henderson on Mar 20, 2024

Organisations worldwide are under significant pressure to safeguard their digital assets from threat actors seeking to exploit them.


High-profile cyber-attacks continue to demonstrate the critical importance of conducting regular security testing, tailored to your infrastructure's specific requirements. These measures are not just a part of a comprehensive security strategy; they are essential tools in your defence arsenal. Let's explore three different scenarios to understand how significant bespoke security testing can be.

A Breach Avoidable with Vulnerability Assessment

The Equifax Data Breach 2017

In 2017, Equifax, one of the largest credit bureaus in the United States, suffered a massive data breach that exposed the personal information of 147 million people. The breach was primarily due to an unpatched vulnerability in the Apache Struts web application framework, which was publicly known and for which a patch was available months before the breach occurred.

How Could Vulnerability Assessment Have Helped?

A thorough vulnerability assessment could have identified this unpatched flaw in Equifax's network. Regular assessments, which should be a staple in the security protocols of any organisation handling sensitive data, would have highlighted the need to update the Apache Struts framework, thereby potentially preventing this catastrophic breach.

A Breach Avoidable with Penetration Testing

The Target Corporation Breach

In 2013, Target, a major US retailer, experienced a breach that led to the theft of credit and debit card information of about 40 million customers. The attackers gained access through network credentials stolen from a third-party vendor and exploited weaknesses in Target's security to move laterally within the network.

Would Vulnerability Assessment Have Been Enough?

In this case, a standard vulnerability assessment might not have been sufficient. The breach involved a more complex attack vector, utilising stolen credentials and exploiting multiple lesser vulnerabilities in a chained attack. A comprehensive penetration test, simulating real-world attack scenarios, could have uncovered the weaknesses in vendor management and internal network security. This would have allowed Target to strengthen its security posture against such sophisticated attacks.

A Breach Beyond Penetration Testing: The Need for Assumed Compromise Testing

The SolarWinds Orion Compromise

The SolarWinds breach, a sophisticated and long-undetected supply chain attack, affected numerous US government agencies and private companies. The attackers compromised the software build environment of SolarWinds' Orion product, inserting a malicious backdoor into the software updates.

Limitations of Penetration Testing in This Scenario

Even a full penetration test might not have revealed this deeply embedded, advanced persistent threat (APT). The attackers operated at a level of stealth and sophistication that surpassed typical penetration test simulations.

The Role of Assumed Compromise Testing

This scenario underscores the importance of an 'assumed compromise' approach. Organisations need to operate under the assumption that a breach could occur (or has already occurred) and focus on rapid detection, response, and mitigation strategies. Regular assumed compromise testing, combined with robust incident response planning, could have helped to identify and contain the breach more quickly, thereby mitigating its impact.

The examples given above show exactly how important it is to continuously push your security to the next level and test your capabilities before a malicious actor decides to test them for you.

We work with clients to make bespoke infrastructure testing methodologies that are designed to push your security posture to the next stage. For organisations that are at a more mature stage of the security lifecycle, our aim is to put those mechanisms to the test, identify areas of weakness, blind spots, and potential avenues of attack.

Regardless of whether you are a large organisation with a dedicated internal security team, or a small organisation struggling to gain a footing in securing your infrastructure, there are always areas for improvement and benefits from having a fresh external perspective.

Jacob Steadman | Lead Cyber Security Consultant, PhD OSCP CSTL

Conclusion

These examples illustrate the layered nature of cyber security defences. Vulnerability assessments are essential for identifying and patching known weaknesses, penetration testing goes a step further in simulating real-world attacks, and assumed compromise testing prepares you for the eventuality of a breach. Each layer plays a critical role in forming a comprehensive security strategy, underlining the importance of a multifaceted approach to cyber defence. As the threat landscape continues to evolve, so must our strategies in protecting our most valuable digital assets.


Contact us today about creating a bespoke security testing strategy that fits your network infrastructure requirements and your current security posture.
