Penetration Tests and Vulnerability Scans: What Are They and Who Needs Them?

More large organizations now require penetration tests, vulnerability scans, and annual cybersecurity audits from their suppliers.

If you sell products or services to a large company or government department, they will likely require you to complete an IT security questionnaire. One question often asked on that form is, “Do you complete an annual penetration test and vulnerability scan?” We are also seeing this question in some cyber-liability insurance policy applications. What does it mean?

Essentially, if your clients are trusting you with their data (and the data of their clients), they need to ensure you’ll take good care of it. Proper data hygiene is everyone’s responsibility.

A penetration test and a vulnerability scan are typically performed together. During a penetration test, experts outside your network try to break in. A vulnerability scan checks the inside of your network to see what could be exploited if something or someone malicious were able to connect to it. Both investigations yield a detailed set of reports, including an inventory of what was discovered, a list of installed hardware and software with known vulnerabilities, and a narrative from the professional describing his or her attempts to exploit the vulnerabilities found. The narrative lists which services were breached during the test, and the reports suggest ways the problems can be mitigated. Often a clean report, or at least documented progress towards one, is required to do business with a large entity.

Acting as a second set of eyes, Pegasus has performed these tests and presented reports to organizations with small IT departments to catch problems before they can be exploited by criminals. More and more clients (and clients of our clients) are requesting these reports on an annual basis. We have a separate team inside Pegasus that performs these scans to help ensure unbiased results. As you probably guessed, we have companies check our own systems regularly because we take our role as protectors of your data seriously.

If you’re curious to learn more, you can read about pentests and vulnerability scans on our website or contact us.