A vulnerability assessment is the process of finding and measuring the severity of vulnerabilities in a system. Vulnerability assessments yield lists of vulnerabilities, often prioritized by severity and/or business criticality.

Vulnerability assessments typically involve the use of automated testing tools such as web and network security scanners, whose results are typically assessed, and escalated to development and operations teams. In other words, vulnerability assessments involve in-depth evaluation of a security posture designed to uncover weaknesses and recommending appropriate remediation or mitigation to remove or reduce risk.

In contrast, penetration testing, is typically a goal oriented exercise. A pentest has less to do with uncovering vulnerabilities, and is rather more focused on simulating a real-life attack, testing defences and mapping-out paths a real attacker could take to fulfil a real-world goal. In other words, a penetration test is usually about how an attacker is able to breach defences and less about specific vulnerabilities.