Vulnerability Scanning, Penetration Testing, and Cyber Essentials Plus – What’s the difference?

We are often asked to describe the differences between the different levels of technical assurance that we offer, writes Director Tony Wilson.

In this blog we will focus on three different types of service and conclude with a hybrid service designed for companies with smaller budgets called a “Cyber Audit”:

  1. Cyber Essentials Plus
  2. Vulnerability Scanning
  3. Penetration Testing

Each has its own strengths and weaknesses. Note that this blog discusses the services in general terms: a penetration test can be scoped to encompass all three of the above, Cyber Essentials Plus incorporates an internal and an external vulnerability scan, and, as in our case, a vulnerability scan can be extended with manual probing so that it comes closer to a penetration test where requested.

So, we’ve established that the merits of each service can be confusing; this blog should therefore be read only as a description of how we deliver the above services, not of how other companies approach them.

There are a lot of similarities between the different methods but there are also major differences. A diagram of the overlap between them can be seen below, followed by a summary of each service:

[Diagram: overlap between Cyber Essentials Plus, Vulnerability Scanning and Penetration Testing]

Cyber Essentials Plus

This builds upon the level of assurance required by the Cyber Essentials Basic questionnaire (available on this site) and requires the Certification Body to check the configuration of firewalls, servers, endpoints and mobile devices.

The level to which the devices are checked follows prescribed test cases set out by the National Cyber Security Centre (NCSC).

The perceived threat actor is a low skilled attacker that has access to freely available tools. However, don’t be fooled by the term “low skilled”, some of the free point-and-shoot tools available online automate a lot of advanced techniques – and some are starting to incorporate Artificial Intelligence.

Abiding by Cyber Essentials is estimated to protect companies from 80% of common online threats that prey on systems that are often running out-of-the-box installations that use default credentials, old versions of software containing known vulnerabilities, etc.

The basic steps of applying security updates, changing default passwords, and closing unnecessary firewall ports would have saved many large companies the embarrassment of reputation-damaging headlines. Even the WannaCry ransomware attack that brought the NHS to its knees in 2017 would have been thwarted if companies had abided by Cyber Essentials principles and updated their operating systems with the latest security patches.

An external scan is performed as part of Cyber Essentials Plus to find weaknesses in a company’s internet-facing infrastructure. An internal scan is also conducted which generally goes beyond most penetration tests: it uses administrative privileges so that each device can tell the scanner how it is configured and which versions of software are installed, alerting management to possible areas of compromise. The theory is that, if all the findings are plugged, the adversary’s task becomes a lot harder.

This is why Cyber Essentials Plus is seen to be a protective scheme – the devices are put into a state of readiness against attacks emanating from the internet.

Cyber Essentials Certification Audits are typically performed annually but, as security never sleeps, companies sometimes also perform ongoing, lower cost vulnerability scans to ensure this level of security is being maintained.

Vulnerability Scanning

Our Vulnerability Scanning services are often used to keep companies informed of changes that may have occurred within their infrastructure, such as test firewall ports and services that were opened up but never removed, or automatic updates that were presumed to have been applied but have failed.

As mentioned in the Cyber Essentials Plus section, automated scans can be used with, or without, credentials. If a scanner is given credentials, it can go a lot further into the system to check for weaknesses.

Vulnerability scanning can produce a good overview of a company’s “attack surface”, i.e. a window into what an attacker would see during their reconnaissance phase. Securing all these points of entry means the attacker will have nowhere to go (in theory).

Some scanners can also check web applications by, for example, firing payloads into web forms and, depending on the responses, inform you whether a system is susceptible to SQL Injection (a weakness that has led to many high-profile companies hitting the headlines).

If a scanner is used incorrectly, a company may be lulled into a false sense of security. For example, a scan report may show no issues with the firewall, but if the firewall is doing its job correctly and blocks the probes after a short period of time because it believes it is under attack, an insecure FTP port may never have been checked at all, leaving it open to the world.

We use hacking techniques (slow scanning and direct probing of commonly attacked ports) where required, to ensure the best possible chance of returning quality results.
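As an added illustration (not part of the original post, and not the scanner or any product the author uses), the following Python sketch shows the two checks this section argues for: comparing a new external scan against an approved baseline to catch ports that were opened for testing and never removed, and refusing to treat a silent host as a clean one when the firewall appears to have started dropping the scanner part-way through. Every host, port, baseline entry and scan record is constructed sample data, and the record format is this example’s own, not any scanner’s output format.

```python
from collections import defaultdict

# Ports the scan is configured to probe, in probe order (constructed for this example).
PROBED_PORTS = [22, 80, 443, 21, 23, 25, 445, 1433, 3389, 8080]

# Consecutive 'filtered' results at the end of a host's probe list that we treat as
# "the firewall started dropping the scanner" rather than as genuinely filtered ports.
FILTERED_RUN_THRESHOLD = 4

# Approved baseline of what each host may expose: host -> {port: service} (constructed).
BASELINE = {
    "203.0.113.10": {25: "smtp", 443: "https"},
    "203.0.113.11": {25: "smtp", 443: "https"},
    "203.0.113.12": {22: "ssh"},
}


def _host(host, states):
    # Build (host, port, state, service) records in probe order. zip() stops at the
    # shorter list, which is how the .12 sample below loses its last two probes.
    return [(host, port, state, svc) for port, (state, svc) in zip(PROBED_PORTS, states)]


C, F = ("closed", ""), ("filtered", "")
# Constructed scan output illustrating three situations:
#  .10: a proxy left open on 8080 after testing (drift from the baseline).
#  .11: answers the first three probes, then every later probe is 'filtered', the
#       shape a firewall leaves once it blocks the scanner; FTP (21) was never checked.
#  .12: ssh is gone, and the 3389 and 8080 probes are missing from the output entirely.
SCAN_RESULTS = (
    _host("203.0.113.10", [C, C, ("open", "https"), C, C, ("open", "smtp"),
                           C, C, C, ("open", "http-proxy")])
    + _host("203.0.113.11", [C, C, ("open", "https"), F, F, F, F, F, F, F])
    + _host("203.0.113.12", [C, C, C, C, C, C, C, C])
)


def group_by_host(results):
    by_host = defaultdict(list)
    for host, port, state, service in results:
        by_host[host].append((port, state, service))
    return by_host


def find_drift(baseline, by_host):
    """Return (new_exposures, missing): open ports absent from the baseline, and
    baselined ports that did not come back 'open'."""
    new_exposures, missing = [], []
    for host, probes in by_host.items():
        open_ports = {p: s for p, st, s in probes if st == "open"}
        expected = baseline.get(host, {})
        new_exposures += [(host, p, s) for p, s in open_ports.items() if p not in expected]
        missing += [(host, p, s) for p, s in expected.items() if p not in open_ports]
    return sorted(new_exposures), sorted(missing)


def trailing_filtered_run(probes):
    """Number of consecutive 'filtered' results at the end of a host's probe list."""
    run = 0
    for _, state, _ in reversed(probes):
        if state != "filtered":
            break
        run += 1
    return run


def find_blocked_scans(by_host, threshold=FILTERED_RUN_THRESHOLD):
    """Hosts that answered early probes and then went silent. Returns host -> ports
    whose real state is unknown because the scanner was probably being dropped."""
    blocked = {}
    for host, probes in by_host.items():
        run = trailing_filtered_run(probes)
        answered_first = run and any(st != "filtered" for _, st, _ in probes[:-run])
        if run >= threshold and answered_first:
            blocked[host] = [p for p, _, _ in probes[-run:]]
    return blocked


def find_coverage_gaps(by_host, probed_ports=PROBED_PORTS):
    """Ports the scan was configured for that have no record at all for a host."""
    gaps = {}
    for host, probes in by_host.items():
        seen = {p for p, _, _ in probes}
        absent = [p for p in probed_ports if p not in seen]
        if absent:
            gaps[host] = absent
    return gaps


def build_report(baseline, results):
    by_host = group_by_host(results)
    new_exposures, missing = find_drift(baseline, by_host)
    blocked = find_blocked_scans(by_host)
    # A baselined service that 'disappeared' on a host whose scan looks blocked is not
    # evidence it is gone; keep it out of the closable findings so nobody clears it.
    return {
        "new_exposures": new_exposures,
        "missing_services": [m for m in missing if m[0] not in blocked],
        "unverified_baseline": [m for m in missing if m[0] in blocked],
        "blocked_hosts": blocked,
        "coverage_gaps": find_coverage_gaps(by_host),
    }


if __name__ == "__main__":
    for key, value in build_report(BASELINE, SCAN_RESULTS).items():
        print(f"{key}: {value}")
```

The point of the separate `blocked_hosts` and `unverified_baseline` entries is the one made above: a host that stopped answering is not a host with nothing exposed. Anything listed there should be rescanned more slowly, or probed directly on the specific ports, before the report is accepted as a clean bill of health.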

A scanner is not capable of gathering context or putting itself into a software developer’s mindset. For example, if an error message contains spelling mistakes, or a function doesn’t behave as expected, that tells the attacker that this part of the system perhaps hasn’t been sufficiently tested and may be a good area on which to focus.

To really put a company’s systems through their paces, a penetration test is required.

Penetration Test

Human decision making is required to fully test a system. There is currently no substitute for reacting to error messages, spotting inconsistencies, and then selecting the correct tool for the job.

Even the way tools are used comes into play – too aggressive and the system may lock you out (and give the impression of being secure), too soft and you may not get all the results you require in the time allocated.

The Penetration Tester builds upon the findings of the reconnaissance phase (which utilises scanning tools as required) and then attempts to exploit them, either manually or using tools designed specifically for the task in hand. Such tools would likely include network interception functions, relaying captured credentials and using payloads that are known to exploit a given vulnerability.

Penetration Testers generally work out given scenarios with clients, for example:

  • An attacker has guessed the company’s WiFi Password – what can they do now they are on the network?
  • Can our company be accessed from the internet – if so, how far can an attacker go without having any credentials?
  • A user’s machine has been compromised via a phishing attack. How far can the attacker get with the credentials of a standard user?

There are many more scenarios, including those relating to social engineering (where an attacker enters the building, pretends to be, for example, part of the maintenance team, and plugs their device into the network).

It is important to scope a penetration test correctly and be as realistic as possible – think of ways that an attacker may engage with your networks and work out which vectors should be tested.

Conclusion

All the services mentioned play a key part in securing a company’s IT infrastructure. The main takeaway is to utilise the services appropriately; our recommendation would be:

  1. Secure all devices and networks to Cyber Essentials Plus level
  2. Continually monitor for unexpected changes through vulnerability scanning
  3. Periodically test the defences with a well scoped penetration test.

We know that this solution is not for every company, especially those with limited budget, so we have devised a “Cyber Audit” service, which curates aspects of each service and delivers them as one low cost package.

For more details of our Cyber Audit package, please contact cyber@indelibledata.co.uk