3 min reading
Wed Jan 19 2022

Attack Surface Management versus Vulnerability Scanning versus Penetration Testing

Silvana Precup

These are three of the most important IT security processes. Efficient separately, but better together.

If your organization is in need of immediate cyber security added value than these are your best bet.

This blog post walks you through each process, from general to in depth and from the least expensive to the more expensive. At the end there is a PRO/CON conclusion to help you decide on what could work for your organization.

How they add cyber security value

Attack Surface Management is a cybersecurity exercise where software tools are used to continuously monitor the digital infrastructure of an organisation. The goal is to have visibility on the exposure of known and unknown assets, in order to mitigate risk and reduce the attack surface. So the value added is having a big picture view of the vulnerabilities, hacker's attack vectors, and cyber security risks of exposed assets.

Vulnerability Scanning is a security exercise where a cyber-security technical expert tries to  detect and classify technical vulnerabilities or points of exploitation in network devices, computer systems, and applications. The scans are compared against a database of known vulnerabilities to see security gaps in networks, systems, and applications to be patched and fixed. The result is a list of known confirmed or potential vulnerabilities, what their impact is, and how to remediate them. Often, this result is fed into risk management and patch management practices.

Penetration testing or Pen Testing is a security exercise where a cyber-security technical expert tries to find and exploit vulnerabilities in a system. The idea behind is to simulate a cyber attack and identify any technical weaknesses in a system’s defenses, which attackers could exploit to steal information or cause business disruption. The result is a pen test report scoring the findings and recommendations for remediation. Often, this result is not only fed into risk and patch management, nor into the secure development lifecycle practice.

Where Attack Surface Monitoring meets Vulnerability Scanning

Used together these two processes can ensure a good-as-it-gets visibility for an organization's digital assets, in an approach similar to that of the attackers.

The result is the big picture of all web interfaces exposed and hosted services. Attack Surface Monitoring successfully meets Vulnerability Scanning when you can discover critical vulnerabilities in areas easily missed before the attackers can use them.

The shift in paradigm is from defensive to offensive, and trying to scan and monitor as an attacker would. In an attacker’s world, this means running reconnaissance automated tools to cover as many assets as possible in order to identify which different assets can be attacked and how.

Where Pen Testing meets Vulnerability Scanning

Vulnerability Scanning identifies systems, devices, and applications that have known vulnerabilities. While this process might include some level of vulnerability exploitation, vulnerability scans are not equivalent to Pen Testing. In fact, most full-scale penetration tests will include a vulnerability scan as a part of the broader process.

As such, vulnerability scans map exploitable conditions and lay the groundwork for penetration testing, where the tester behaves like a threat actor and attempts to compromise a device, system, service or application.

At a more granular level, penetration tests can be very thorough in examining network and application security. The goal is to infiltrate a business in such a way a real world attacker would, to find a possibility of compromise and exploit it.

Conclusion - which is best for your organization

Depending on the size and industry of the organization they can be mandatory requirements from authorities and regulators. This could be a good starting point - to check if your organization is subject to any regulatory requirements.

Secondly, when the scope and budget are decided on, there are a few things to keep in mind.

Try to have a cybersecurity strategy around the three processes which works for your risk management or third party risk management processes. At the end of the day, the goal is to have a well-oiled management of IT security risks.

Budgeting for Vulnerability Scanning and Pen Testing is more common, which shouldn’t happen at the expense of leaving out Attack Surface Monitoring. Try to include the latter in the cybersecurity budget as soon as possible.

Attack surface monitoring


  • Scans continuously and discovers new assets linked to your company whilst providing a first risk idea at a fraction of the cost of the others
  • The results should/could be used as input for Vulnerability Scanning and Penetration Testing, seeing these latter are scope and time limited and Attack Surface Monitoring isn’t.


  • It might require a learning curve or a dedicated technical expert.

Vulnerability Scanning (VS)


  • Less expensive than penetration testing, easy to perform, and can be run on a regular, automated basis.
  • More expensive than Attack Surface Monitoring
  • Discovered security gaps in networks, systems, and applications helps focus patching efforts and ultimately improving the security of the IT organization.


  • Used in isolation can give a false sense of security

Penetration Testing (PT)


  • Performed only once in a while, so it does not require process management like the others.
  • Findings and recommendations for remediation can be real value for money.


  • The cost is higher than Vulnerability Scanning and Attack Surface Monitoring

If you need help getting started, Ceeyu can support you take the first steps. Connect with us via [email protected]

Silvana Precup


Cybersecurity professional experienced in cross-functional roles bridging between top management, risk functions, IT and security operations teams. With a knack for TPRM and digital footprint.


EU’s NIS 2 Directive to improve cybersecurity across European businesses

May 24, 2022 • 2 min reading

Subdomain enumeration tools and techniques

May 5, 2022 • 11 min reading

Why your digital footprint matters

April 20, 2022 • 12 min reading