Which statement best differentiates vulnerability assessment from penetration testing?

Study for the DSAC-11 Annex C Test with real-time quizzes and multiple-choice questions. Each question offers hints and explanations to enhance your preparedness. Boost your confidence and ensure success in your DSAC-11 Annex C exam!

Multiple Choice

Which statement best differentiates vulnerability assessment from penetration testing?

Explanation:
The main idea being tested is the difference between discovering weaknesses and confirming risk by actively testing defenses. A vulnerability assessment is about finding weaknesses in systems, software, configurations, and controls, usually with automated scanners, and then prioritizing them for remediation. It does not prove whether those weaknesses can be exploited in a real attack.

Penetration testing goes a step further by simulating real attacker techniques and attempting to exploit chosen weaknesses in a controlled and authorized way, so you can see whether a vulnerability can actually be leveraged to gain access or achieve other objectives. This hands-on exploitation provides concrete evidence of risk and helps prioritize remediation based on real impact.

So the statement that vulnerability assessment identifies weaknesses while penetration testing actively exploits them to verify risk best captures the distinction. The other options either blur the roles, limit scope incorrectly, or imply replacement with audits, which doesn’t reflect how these activities complement each other in security testing.

