What is the difference between vulnerability assessment and penetration testing in the Annex B context?


Multiple Choice

What is the difference between vulnerability assessment and penetration testing in the Annex B context?

Explanation:

The main idea here is distinguishing identification from demonstration of risk. A vulnerability assessment is about systematically finding weaknesses in a system—known flaws, misconfigurations, and outdated software—usually through automated scans and inventories. It tells you what could be at risk but doesn’t prove that an attacker can actually exploit it.

Penetration testing goes a step further: after weaknesses are identified, it attempts to exploit them in a controlled, permissioned way to see if an attacker could gain access, escalate privileges, or reach sensitive data. This demonstrates real-world exploitability and the potential impact, not just the presence of a flaw. In Annex B contexts, the goal is to assess exploitable risk, which requires this practical validation beyond mere identification.

That’s why the other statements aren’t correct: penetration testing isn’t random scanning and isn’t identical to vulnerability assessment; while vulnerability scanning is often automated, it isn’t exclusively manual, and that distinction matters for how risk is measured.
