Most of the time, in practice, a security audit simply involves a vulnerability assessment using automated tools. However, there are significant differences between a vulnerability assessment and a penetration test: a vulnerability assessment can be done using a security scanner, while a pentest should rely on the tester’s know-how and on manual methods of finding and exploiting vulnerabilities. In other words, one is like checking a wall for visible cracks, while the other amounts to applying the right amount of pressure to check the real strength.
In most cases, the automated tools that are used all tend to employ the same testing patterns, vulnerability signatures and reporting mechanisms. However, as IT infrastructures grow in complexity and more companies than ever migrate to web-based, custom-tailored applications, these automated tools are becoming less effective at finding security breaches, and their scan results are correspondingly less accurate.
We believe that providing security-audit services based solely on automated tools is an incomplete approach; our service, therefore, is much more proactive, and is based on a real attacker's perspective, rather than that of a ‘typical’ network administrator, whose approach is primarily a defensive one. In effect, we think like the burglar, not the homeowner!