A square is a rectangle but a rectangle is not a square. That saying always confused me in school and reminds me of the confusion in the market place between vulnerability assessments and penetration tests. A penetration test is a vulnerability assessment but a vulnerability assessment is not a penetration test. As I speak to organizations that want to test the security of their technology infrastructure I ask “Do you want a vulnerability assessment or a penetration test?” I receive responses ranging from “aren’t they the same” to “I don’t know you tell me”. There are key differences between the two depending upon the purpose of the project. I would like to outline the purpose of the two projects and when you would select each.