Vulnerability Assessment

According to NIST Special Publication 800-53 (Rev), a vulnerability assessment is a “Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.”

In short, a vulnerability assessment is an analysis of a system that focuses on finding vulnerabilities and prioritizing them by risk. The verification of identified vulnerabilities is left to the output of tools and the analyst's best judgment. The validation or exploitation of a vulnerability is not performed during a vulnerability assessment.

When compared with Red Team engagements, vulnerability assessments are like good housekeeping. The mitigations applied as a result of a vulnerability assessment are an effort in attack surface reduction, intended to reduce a threat's ability to take advantage of an identified flaw. A Red Teamer or threat assumes these types of assessments are being performed and their findings mitigated appropriately. These mitigation steps do affect the threat landscape and may reduce attack paths, but they do not directly address the threat. It's best to consider vulnerability assessments as an effort in attack surface reduction.

Consider This

Red Teams rarely, if ever, run standard vulnerability assessment tools. These tools are loud and generate more traffic than a Red Team engagement is willing to accept. If a vulnerability assessment tool MUST be used, either the type of security assessment being conducted should be questioned, or the tool should be run with high focus from a "burned" attack location. Vulnerability assessments are still a critical component of a security program, but they are quite different in scope and goals from a Red Team engagement.