What is the difference between vulnerability assessment and penetration testing in the Annex B context?

Prepare for the DSAC-11 Annex B Test. Study with our quiz featuring flashcards and multiple-choice questions, each question accompanied by hints and explanations. Get ready to excel!

Multiple Choice

What is the difference between vulnerability assessment and penetration testing in the Annex B context?

Explanation:
The main idea here is distinguishing identification from demonstration of risk. A vulnerability assessment systematically finds weaknesses in a system (known flaws, misconfigurations, outdated software), usually through automated scans and asset inventories, and reports them as a prioritized list of candidate findings. It tells you what could be at risk but does not prove that an attacker can actually exploit it: a version-based scanner cannot see a backported patch, a compensating control, or a network restriction that blocks the exploit, so some of its findings will be false positives and others will be flaws that are present but not reachable.

Penetration testing goes a step further: after weaknesses are identified, it attempts to exploit them in a controlled, authorized, and scoped way to see whether an attacker could gain access, escalate privileges, or reach sensitive data. This demonstrates real-world exploitability and the potential impact, not just the presence of a flaw, and it separates confirmed findings from scanner noise. In Annex B contexts, the goal is to assess exploitable risk, which requires this practical validation beyond mere identification.

That is why the other statements are not correct: penetration testing is not random scanning, and it is not identical to vulnerability assessment; and while vulnerability scanning is usually automated, assessment is not an exclusively manual activity either. That distinction matters for how risk is measured: an assessment counts what might be exploitable, and a penetration test confirms what is.
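As an added example (not part of the quiz or its explanation), the following Python sketch models the two stages on a constructed inventory: an assessment stage that matches observable service banners, and a validation stage that stands in for the controlled exploitation attempt a penetration test performs. The hosts, banners, the VULN_DB entries and the EX-0001/EX-0002 identifiers are all made up for illustration; the validation step derives its answer from that constructed ground truth rather than sending any traffic.

```python
# Added example, not code from the quiz page: a toy model of why a
# vulnerability assessment and a penetration test measure different things.
# Every host, banner and vulnerability entry below is constructed for the
# example, and the EX-xxxx identifiers are placeholders, not real advisories.
from dataclasses import dataclass


@dataclass
class Service:
    host: str
    port: int
    banner: str           # what an unauthenticated network scanner can observe
    backported_fix: bool  # true patch state; invisible to a banner/version check
    auth_required: bool   # a control the scanner cannot see but an exploit must get past


# Constructed signature database: banner substring -> vulnerability metadata.
VULN_DB = {
    "ExampleFTP 1.2": {"id": "EX-0001", "severity": "high"},
    "ExampleHTTP 4.0": {"id": "EX-0002", "severity": "critical"},
}

# Constructed inventory with the three situations a banner scan cannot tell apart.
SERVICES = [
    Service("ftp01", 21, "220 ExampleFTP 1.2 ready", backported_fix=False, auth_required=False),
    Service("web01", 80, "Server: ExampleHTTP 4.0", backported_fix=True, auth_required=False),
    Service("web02", 8080, "Server: ExampleHTTP 4.0", backported_fix=False, auth_required=True),
    Service("db01", 5432, "ExampleDB 9.1", backported_fix=False, auth_required=True),
]


def assess(services):
    """Vulnerability assessment stage: identify candidates from observable banners only.

    Deliberately blind to patch state and access controls, which is exactly
    what a version-matching scanner is blind to."""
    findings = []
    for svc in services:
        for signature, meta in VULN_DB.items():
            if signature in svc.banner:
                findings.append({
                    "host": svc.host, "port": svc.port, "id": meta["id"],
                    "severity": meta["severity"], "status": "identified",
                })
    return findings


def validate(finding, services):
    """Penetration-test stage: a controlled attempt to reach the exploit
    precondition, producing the evidence a scanner alone cannot give.

    A real test would send the actual exploit under written authorization;
    here the outcome is derived from the constructed ground truth."""
    svc = next(s for s in services
               if s.host == finding["host"] and s.port == finding["port"])
    if svc.backported_fix:
        return "false_positive_patched"   # banner is old, code is fixed
    if svc.auth_required:
        return "blocked_by_control"       # flaw exists but precondition not met
    return "exploitable"                  # demonstrated, not just suspected


def risk_report(services):
    """Run both stages and return what each one would report as 'risk'."""
    findings = assess(services)
    for f in findings:
        f["status"] = validate(f, services)
    return {
        "assessment_count": len(findings),          # what the scanner alone reports
        "confirmed_exploitable": [f for f in findings if f["status"] == "exploitable"],
        "by_status": {s: sum(1 for f in findings if f["status"] == s)
                      for s in sorted({f["status"] for f in findings})},
        "findings": findings,
    }


if __name__ == "__main__":
    report = risk_report(SERVICES)
    print(f"assessment reported {report['assessment_count']} findings")
    for f in report["findings"]:
        print(f"{f['host']}:{f['port']} {f['id']} ({f['severity']}) -> {f['status']}")
    print("confirmed exploitable:", [f["host"] for f in report["confirmed_exploitable"]])
```

Running it shows the assessment reporting three findings while only one is confirmed exploitable: web01 is a version-based false positive because the fix was backported without changing the banner, and web02 has the flaw but a control blocks the exploit precondition. That gap between three reported and one confirmed is the measurement difference the explanation is about; a scanner-only count would overstate the exploitable risk.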
