Why would I want to hire you someone to “hack my stuff”? The technology infrastructure of most organizations, even smaller ones, can be extensive with a mix of employees, vendors and third party contractors all having varying levels of access to everything from the website to the firewall to leased printers and more. It can be difficult to ensure that everyone is doing their part to keep everything up to date and secure and, if there is a problem, it’s easy for people to point fingers at someone else. It can also easy for an attacker to identify vulnerabilities that have been overlooked (the internal IT department thought that the web development company patched it, the web development company thought that the hosting company patched it and the hosting company included language in their terms of service [that no one reads] saying that it’s not their responsibility) that can be leveraged to compromise the organization. A vulnerability assessment is an easy way to see the organization the way an attacker sees it and patch the vulnerabilities before they can be exploited by a malicious attacker.
For more information on the differences between a vulnerability assessment and a penetration test, see our previous post here.