The pen test we do through Nessus is passive, our goal is to identify and report the vulnerabilities we find and allow you to close the holes and harden your systems. A majority of vendors find passive pen test results sufficient but some require active pen test results. We don’t do active pen testing because of the risk and liabilities involved. – Recent Communication From A Security Vendor
Who shall remain nameless. There is a difference between penetration tests and security vulnerability scans. The two do not meet. Neither does an admission of a passive pen test or an annual security vulnerability scan being acceptable to the majority. I’ve never heard those words in the same sentence.
This kind of misinformation to score the deal is ugly. Not only is it a risk to the organization writing the check, but it’s your reputation on the line for signing the deal. Only good security people will see through this…