IronSights

Penetration testing

Vulnerability

A weakness in a system, application, or process that could be exploited by an attacker to gain unauthorised access, cause disruption, or achieve other malicious objectives.

Also known assecurity vulnerabilitysecurity flawsecurity weakness

In plain English

A vulnerability is any flaw that an attacker could use to their advantage. This ranges from unpatched software with a published exploit, to a misconfigured firewall rule, to a process that relies on users never making a mistake. Not all vulnerabilities are equally exploitable — risk ratings account for the likelihood of exploitation and the potential impact.

Full definition

Every system has gaps between how it was designed to work and how it actually behaves under pressure. A vulnerability is one of those gaps. It might be an unpatched operating system, a misconfigured firewall rule, a web application that accepts input it shouldn't, or a shared account with a password that hasn't changed since 2019. The gap itself isn't the incident. It's what makes the incident possible.

For Australian businesses, the practical consequence is straightforward: attackers scan for known vulnerabilities constantly, using automated tools that require almost no skill to operate. When Microsoft releases a security patch, the window between that release and active exploitation in the wild can be as short as 48 hours. The addresses this directly with its patching tiers, requiring internet-facing systems to be patched within 48 hours when exploits are known to exist.

finds vulnerabilities before attackers do. A pen tester working through a environment might find that legacy authentication protocols are still enabled, that certain sites lack controls, or that a service account carries far more permissions than the role requires. Each finding is a vulnerability. None of them are incidents yet. Left unaddressed, any one of them could become one.

Keep learning

More terms in the IronSights Glossary.