The approach method is different depending on the type of context in which the customer operates, the surface potentially exposed to an attack and the acceptable residual risk.
Depending on what emerged in the initial analysis phase, one or more technologies will be chosen with which to perform the vulnerability analysis by carefully evaluating the results to the customer’s context.
The technical vulnerability of an application is NOT an indicator of absolute danger, but it becomes only after careful contextualization to the business processes, the nature of the information processed and the acceptable risk for the customer.