There's vulnerability assessment and penetration testing, but what about vulnerability analysis? Before you tell me that I'm just playing with words, stop for a sec and consider: it's one thing to assess what vulnerabilities may be in a system. It's quite another to analyze and understand them. Sometimes assessing is enough. All you really want to know is if the vulnerabilities are there. Certainly, you may want to attempt to exploit the vulnerabilities and see if they can lead to penetration. That's today's standard practice.