Security Onion Solutions
The difference between a vulnerability assessment and a penetration test ultimately lies in whether you attempt to exploit the discovered vulnerabilities.
Another way to think about the blackbox/whitebox distinction: Are you acting as an external attacker (blackbox) or an insider threat (whitebox)?
Red teams within organizations are typically less restricted than external pentesters. They have specific goals (not just “identify exploitable vulnerabilities”, but something more like “obtain access to X”) and a lot more latitude.
Purple teams are most common in smaller organizations with constrained resources.
OS and software vulnerabilities are the most likely to result in privilege escalation (privesc).
That said, only ~20% of vulnerabilities have an actual exploit, and only ~2% are actually exploited in the wild.