Security Onion Solutions
The difference between a vulnerability assessment and a penetration test ultimately lies in whether you attempt to exploit the discovered vulnerabilities.
Another way to think about the blackbox/whitebox distinction: Are you acting as an external attacker (blackbox) or an insider threat (whitebox)?
Phases:
Red teams within organizations are typically less restricted than external pentesters. They have specific goals (not just “identify exploitable vulnerabilities” but something more like “obtain access to X”) and a lot more latitude.
Purple teams are most common in smaller organizations with constrained resources.
OS/software vulnerabilities are the most likely to result in privilege escalation (privesc).
That said, only ~20% of vulnerabilities have an actual exploit, and only ~2% are actually exploited in the wild.