Vulnerability Scan Analysis
Triage a vulnerability scan report by actual business risk — not just CVSS scores. Identify false positives, contextualize findings against the environment, and build a prioritized remediation plan.
What You’ll Practice
- Distinguishing scanner severity from real-world risk based on asset exposure, data sensitivity, and compliance scope
- Identifying false positives caused by version string mismatches, platform misidentification, and backported patches
- Contextualizing CVSS scores against network architecture (internet-facing vs. internal, segmented vs. flat)
- Making risk-based prioritization decisions under competing constraints
How the Exam Tests This
Objective 4.9 asks you to “use data sources to support an investigation.” CompTIA expects you to analyze scan output, correlate it with environmental context, and prioritize by actual impact — not sort by CVSS and call it done. PBQs may present you with a scan report and ask which finding to address first.
Scoring
Each finding is scored on whether you correctly assess its true risk level. False positive identification is tracked separately. Scenarios randomize each session.
MISSION
You've received a vulnerability scan report. Your job is to prioritize findings by actual risk — not just CVSS score.
For each finding, consider:
- Is the asset internet-facing or internal?
- What data does it handle? Is it in compliance scope?
- Is the finding even real, or is the scanner wrong?
- Does the CVSS score match the actual business risk?
HOW IT WORKS
1. Read the org description and understand the environment
2. Review each finding — asset, CVSS, description
3. Assign a true risk level: Critical, High, Medium, Low, or False Positive
4. Review your assignments, then submit for scoring
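As an added illustration of the triage steps above (not part of the exercise or its scoring), here is a small Python model that applies the four questions to constructed sample findings. The asset names, CVE ids and version strings are placeholders, and the one-band-up/one-band-down adjustments are an assumed rule of thumb, not CompTIA's scoring.

```python
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High", "Critical"]   # true-risk scale used by the exercise

@dataclass
class Asset:
    internet_facing: bool
    data_sensitivity: str                                # "public", "internal" or "regulated"
    compliance_scope: set = field(default_factory=set)   # e.g. {"PCI DSS"}
    backported_fixes: set = field(default_factory=set)   # CVEs fixed by a distro backport

@dataclass
class Finding:
    cve: str
    cvss: float
    asset: str
    banner_version: str    # upstream version the scanner matched in the service banner
    package_version: str   # version the package manager reports (may carry a vendor suffix)

def triage(finding, assets):
    """Return (true risk level, reasons) for one finding given its asset's context."""
    asset = assets[finding.asset]
    # False positive: the scanner matched the bare upstream version, but the
    # vendor-suffixed distro package already carries the fix as a backport.
    if finding.cve in asset.backported_fixes and finding.package_version != finding.banner_version:
        return "False Positive", [f"fix backported in {finding.package_version}"]
    s = finding.cvss   # standard CVSS v3 bands: 9.0+ Critical, 7.0+ High, 4.0+ Medium
    band = 3 if s >= 9.0 else 2 if s >= 7.0 else 1 if s >= 4.0 else 0
    reasons = [f"CVSS {s} = {LEVELS[band]}"]
    # Exposure: one band up if reachable from the internet, one down if internal only.
    band += 1 if asset.internet_facing else -1
    reasons.append("internet-facing" if asset.internet_facing else "internal only")
    # Data: one band up for regulated data or compliance scope, one down for public data.
    if asset.data_sensitivity == "regulated" or asset.compliance_scope:
        band, reasons = band + 1, reasons + ["regulated data or compliance scope"]
    elif asset.data_sensitivity == "public":
        band, reasons = band - 1, reasons + ["public data only"]
    return LEVELS[max(0, min(3, band))], reasons

def prioritize(findings, assets):   # remediation order: highest true risk first, FPs last
    rows = [(f.cve, f.asset, *triage(f, assets)) for f in findings]
    return sorted(rows, key=lambda r: -LEVELS.index(r[2]) if r[2] in LEVELS else 1)

# Constructed sample environment; CVE ids are placeholders, not real advisories.
ASSETS = {"web-01": Asset(True, "regulated", {"PCI DSS"}),
          "build-02": Asset(False, "internal", backported_fixes={"CVE-0000-0002"}),
          "kiosk-03": Asset(False, "public")}
FINDINGS = [Finding("CVE-0000-0001", 7.5, "web-01", "2.4.49", "2.4.49"),
            Finding("CVE-0000-0002", 9.8, "build-02", "1.1.1k", "1.1.1k-1+deb11u1"),
            Finding("CVE-0000-0003", 9.1, "kiosk-03", "3.0.0", "3.0.0")]
```

Run `prioritize(FINDINGS, ASSETS)` to see the CVSS 7.5 finding on the PCI-scoped web server rank above the CVSS 9.1 finding on an internal public-data kiosk, with the backported CVSS 9.8 finding flagged as a false positive.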