Vulnerability Management and Security Assessments
Finding, scoring, and remediating weaknesses before attackers exploit them.
Vulnerability management is the continuous, cyclical process of finding weaknesses, deciding which ones matter, fixing them, and proving the fix worked. On the SY0-701 exam, expect scenario questions that ask you to pick the right scan type, interpret a CVSS score, prioritize using real-world exploit data, or choose an appropriate remediation when a patch is not available. Learn the lifecycle and the vocabulary below and these questions become predictable.
Core Idea
- Vulnerability management is a lifecycle, not a one-time scan. The steps are identify, analyze, prioritize, remediate, validate, and report — then it repeats continuously.
- Prioritize by real risk, not just raw severity. Combine the CVSS score with whether the flaw is actively exploited (CISA KEV) and how exposed and critical the asset is.
- Remediation is broader than patching. When you cannot patch, you can apply compensating controls, segment the system, or formally accept the risk through a documented exception.
The Vulnerability Management Lifecycle
- Identify – discover weaknesses through vulnerability scans, penetration tests, threat feeds, bug bounty reports, and audits.
- Analyze – confirm findings are real, weed out false positives, and add context (asset value, exposure, exploitability).
- Prioritize – rank by risk using CVSS severity, exploit availability, and business impact so the most dangerous flaws are fixed first.
- Remediate – apply the fix: patch, reconfigure, add a compensating control, segment, or accept the risk.
- Validate – rescan or retest to confirm the remediation actually closed the hole.
- Report – document results, track trends, and communicate residual risk to stakeholders.
Vulnerability Scanning
- Credentialed vs. non-credentialed. A credentialed scan logs in with valid accounts, sees installed software and patch levels, and is far more accurate and detailed. A non-credentialed scan sees only what an unauthenticated attacker would see from the outside — faster and less intrusive but shallower.
- Agent vs. agentless. An agent-based scan runs software installed on each host, ideal for mobile or intermittently connected devices. Agentless scanning probes hosts over the network with nothing installed, easier to deploy but limited on offline systems.
- False positive – the scanner flags a vulnerability that is not actually present; wastes time and erodes trust. False negative – the scanner misses a real vulnerability; far more dangerous because the exposure goes unnoticed.
Penetration Testing
- Environment knowledge: known (formerly white-box) gives the tester full documentation; unknown (black-box) gives nothing, simulating an outside attacker; partially known (gray-box) provides limited information.
- Internal vs. external: an external test attacks from outside the perimeter (internet-facing); an internal test simulates an insider or an attacker who is already past the perimeter.
- Rules of engagement (ROE) define scope, timing, targets, allowed techniques, and points of contact — the written agreement that keeps testing legal and controlled. Scanning is automated and passive-leaning; a penetration test actively exploits flaws to prove real-world impact.
Scoring and Prioritization Sources
- CVE (Common Vulnerabilities and Exposures) – a unique public identifier for a specific known vulnerability (e.g., CVE-2024-1234). It names the flaw; it does not score it.
- CVSS (Common Vulnerability Scoring System) – a 0–10 numeric score. The base score reflects the intrinsic characteristics of the flaw. Severity bands: 0.1–3.9 Low, 4.0–6.9 Medium, 7.0–8.9 High, 9.0–10.0 Critical.
- CISA KEV (Known Exploited Vulnerabilities catalog) – a list of vulnerabilities confirmed to be actively exploited in the wild. A KEV entry should jump to the top of your remediation queue even if its CVSS is only medium.
Common Vulnerabilities and Remediation Options
- Common weaknesses: zero-day (no patch exists yet because the vendor is unaware), misconfiguration, unpatched systems, weak or default credentials, and end-of-life/legacy software that no longer receives updates.
- Remediation choices: patching is the primary fix; when a patch is unavailable or breaks operations, use a compensating control (e.g., a WAF or extra monitoring), segmentation to isolate the risky system, or a formal exception/exemption that documents and accepts the residual risk with sign-off.
- Responsible disclosure lets researchers privately report a flaw and gives the vendor time to fix it before public release; a bug bounty program pays researchers for valid findings, crowdsourcing discovery.
High-Yield Exam Patterns
- If a scan needs the deepest, most accurate view of patch levels, the answer is a credentialed scan.
- A vulnerability that appears in the CISA KEV catalog is being actively exploited — prioritize it first, regardless of a moderate CVSS score.
- A flaw the scanner reports that turns out not to exist is a false positive; a real flaw the scanner missed is a false negative (the more dangerous of the two).
- Rules of engagement are the correct answer whenever a question asks what defines the scope and boundaries of a penetration test.
- When a patch is not available, the exam's expected answer is a compensating control or segmentation, not "do nothing."
- Remember that CVE names a vulnerability while CVSS scores its severity — do not confuse the two.
Common Traps to Avoid
- Treating the CVSS base score as the whole story — exploit activity (KEV) and asset criticality change the true priority.
- Confusing a false negative with a false positive; the missed real vulnerability is the greater risk.
- Assuming remediation always means patching — accepting a risk via a documented exception is a valid, deliberate option.
- Mixing up known/unknown environment testing with internal/external positioning — they are two independent dimensions.
- Believing a zero-day can simply be patched immediately; by definition no vendor patch exists yet, so you rely on compensating controls.
Flashcards
Card 1 of 14
Question
What are the six stages of the vulnerability management lifecycle?
Click or press Space to reveal answer
Answer
Identify, analyze, prioritize, remediate, validate, and report — repeated continuously.
Keyboard: Space/Enter to flip • Arrow keys to navigate
Ready to Test Your Knowledge?
This quiz has 8 questions and each one has 4 options.
Quiz Details
8 Questions
Multiple choice with instant self-check
Final Review
See correct answers and explanations at the end
Build your own lesson in minutes.
Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.