CompTIA Security+ Vulnerability Management Practice Questions 2026
Vulnerability management is a continuous process that identifies, classifies, prioritizes, and remediates security weaknesses before attackers exploit them. On the CompTIA Security+ exam, this topic tests scanning technologies, assessment methodologies, CVSS scoring, remediation strategies, and the patch management lifecycle. Mastering vulnerability management means understanding not just how to find weaknesses, but how to prioritize and fix them while balancing security with business operations.
What Is Vulnerability Management on the Security+ Exam?
Vulnerability management is the systematic practice of identifying, evaluating, treating, and reporting on security vulnerabilities. Unlike one-time assessments, it's a continuous lifecycle — scan environments regularly, prioritize findings, apply remediations, and verify fixes in an ongoing cycle.
The exam covers vulnerability scanning using automated tools to discover known issues by comparing configurations against CVE databases. Vulnerability assessment evaluates business context and potential impact. Penetration testing actively attempts exploitation to prove real-world impact. Understanding when to use each approach is essential.
The exam also tests CVSS scoring for severity classification, remediation prioritization strategies that go beyond raw severity scores, patch management processes, and the relationship between vulnerability management and compliance requirements like PCI-DSS quarterly scanning.
Why Vulnerability Management Matters for Security+
The vast majority of successful cyberattacks exploit known vulnerabilities with existing patches. Organizations with rigorous vulnerability management programs experience significantly fewer breaches. The exam validates that certified professionals understand how to build and operate these programs effectively.
Compliance frameworks mandate vulnerability management: PCI-DSS requires quarterly ASV scans, HIPAA requires regular risk assessments, and NIST includes it as a core Protect function. Understanding how vulnerability management supports compliance is heavily tested.
In practice, vulnerability management is one of the most common responsibilities for Security+ certified professionals. SOC analysts triage scan results, security administrators coordinate patching, and security engineers design scanning architectures. Understanding the complete lifecycle is essential for job readiness.
Key Vulnerability Management Concepts to Master
Vulnerability Scanning
Credentialed (authenticated, deeper visibility), Non-credentialed (external attacker view), Internal (from trusted network), External (from internet), Agent-based (endpoint software for remote devices), Passive (traffic monitoring, no active probing). Know capabilities, accuracy trade-offs, and when to use each.
CVSS Scoring
Base Score (0-10) is built from Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Confidentiality/Integrity/Availability impact. Temporal Score adjusts for exploit maturity and patch availability. Environmental Score adjusts for organizational context. Severity ratings: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9.
Penetration Testing
Black box (no prior knowledge), White box (full access), Gray box (partial knowledge). Requires rules of engagement, scope, and written authorization. Phases: recon → scanning → exploitation → post-exploitation → reporting. Proves exploitability beyond what scans detect.
Patch Management
Identify patches → Test in staging → Approve via change management → Deploy (phased rollout) → Verify installation → Document. Emergency/zero-day patches may follow accelerated procedures. Rollback plans essential when patches cause issues.
Remediation Prioritization
CVSS score alone isn't enough. Consider: asset criticality (production DB vs. test server), exploit availability (public PoC?), exposure (internet-facing vs. internal), compensating controls (IPS/WAF mitigation), and business impact. Risk-based prioritization outperforms severity-only approaches.
False Positives and Validation
Scanners produce false positives (a reported vulnerability that does not actually exist) and false negatives (a real vulnerability the scanner missed). Validate critical findings through manual testing, credentialed rescans, or penetration testing. Tuning scan configurations reduces both. High false positive rates waste analyst time; false negatives create blind spots.
Sample Vulnerability Management Questions
Question 1: Scan Type Selection
A team needs to identify missing patches on Windows servers with maximum accuracy. Which scan type?
A) Non-credentialed external
B) Credentialed internal
C) Passive network
D) Port scan
Answer: B) Credentialed internal — Authenticates to systems, checking installed patches and configurations directly. Non-credentialed only sees network-visible information. Passive monitors traffic. Port scans identify open ports, not vulnerabilities.
Question 2: Remediation Priority
Scan results: (A) Critical CVSS 9.8 on internal test server, (B) High CVSS 7.5 on internet-facing production database. Which first?
A) Test server (higher CVSS)
B) Production database (higher risk)
C) Both simultaneously
D) Neither
Answer: B) Production database — Despite lower CVSS, the internet-facing production database has higher actual risk due to exposure and business criticality. Risk-based prioritization considers CVSS, exposure, asset value, and impact — not severity alone.
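The risk-based ranking that this answer and the Remediation Prioritization concept above describe, as an added example that is not from the original study guide. The weighting factors and the four sample findings are constructed assumptions for illustration, not a published standard; the point is that the remediation order changes once exposure, asset criticality, exploit availability and compensating controls are layered on top of the raw CVSS score. Findings A and B mirror the two systems in Question 2.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str
    cvss: float                 # CVSS base score reported by the scanner
    asset: str
    internet_facing: bool       # exposure: reachable from the internet?
    asset_criticality: int      # 1 = disposable test box ... 5 = revenue-critical production
    public_exploit: bool        # public PoC or exploit kit available?
    compensating_control: bool  # WAF/IPS rule or network restriction already blocks the path


# Constructed weighting factors (assumption for illustration, not a standard).
EXPOSURE = {True: 1.5, False: 0.7}   # internet-facing vs. internal only
EXPLOIT_AVAILABLE = 1.3              # weaponised exploit in the wild
COMPENSATED = 0.6                    # an existing control mitigates the finding


def risk_score(f: Finding) -> float:
    """CVSS adjusted by context. Criticality is scaled around 3 so that an
    'average' asset keeps roughly its CVSS weight; test systems drop, crown jewels rise."""
    score = f.cvss * EXPOSURE[f.internet_facing]
    score *= f.asset_criticality / 3.0
    if f.public_exploit:
        score *= EXPLOIT_AVAILABLE
    if f.compensating_control:
        score *= COMPENSATED
    return score


def prioritize(findings, by="risk"):
    """Return finding ids in remediation order.
    by='cvss' ranks on severity alone; by='risk' ranks on the context-aware score."""
    if by == "cvss":
        key = lambda f: f.cvss
    elif by == "risk":
        key = risk_score
    else:
        raise ValueError("by must be 'cvss' or 'risk'")
    return [f.ident for f in sorted(findings, key=key, reverse=True)]


# Constructed scan results; A and B are the two systems from Question 2.
SCAN_RESULTS = [
    Finding("A", 9.8, "internal test server", False, 1, False, False),
    Finding("B", 7.5, "internet-facing production database", True, 5, True, False),
    Finding("C", 8.1, "internet-facing web app behind a WAF", True, 4, False, True),
    Finding("D", 5.3, "internal production file server", False, 5, True, False),
]

if __name__ == "__main__":
    print("severity-only order:", prioritize(SCAN_RESULTS, by="cvss"))
    print("risk-based order:   ", prioritize(SCAN_RESULTS, by="risk"))
    for f in SCAN_RESULTS:
        print(f"{f.ident}: CVSS {f.cvss} -> risk {risk_score(f):.2f} ({f.asset})")
```

Severity-only ordering puts the 9.8 test server first; the risk-based ordering pushes it to last because it is internal, low-value and has no public exploit, while the 7.5 production database moves to the top. Finding C shows the other direction: a High on an exposed system drops below a Medium on a critical internal server once the WAF rule that already blocks it is counted as a compensating control.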
Question 3: Pen Test vs. Vuln Scan
Management wants proof a vulnerability can be exploited to access customer data. Which assessment type?
A) Vulnerability scan
B) Compliance audit
C) Penetration test
D) Risk assessment
Answer: C) Penetration test — Only penetration testing actively exploits vulnerabilities to prove real-world impact. Scans identify but don't exploit. Audits check against standards. Risk assessments evaluate likelihood and impact on paper, without exploiting anything.
Question 4: Patch Management
A critical zero-day vulnerability is announced affecting production web servers. What should be done FIRST?
A) Deploy the patch immediately to production
B) Implement compensating controls while testing the patch
C) Wait for the vendor's next scheduled update
D) Disable the affected servers
Answer: B) Implement compensating controls while testing — Even for zero-days, deploying untested patches to production risks outages. Implement compensating controls (WAF rules, IPS signatures, network restrictions) immediately while testing the patch in staging. This balances security urgency with operational stability.
Common Mistakes to Avoid
- Confusing vulnerability scanning (automated, identifies) with penetration testing (manual, exploits) — scans find, pen tests prove
- Prioritizing by CVSS alone — a Critical on an isolated test system may be less urgent than a High on a public production server
- Deploying patches to production without testing — always test in staging first with rollback plans
- Treating all scan results as accurate — validate critical findings; false positives waste time, false negatives create blind spots
- Forgetting pen testing requires written authorization — testing without permission is illegal regardless of intent
Study Checklist for Vulnerability Management
- ☑ Compare credentialed vs. non-credentialed vulnerability scans
- ☑ Explain CVSS base, temporal, and environmental scoring
- ☑ Differentiate vulnerability scanning, assessment, and pen testing
- ☑ Describe the complete patch management lifecycle
- ☑ Explain risk-based remediation prioritization
- ☑ Know pen test types: black, white, gray box with use cases
- ☑ Understand CVE, CWE, and NVD vulnerability databases
- ☑ Explain false positives, false negatives, and validation methods
- ☑ Review compliance scanning requirements (PCI-DSS ASV)
- ☑ Understand bug bounty programs and responsible disclosure
Frequently Asked Questions
How many vulnerability management questions are on the exam?
Spans Domain 4 (28%) and Domain 1 (12%). Expect 8-12 questions on scanning, CVSS, remediation, and patching.
Vulnerability scan vs. penetration test?
Scanning: automated, identifies. Pen testing: manual, exploits, requires authorization. Scans find; pen tests prove.
What is CVSS?
Scores vulnerabilities 0-10 on attack vector, complexity, privileges, interaction, scope, and CIA impact. Critical: 9.0-10.0.
What scan types should I know?
Credentialed, non-credentialed, internal, external, agent-based, passive. Know capabilities and when to use each.
How to prioritize remediation?
CVSS + asset criticality + exploit availability + exposure + compensating controls + business impact. Risk-based, not severity-only.
What is patch management?
Identify → test → approve → deploy → verify → document. Test in staging first. Have rollback plans. Most breaches exploit known, patchable vulns.
Practice Vulnerability Management Questions Now
Our Smart Practice practice tests generate unlimited vulnerability management questions for the CompTIA Security+ exam. Get instant feedback with detailed explanations.