CompTIA CySA+ (CS0-003): Vulnerability Management and Scanning

Vulnerability Management is 30% of the CompTIA CySA+ (CS0-003) exam. This module teaches you to find weaknesses, score them, prioritize the ones that matter, and verify the fix. Finding vulnerabilities is easy, but prioritizing them well is the skill that separates analysts.
The Vulnerability Management Lifecycle
Run a continuous loop, not a one-time scan:
- Discover assets and build an inventory
- Scan for vulnerabilities
- Analyze and prioritize results
- Remediate through patching or controls
- Validate the fix with a rescan
- Report and repeat
A vulnerability program is only as complete as your asset inventory, since you cannot scan what you do not know about.
Scanning Types and Configuration
Configure scans with tools such as Nessus, Qualys, and OpenVAS.
- An authenticated (credentialed) scan logs in and sees missing patches and weak configs with high accuracy
- An unauthenticated scan sees only what an outside attacker sees
- Agent-based scanning suits mobile and cloud hosts that are rarely on the network
Scan scope, schedule, and credentials all change the result. Run heavy scans in maintenance windows, since aggressive scanning can crash fragile devices such as OT and medical equipment.
Reading Scan Results: CVE, CVSS, CWE
Three reference systems describe vulnerabilities:
- CVE gives each known vulnerability a unique ID, for example CVE-2021-44228 (Log4Shell)
- CVSS scores severity from 0.0 to 10.0 using base, temporal, and environmental metrics
- CWE classifies the underlying weakness type, for example CWE-89 (SQL injection)
| CVSS Score | Rating |
|---|---|
| 9.0 - 10.0 | Critical |
| 7.0 - 8.9 | High |
| 4.0 - 6.9 | Medium |
| 0.1 - 3.9 | Low |
You separate true positives from false positives by validating findings against the actual system, since scanners guess from version banners.
Prioritization Beyond the Score
A raw CVSS score is not a priority. Weigh three factors together:
- Severity (CVSS base score)
- Asset criticality (an internet-facing database beats an internal test box)
- Exploitability (is there a public exploit, and is it being used now)
The Exploit Prediction Scoring System (EPSS) and threat intelligence on active exploitation refine the order. A medium-CVSS vulnerability under active mass exploitation outranks a high-CVSS one with no known exploit.
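As an added example (not part of the original course page), the following Python ranks constructed scan findings the way this section describes: it maps CVSS base scores to the rating bands, then orders findings by a weighted mix of severity, asset criticality, and exploitability (EPSS plus an active-exploitation flag). The weights, the criticality scale, the EPSS values, and the CVE-PLACEHOLDER ids are assumptions chosen for illustration; only CVE-2021-44228 comes from the page.

```python
from dataclasses import dataclass


def cvss_rating(score: float) -> str:
    """Map a CVSS base score to its qualitative rating band (0.0 is 'None')."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


@dataclass
class Finding:
    cve: str
    cvss: float                 # CVSS base score, 0.0 - 10.0
    asset: str
    asset_criticality: int      # assumed scale: 1 (test box) .. 5 (internet-facing prod)
    epss: float                 # EPSS probability of exploitation, 0.0 - 1.0
    actively_exploited: bool    # threat intel reports in-the-wild exploitation


def priority(f: Finding) -> float:
    """Blend the three factors; weights (0.3 / 0.3 / 0.4) are an assumption."""
    severity = f.cvss / 10.0
    criticality = f.asset_criticality / 5.0
    # Confirmed active exploitation overrides the EPSS estimate.
    exploitability = 1.0 if f.actively_exploited else f.epss
    return round(0.3 * severity + 0.3 * criticality + 0.4 * exploitability, 3)


def rank(findings: list[Finding]) -> list[str]:
    """Return CVE ids ordered from most to least urgent."""
    return [f.cve for f in sorted(findings, key=priority, reverse=True)]


# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("CVE-2021-44228", 10.0, "internal log collector", 3, 0.97, True),
    Finding("CVE-PLACEHOLDER-A", 8.1, "developer test box", 1, 0.02, False),
    Finding("CVE-PLACEHOLDER-B", 5.3, "internet-facing database", 5, 0.85, True),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=priority, reverse=True):
        print(f"{priority(f):.3f}  {cvss_rating(f.cvss):8}  {f.cve}  ({f.asset})")
```

Note that the Medium-rated CVE-PLACEHOLDER-B on a critical, actively exploited asset ranks above the High-rated finding with no known exploit.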
Remediation Options
Patching is not your only tool:
- Patch to remove the flaw
- Configuration change to disable the vulnerable feature
- Compensating control such as a WAF rule or network segmentation when you cannot patch
- Risk acceptance with documented sign-off when the cost outweighs the risk
Track each finding to closure, then run a validation scan to confirm the fix.
Web Application Vulnerabilities
Web apps expose the largest attack surface. Know the common flaws and how they show up:
- SQL injection (CWE-89): input reaches a query unfiltered, for example ' OR '1'='1
- Cross-site scripting (XSS): input is reflected into a page and runs as script
- Cross-site request forgery (CSRF): a forged request rides a logged-in session
Reference the OWASP Top 10 for the broader list, and use software composition analysis (SCA) to find vulnerable third-party libraries, which is how Log4Shell spread.
Specialized Environments
Apply vulnerability management beyond servers:
- Cloud: misconfigurations and exposed services, checked with CSPM
- Mobile: outdated OS versions and risky apps
- OT/ICS: passive assessment only, since active scans disrupt control systems
Recognize zero-day vulnerabilities, which have no patch, and respond with compensating controls and tighter monitoring.
Secure Configuration Baselines
Prevent vulnerabilities by hardening to a baseline:
- CIS Benchmarks provide consensus hardening guides per platform
- DISA STIGs provide stricter government baselines
A scanned-and-patched system on a weak baseline is still soft, so combine patching with hardening.
Next Steps
Vulnerability data informs both Security Operations detection and Incident Response. Communicate findings through Reporting and Communication. Return to the CompTIA CySA+ Course.