🔍 Vulnerability Management - CYSA Practice Questions

Learn vulnerability scanning, assessment, prioritization, and remediation workflows.

19 Questions Available
1 Exam Domain

CYSA Vulnerability Management Question Bank (19 Questions)

Browse all 19 practice questions covering Vulnerability Management for the CYSA certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

  1. Question 1 (Vulnerability Management)

    After running a vulnerability scan, the analyst discovers that several servers are missing a critical patch released two weeks ago. What should be the FIRST step in the remediation process?

    A. Immediately apply the patch to all servers simultaneously
    B. Validate the finding, assess the risk, and prioritize remediation based on asset criticality and exposure
    C. Ignore the finding until the next quarterly patch cycle
    D. Disable the affected service on all servers

    Correct Answer: B
    Explanation:

    Before applying patches, analysts should validate the scan findings, assess the risk based on exploitability and asset criticality, and prioritize remediation. Patching all systems simultaneously without testing could cause widespread outages.

  2. Question 2 (Vulnerability Management)

    An organization has limited patching resources and must prioritize. Which approach BEST combines vulnerability severity with asset context to determine remediation priority?

    A. Patch all systems alphabetically by hostname
    B. Use a risk-based approach that considers CVSS score, asset criticality, exploit availability, and network exposure
    C. Only patch systems that users complain about
    D. Apply patches only to development systems first

    Correct Answer: B
    Explanation:

    Risk-based vulnerability management prioritizes remediation by considering multiple factors: vulnerability severity (CVSS), asset value/criticality, whether exploits exist in the wild, and network exposure. This ensures the highest-risk items are addressed first.

  3. Question 3 (Security Operations)

    A security analyst runs a vulnerability scan and receives results showing a critical vulnerability on a server. Upon manual verification, the vulnerability does not actually exist. What is this called?

    A. True positive
    B. False negative
    C. False positive
    D. True negative

    Correct Answer: C
    Explanation:

    A false positive occurs when a scanner reports a vulnerability that does not actually exist. Analysts must validate critical findings to distinguish false positives from true positives before initiating remediation.

  4. Question 4 (Security Operations)

    Which type of vulnerability scan uses credentials to log into target systems and provides a more thorough assessment of installed software and configurations?

    A. Passive scan
    B. Non-credentialed scan
    C. Credentialed (authenticated) scan
    D. Discovery scan

    Correct Answer: C
    Explanation:

    Credentialed scans authenticate to the target system, allowing the scanner to examine installed software versions, configurations, and registry settings. This produces more accurate results with fewer false positives than non-credentialed scans.

  5. Question 5 (Security Operations)

    An organization needs to scan a production web application for vulnerabilities without causing service disruption. Which type of scan is MOST appropriate?

    A. Active exploitation scan
    B. Non-intrusive vulnerability scan
    C. Penetration test with full exploitation
    D. Denial-of-service resilience test

    Correct Answer: B
    Explanation:

    A non-intrusive vulnerability scan identifies potential vulnerabilities without attempting exploitation, minimizing the risk of service disruption. Active exploitation and penetration testing may cause outages and should be carefully scheduled.

  6. Question 6 (Security Operations)

    Which protocol is commonly used by vulnerability scanners to perform credentialed scans on Windows systems?

    A. SNMP
    B. WMI/WinRM
    C. TFTP
    D. SCP

    Correct Answer: B
    Explanation:

    WMI (Windows Management Instrumentation) and WinRM (Windows Remote Management) are the standard protocols used by vulnerability scanners for authenticated/credentialed scanning of Windows systems, providing deep access to system configuration and software inventory.

  7. Question 7 (Vulnerability Management)

    Which type of vulnerability scan is BEST suited for identifying web application vulnerabilities such as SQL injection and cross-site scripting?

    A. Network infrastructure scan
    B. Dynamic Application Security Testing (DAST)
    C. Host-based compliance scan
    D. Wireless network scan

    Correct Answer: B
    Explanation:

    DAST tools scan running web applications by sending crafted requests and analyzing responses to identify vulnerabilities like SQL injection, XSS, and CSRF. Network scans focus on infrastructure, and host-based scans focus on configurations.

  8. Question 8 (Vulnerability Management)

    An analyst notices that a vulnerability scanner reports different results depending on whether the scan is run during business hours vs. after hours. What is the MOST likely cause?

    A. The scanner software is outdated
    B. Host-based firewalls or endpoint protection are blocking the scanner during certain hours
    C. Systems that are powered off after hours are not scanned, and laptops on during business hours may have different profiles
    D. Vulnerability definitions change every hour

    Correct Answer: C
    Explanation:

    Scan timing affects results because laptops and workstations may be powered off outside business hours, and network-connected devices vary throughout the day. Running scans at different times and combining results provides the most complete coverage.

  9. Question 9 (Vulnerability Management)

    Which of the following vulnerability scanning approaches tests an application's source code without executing it?

    A. Dynamic Application Security Testing (DAST)
    B. Static Application Security Testing (SAST)
    C. Penetration testing
    D. Fuzz testing

    Correct Answer: B
    Explanation:

    SAST analyzes source code, bytecode, or binary code without executing the application, identifying vulnerabilities like hardcoded credentials, injection flaws, and insecure coding patterns. DAST tests running applications, and fuzzing sends malformed input.

  10. Question 10 (Vulnerability Management)

    A security analyst is tasked with scanning a sensitive SCADA/ICS environment. Which precaution is MOST important?

    A. Use the most aggressive scan settings for thorough coverage
    B. Use passive scanning techniques and carefully configured non-disruptive scans, coordinating with OT staff
    C. Scan during peak production hours for the most realistic results
    D. Use the same scan profile as the corporate IT network

    Correct Answer: B
    Explanation:

    SCADA/ICS systems are often fragile and may crash or malfunction under active scanning. Passive scanning, carefully tuned scan profiles, and coordination with OT engineers are critical to avoid disrupting industrial operations.

  11. Question 11 (Vulnerability Management)

    What is the PRIMARY difference between an agent-based and an agentless vulnerability scan?

    A. Agent-based scans can only run on Windows systems
    B. Agent-based scans install software on the target that performs local assessment, while agentless scans probe targets remotely over the network
    C. Agentless scans are always more accurate than agent-based
    D. Agent-based scans do not require authentication

    Correct Answer: B
    Explanation:

    Agent-based scanning installs a lightweight agent on each target system that performs local assessments and reports back. Agentless scanning probes targets remotely using network protocols and credentials. Agents provide continuous monitoring; agentless is easier to deploy initially.

  12. Question 12 (Vulnerability Management)

    Which vulnerability prioritization framework, developed by FIRST, provides a decision-tree-based approach that considers exploitation status, technical impact, and mission prevalence to produce actionable remediation priorities?

    A. CVSS
    B. SSVC (Stakeholder-Specific Vulnerability Categorization)
    C. OWASP Risk Rating
    D. DREAD

    Correct Answer: B
    Explanation:

    SSVC uses decision trees that consider exploitation status (active, proof-of-concept, none), technical impact, and mission prevalence to categorize vulnerabilities into actionable priorities (Act, Attend, Track, Track*). It provides more context than CVSS alone.

  13. Question 13 (Select All That Apply, Vulnerability Management)

    An organization performs a vulnerability assessment and identifies 500 vulnerabilities. The CISO asks for a risk-based prioritization. Which combination of factors should the analyst use? (Choose two.)

    A. CVSS base score and exploit availability
    B. The color of the vulnerability report
    C. Asset criticality and business impact
    D. The number of pages in the scan report

    Correct Answers: A, C
    Explanation:

    Risk-based prioritization combines technical severity (CVSS score, exploit availability) with business context (asset criticality, data sensitivity, business impact). These factors together determine which vulnerabilities pose the greatest organizational risk.

  14. Question 14 (Vulnerability Management)

    A vulnerability in a DMZ-facing web server has a known public exploit available on Exploit-DB. A similar vulnerability on an internal-only server has no known exploit. How should this affect prioritization?

    A. Both should be treated identically
    B. The DMZ server should be prioritized higher due to exposure and exploit availability
    C. The internal server should be prioritized higher
    D. Neither needs remediation since both have compensating controls

    Correct Answer: B
    Explanation:

    Exploit availability significantly increases the likelihood of exploitation. Combined with the DMZ server's direct internet exposure, this vulnerability represents a much higher risk than a similar unexploitable vulnerability on an internal system.

  15. Question 15 (Vulnerability Management)

    A vulnerability has a CVSS v3.1 base score of 9.8 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. What does 'AV:N' indicate?

    A. The attack requires physical access
    B. The attack vector is network-based, exploitable remotely
    C. The attack requires adjacent network access
    D. The attack is limited to local access only

    Correct Answer: B
    Explanation:

    AV:N (Attack Vector: Network) means the vulnerability is exploitable over the network without requiring physical, adjacent, or local access. Combined with AC:L (low complexity) and PR:N (no privileges), this indicates a highly exploitable remote vulnerability.

  16. Question 16 (Vulnerability Management)

    A scan reveals CVE-2024-XXXX (CVSS 7.5) on an internet-facing payment processing server and CVE-2024-YYYY (CVSS 9.1) on an isolated test server with no sensitive data. Which should be remediated FIRST?

    A. The test server because it has a higher CVSS score
    B. The payment processing server because of its asset criticality and exposure despite the lower CVSS
    C. Neither — wait for the next scheduled maintenance window
    D. Both simultaneously with no testing

    Correct Answer: B
    Explanation:

    Risk-based prioritization considers asset criticality and exposure. The internet-facing payment server handles sensitive data and is directly exposed, making it a higher overall risk despite the lower CVSS score. The isolated test server poses minimal business risk.

  17. Question 17 (Vulnerability Management)

    A vulnerability with CVSS base score of 4.3 is discovered on a server containing highly regulated healthcare data (ePHI). Using the CVSS environmental metrics, how would the adjusted score likely change?

    A. The score would decrease because the data is encrypted
    B. The score would likely increase because the confidentiality requirement is high for ePHI systems
    C. The score would not change because environmental metrics don't exist
    D. The score would become zero because HIPAA provides automatic protection

    Correct Answer: B
    Explanation:

    CVSS environmental metrics allow organizations to adjust scores based on their specific context. A system handling ePHI has high confidentiality requirements, which would increase the environmental score above the base score of 4.3.

  18. Question 18 (Vulnerability Management)

    After deploying a patch, the security team should perform which of the following to confirm the vulnerability has been successfully remediated?

    A. Wait for the next scheduled quarterly scan
    B. Run a targeted rescan of the patched systems to verify the vulnerability is no longer detected
    C. Ask the system administrator if they feel the patch worked
    D. Check the vendor's website for the patch release notes only

    Correct Answer: B
    Explanation:

    Post-remediation verification through targeted rescanning confirms that patches were successfully applied and vulnerabilities are no longer present. This closes the remediation loop and provides documented evidence of risk reduction.

  19. Question 19 (Vulnerability Management)

    Which CVSS metric group accounts for the real-world availability of exploit code and the existence of official patches?

    A. Base metric group
    B. Temporal metric group
    C. Environmental metric group
    D. Supplemental metric group

    Correct Answer: B
    Explanation:

    The temporal metric group adjusts the base score based on factors that change over time, including exploit code maturity, remediation level (official fix, workaround, unavailable), and report confidence. The environmental group adjusts for organization-specific factors.

Key Vulnerability Management Concepts for CYSA

vulnerability, scanning, CVSS, patch, remediation, risk assessment

CYSA Vulnerability Management Exam Tips

Vulnerability Management questions in CYSA are typically scenario-based. Focus on practical decision making aligned to the official exam objectives. Priority concepts: vulnerability, scanning, CVSS, patch, remediation, risk assessment.

What CYSA Expects

  • Anchor your answer in the most practical, secure, and scalable option for the stated scenario.
  • Vulnerability Management scenarios for CYSA are frequently mapped to Domain 2 (30%), so read the objective carefully before picking controls or architecture.
  • Expect scenarios where Vulnerability Management interacts with identity and access management, networking, storage, or monitoring rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and accepted best practices.

High-Value Vulnerability Management Concepts

  • Know the core Vulnerability Management building blocks cold: vulnerability, scanning, CVSS, patch.
  • Review the edge cases and limits of remediation and risk assessment; these details are commonly used to differentiate answer choices.
  • Practice integration reasoning: how Vulnerability Management pairs with Security Operations and Incident Response in real deployments.
  • For CYSA, be able to explain why the chosen Vulnerability Management approach meets reliability, security, and cost expectations better than the alternatives.

Common CYSA Traps

  • Watch for answers that partially solve the requirement but miss operational constraints.
  • Questions in Vulnerability Management often include distractors that look correct for Vulnerability Management but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Vulnerability Management implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Vulnerability Management (30%) outcomes for CYSA?
  • Can you explain security and access boundaries for Vulnerability Management without relying on default-open assumptions?
  • Can you describe how Vulnerability Management integrates with Security Operations and Incident Response during failure, scaling, and monitoring events?
