3.2 Scanning, CVSS, and Prioritization Workflows
Key Takeaways
- Credentialed (authenticated) scans see installed software and missing patches; uncredentialed scans see only the network-facing surface.
- Active scans send probes and can disrupt fragile hosts; passive scans (sniffing traffic) are safe for SCADA/ICS and medical devices.
- CVSS v3.1 severity bands: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
- Risk-based prioritization layers asset criticality, exposure, exploit availability (CISA KEV/EPSS), and data sensitivity on top of the base CVSS score.
The analysis half of vulnerability management lives in three skills: picking the right scan for the environment, reading the output a tool produces, and prioritizing what to fix first. The exam tests all three as applied decisions, so treat each as a workflow with a triggering cue and a defensible next step.
Choosing the right scan type
The exam loves to ask which scan fits a given environment. Match the constraint in the stem to the technique. The mistake candidates make is defaulting to the most thorough scan everywhere; the right answer balances coverage against operational risk and the specific question being asked.
| Scan dimension | Option A | Option B | Exam cue |
|---|---|---|---|
| Authentication | Credentialed: logs in, sees patches/config, fewer false positives | Uncredentialed: outside view, what an attacker sees first | "accurate patch state" -> credentialed |
| Method | Active: sends probes, can crash fragile hosts | Passive: sniffs traffic, sends nothing to the target, sees only what the host actually transmits | "fragile ICS/SCADA/medical" -> passive |
| Scope | Agent-based: installed agent, good for roaming laptops | Network-based: scanner appliance on a segment | "laptops off-network" -> agent |
| Compliance | Internal scan: behind the firewall | External scan: from the public internet | PCI DSS needs both, quarterly |
Scope and frequency are driven by policy and regulation. PCI DSS requires internal and external vulnerability scans at least quarterly and after significant changes; the external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV) and produce a passing result. Network-based versus agent-based is a coverage tradeoff: agents cover devices that leave the corporate network, while network scanners cover unmanaged or IoT devices that cannot host an agent.
Reading CVSS v3.1
CVSS (Common Vulnerability Scoring System) v3.1 produces a 0-10 base score from a vector string. Memorize the severity bands - they appear verbatim in questions:
| Severity | Score range |
|---|---|
| None | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
Know the base metric letters. A vector string starts with the version prefix (CVSS:3.1/) and then lists Attack Vector (AV): Network/Adjacent/Local/Physical. Attack Complexity (AC): Low/High. Privileges Required (PR): None/Low/High. User Interaction (UI): None/Required. Scope (S): Unchanged/Changed. Then Confidentiality, Integrity, Availability (C/I/A): None/Low/High. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is the classic Critical - remotely reachable, low complexity, no privileges, no user interaction, full impact on all three - and scores 9.8; flipping Scope to Changed (S:C) takes the same flaw to the maximum 10.0. The exam expects you to recognize that AV:N (network) is more dangerous than AV:L (local), and that S:C (the exploit reaches beyond the vulnerable component) scores higher than S:U.
Prioritizing beyond the base score
CVSS base alone is not a risk score. Layer on context:
- Exploitability: Is there a public exploit? Is it in the CISA Known Exploited Vulnerabilities (KEV) catalog? What is the EPSS (Exploit Prediction Scoring System) probability?
- Exposure: an internet-facing host outranks an internal one at the same score.
- Asset criticality and data sensitivity: A crown-jewel database outranks a kiosk.
- Compensating controls already in place: A WAF or segmentation lowers effective risk.
Worked example: a scan shows CVSS 9.8 on an internal lab host with no sensitive data and CVSS 7.5 on an internet-facing server processing customer PII that appears in CISA KEV. Risk-based prioritization remediates the 7.5 first - exposure plus active exploitation outweigh the higher raw number.
Recognizing the major scanning tools
Objective 2.2 expects familiarity with the output of common tools, not vendor trivia, but recognizing names helps you parse a stem. Nessus, Qualys, and OpenVAS are general vulnerability scanners. Nikto and OWASP ZAP or Burp Suite target web applications. Nmap performs host discovery and port/service enumeration that feeds a scan. Prowler and Scout Suite assess cloud configuration; Trivy and Clair scan container images.
When a question describes scanner output - a plugin ID, a CVE reference, a severity column, a host/port pairing - the skill being tested is interpreting and validating that output, then deciding the next action.
Aggregation, deduplication, and correlation
Large environments generate thousands of findings, many duplicated across overlapping scans. Analysts aggregate results into a single view, deduplicate the same CVE reported on the same asset, and correlate with asset inventory and threat intel before reporting. A raw 40,000-line scan export is not a remediation plan; the analyst's job is to compress it into a ranked, validated, context-aware list. Distractors that say "forward the full scan report to system owners" skip the analysis step that adds the value.
Threat intelligence as a prioritization input
CySA+ wants you to fuse scan data with threat intelligence. The CISA Known Exploited Vulnerabilities (KEV) catalog lists flaws confirmed to be exploited in the wild - presence in KEV should jump a finding to the front of the queue regardless of its base score. EPSS (Exploit Prediction Scoring System) assigns a 0-1 probability that a vulnerability will be exploited in the next 30 days; a CVSS 6.0 with a 0.92 EPSS may outrank a CVSS 8.0 with a 0.02 EPSS. Vendor advisories, ISACs, and open-source intelligence feeds round out the picture.
The exam-correct instinct: severity tells you how bad it could be, threat intelligence tells you how likely it is to happen now.
Temporal and environmental metrics
Beyond the base score, CVSS adds temporal metrics (exploit code maturity, remediation level, report confidence) that adjust the score as the situation evolves, and environmental metrics that let an organization re-weight C/I/A and modify base metrics to reflect its own context. A flaw with no public exploit and an official patch has a lower temporal score than the same flaw with weaponized exploit code and no fix. When a question mentions "adjusting the score for our specific environment," the answer is the environmental metric group, not a fresh base recalculation.
False positives and false negatives
Validate findings before action. A false positive wastes remediation effort and erodes trust in the program; a false negative leaves a real hole that the report falsely shows as clean. Cross-reference scanner output against the asset's actual configuration, installed-software inventory, vendor advisories, and a second tool when stakes are high. Credentialed scans cut false positives sharply because the scanner reads the true patch level instead of inferring it from banners. Documenting why a finding was dismissed as a false positive is part of the audit trail - an undocumented dismissal is itself a finding in an audit.
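The prioritization, aggregation, threat-intelligence and false-positive handling described in the last several subsections, carried through in one pipeline as an added example that is not part of the original page: aggregate two overlapping scanner exports, deduplicate by (host, CVE), enrich with asset context and threat-intel feeds, require a documented justification for every false-positive dismissal, and rank. The scan rows, asset inventory, KEV and EPSS stand-ins, and the placeholder CVE IDs are all constructed; the scoring weights are this example's own, not a standard formula. The data reproduces both comparisons made above: the CVSS 7.5 KEV finding on the PII server ranks above the 9.8 on the lab host, and the CVSS 6.0 with EPSS 0.92 ranks above the 8.0 with EPSS 0.02 on the same host.

```python
"""Raw scanner export to ranked remediation list: aggregate, deduplicate, enrich
with asset context and threat intelligence, record documented dismissals, rank.
All data and weights are constructed for this example; CVE IDs are placeholders."""
from dataclasses import dataclass, field

# Constructed exports from two overlapping scans (network and agent). Both report
# the same CVE on db01, so six rows describe five distinct (host, CVE) findings.
SCAN_EXPORTS = [
    {"scanner": "network", "host": "db01",  "cve": "CVE-0000-0001", "cvss": 7.5},
    {"scanner": "agent",   "host": "db01",  "cve": "CVE-0000-0001", "cvss": 7.5},
    {"scanner": "network", "host": "lab07", "cve": "CVE-0000-0002", "cvss": 9.8},
    {"scanner": "agent",   "host": "app02", "cve": "CVE-0000-0003", "cvss": 6.0},
    {"scanner": "agent",   "host": "app02", "cve": "CVE-0000-0004", "cvss": 8.0},
    {"scanner": "network", "host": "web01", "cve": "CVE-0000-0005", "cvss": 7.2},
]
# Constructed asset inventory: criticality 1 (lab box) to 5 (crown jewel).
ASSETS = {
    "db01":  {"criticality": 5, "internet_facing": True,  "pii": True,  "controls": []},
    "lab07": {"criticality": 1, "internet_facing": False, "pii": False, "controls": []},
    "app02": {"criticality": 3, "internet_facing": True,  "pii": True,  "controls": ["waf"]},
    "web01": {"criticality": 3, "internet_facing": True,  "pii": False, "controls": []},
}
KEV = {"CVE-0000-0001"}                      # stand-in for the CISA KEV catalog
EPSS = {"CVE-0000-0001": 0.70, "CVE-0000-0002": 0.05, "CVE-0000-0003": 0.92,
        "CVE-0000-0004": 0.02, "CVE-0000-0005": 0.10}   # stand-in EPSS probabilities
# Validated false positives: (host, cve) -> why it was dismissed. The reason is
# mandatory because an undocumented dismissal is itself an audit finding.
FALSE_POSITIVES = {
    ("web01", "CVE-0000-0005"): "banner-inferred version; credentialed check confirms backported fix",
}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    seen_by: set = field(default_factory=set)
    risk: float = 0.0
    rationale: list = field(default_factory=list)


def aggregate(exports):
    """One Finding per (host, cve): keep the highest CVSS reported and which scanners saw it."""
    merged = {}
    for row in exports:
        key = (row["host"], row["cve"])
        f = merged.setdefault(key, Finding(row["host"], row["cve"], 0.0))
        f.cvss = max(f.cvss, row["cvss"])
        f.seen_by.add(row["scanner"])
    return list(merged.values())


def score(f, assets, kev, epss):
    """Illustrative risk score: CVSS base adjusted for threat intel and asset context.
    Every adjustment is logged to f.rationale so the order can be defended to owners."""
    a = assets[f.host]
    risk = f.cvss
    if f.cve in kev:
        risk += 4.0                               # confirmed exploitation jumps the queue
        f.rationale.append("in KEV: confirmed exploited in the wild")
    p = epss.get(f.cve, 0.0)
    risk += 3.0 * p                               # 0..1 probability -> up to +3
    f.rationale.append(f"EPSS {p:.2f}")
    if a["internet_facing"]:
        risk *= 1.5
        f.rationale.append("internet-facing")
    risk *= 0.6 + 0.2 * a["criticality"]          # criticality 1..5 -> x0.8 .. x1.6
    if a["pii"]:
        risk *= 1.2
        f.rationale.append("processes PII")
    if a["controls"]:
        risk *= 0.7                               # compensating controls lower effective risk
        f.rationale.append("compensating controls: " + ", ".join(a["controls"]))
    f.risk = round(risk, 2)
    return f.risk


def prioritize(exports=SCAN_EXPORTS, assets=ASSETS, kev=KEV, epss=EPSS,
               dismissals=FALSE_POSITIVES):
    """Return (open findings ranked by risk, dismissed findings with their reasons)."""
    ranked, dismissed = [], []
    for f in aggregate(exports):
        reason = dismissals.get((f.host, f.cve))
        if reason is not None:
            if not reason.strip():
                raise ValueError(f"{f.host} {f.cve}: dismissal needs a documented reason")
            f.rationale.append("dismissed: " + reason)
            dismissed.append(f)
            continue
        score(f, assets, kev, epss)
        ranked.append(f)
    ranked.sort(key=lambda x: x.risk, reverse=True)
    return ranked, dismissed


if __name__ == "__main__":
    open_findings, fps = prioritize()
    for f in open_findings:
        print(f"{f.risk:6.2f}  {f.host:5} {f.cve}  CVSS {f.cvss}  {'; '.join(f.rationale)}")
    for f in fps:
        print(f"    FP  {f.host:5} {f.cve}  {f.rationale[-1]}")
```

Running it ranks db01's 7.5 first by a wide margin, then app02's 6.0 ahead of its own 8.0, then the lab host's 9.8 last, with web01's finding held in the dismissed list alongside its justification. The point of the `rationale` list is that the output answers "why is this above that" on every row; a ranking that cannot explain itself is no better than the raw 40,000-line export.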
An analyst must scan a hospital network segment that includes legacy medical devices known to crash when they receive unexpected probe traffic. Which scanning approach minimizes the risk of disrupting patient-care equipment?
A CVSS v3.1 base score of 8.4 falls into which severity rating?