3.1 Vulnerability Management Overview

Key Takeaways

  • Vulnerability Management (Domain 2) is 30% of the CySA+ CS0-003 exam, the second-largest domain after Security Operations (33%).
  • CS0-003 is a maximum of 85 multiple-choice and performance-based questions in 165 minutes; passing is 750 on a 100-900 scale.
  • The five-phase lifecycle is identify, analyze/prioritize, remediate, validate, and report - the exam tests the order.
  • Most questions ask what to do next given a scan result, an asset context, and a constraint, not a bare definition.
Last updated: June 2026

Vulnerability Management is Domain 2 of the CompTIA CySA+ CS0-003 objectives and carries 30% of the scored content - the second-heaviest domain behind Security Operations (33%). On exam day you face at most 85 questions (multiple-choice plus performance-based, or PBQs) in 165 minutes, and you need 750 on a 100-900 scale to pass. Roughly a quarter of your questions come from this domain, so missing it sinks the whole attempt.

What the domain actually covers

Objective 2.x maps to four clusters you must know cold: implementing vulnerability scanning methods and concepts (2.1), analyzing output from vulnerability assessment tools (2.2), prioritizing vulnerabilities by context (2.3), and recommending controls to mitigate attacks and software vulnerabilities (2.4-2.5).

The vulnerability management lifecycle

The exam treats vulnerability management as a repeating, five-phase loop. Memorize the order - questions about "the next step" hinge on it.

Phase | Core activity | Key artifact
1. Identify / Discover | Inventory assets, run scans, map attack surface | Asset inventory, scan results
2. Analyze & Prioritize | Validate findings, score with CVSS, weigh context | Triaged finding list, risk ranking
3. Remediate / Respond | Patch, configure, segment, or compensate | Change ticket, remediation plan
4. Validate | Re-scan to confirm the fix | Verification scan, closed ticket
5. Report / Monitor | Communicate metrics, track residual risk | Risk register, KPIs, exceptions

Identification is impossible without an asset inventory

A recurring exam theme: you cannot manage what you have not inventoried. Asset criticality - how essential a system is to the business - and data classification drive every downstream decision. A CVSS 9.8 on an isolated test box matters less than a CVSS 7.5 on an internet-facing payment server holding cardholder data. CySA+ rewards answers that account for context, not raw severity.
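The following is an added example, not part of this guide, that turns the "context beats raw severity" point into a scoring function: each finding's CVSS base score is weighted by exposure, known exploit availability, asset criticality and data classification. The 1-5 criticality scale, the classification weights and the multipliers are assumptions chosen for illustration (not a published standard), and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass

# Assumed weights for this example only; a real program would take these
# from its risk methodology, not from this file.
DATA_WEIGHT = {"public": 0.6, "internal": 0.8, "confidential": 1.0, "regulated": 1.2}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # assumed 1 (lab box) .. 5 (mission-critical) scale
    internet_facing: bool     # exposure: reachable from the public internet?
    data_classification: str  # key into DATA_WEIGHT


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder ids below, not real CVEs
    asset: Asset
    cvss_base: float          # CVSS v3.x base score, 0.0-10.0
    exploit_available: bool   # public exploit known (threat factor)


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative bands: the raw severity the exam warns against using alone."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def contextual_priority(f: Finding) -> float:
    """Severity weighted by exposure, threat, asset criticality and data sensitivity.
    Multipliers are assumptions chosen to illustrate context-driven ranking."""
    exposure = 1.0 if f.asset.internet_facing else 0.5
    threat = 1.3 if f.exploit_available else 1.0
    asset_value = f.asset.criticality / 5
    data = DATA_WEIGHT[f.asset.data_classification]
    return round(f.cvss_base * exposure * threat * asset_value * data, 2)


def rank(findings: list) -> list:
    """Highest contextual priority first; ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (contextual_priority(f), f.cvss_base), reverse=True)


# Constructed inventory and findings mirroring the scenario in the text.
TEST_BOX = Asset("lab-test-01", criticality=1, internet_facing=False, data_classification="public")
PAYMENT = Asset("pay-web-01", criticality=5, internet_facing=True, data_classification="regulated")
FILE_SRV = Asset("fs-internal-02", criticality=3, internet_facing=False, data_classification="confidential")

SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", TEST_BOX, 9.8, exploit_available=False),
    Finding("CVE-0000-0002", PAYMENT, 7.5, exploit_available=False),
    Finding("CVE-0000-0003", FILE_SRV, 8.8, exploit_available=True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.asset.name:16} {f.cve} CVSS {f.cvss_base} ({cvss_rating(f.cvss_base)})"
              f" -> priority {contextual_priority(f)}")
```

Run as a script, the 9.8 on the isolated lab box drops to the bottom of the list while the 7.5 on the internet-facing, regulated payment server rises to the top, which is the ordering the exam expects you to defend.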

Note the loop never truly ends - a closed finding feeds the next discovery cycle, and new assets, new CVEs, and configuration drift continuously reopen work. The exam frames vulnerability management as ongoing operations, not a one-time project, which is why "establish a recurring program" beats "run a single scan" in most stems.
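As an added example (not the guide's own material) of the five-phase loop and its "validate by re-scan" rule, the code below tracks each finding as a ticket that may only move one phase forward, refuses to close without verification evidence, and reconciles a baseline scan against a re-scan so that confirmed fixes close, failed fixes go back to Analyze, and newly detected issues start the next Identify cycle. Both scan exports are constructed CSV fragments with placeholder CVE ids, and the column layout is an assumption.

```python
import csv
import io
from enum import IntEnum


class Phase(IntEnum):
    """The five lifecycle phases, in the order the exam expects."""
    IDENTIFY = 1
    ANALYZE = 2
    REMEDIATE = 3
    VALIDATE = 4
    REPORT = 5


class Ticket:
    """One finding tracked through the loop; transitions must be sequential."""

    def __init__(self, host: str, cve: str):
        self.host, self.cve = host, cve
        self.phase = Phase.IDENTIFY
        self.verified = False  # set only by a verification scan

    def advance(self, to: Phase) -> None:
        if to != self.phase + 1:
            raise ValueError(f"{self.host}/{self.cve}: cannot jump from {self.phase.name} to {to.name}")
        if to == Phase.REPORT and not self.verified:
            raise ValueError(f"{self.host}/{self.cve}: cannot close without a verification scan")
        self.phase = to

    def reopen(self) -> None:
        """A failed fix goes back to triage; the ticket is never silently closed."""
        self.phase = Phase.ANALYZE
        self.verified = False


def parse_scan(text: str) -> set:
    """Minimal parser for the constructed CSV export: one (host, cve) pair per row."""
    return {(row["host"], row["cve"]) for row in csv.DictReader(io.StringIO(text))}


def reconcile(baseline: str, verification: str) -> dict:
    """Compare the pre-remediation scan with the re-scan."""
    before, after = parse_scan(baseline), parse_scan(verification)
    return {
        "closed": before - after,      # fixed and confirmed absent
        "still_open": before & after,  # remediation failed
        "new": after - before,         # feeds the next Identify cycle
    }


def validate_cycle(tickets: dict, baseline: str, verification: str) -> dict:
    """Drive tickets through Validate and Report based on the re-scan result."""
    result = reconcile(baseline, verification)
    for key in result["closed"]:
        t = tickets[key]
        t.verified = True
        t.advance(Phase.VALIDATE)
        t.advance(Phase.REPORT)
    for key in result["still_open"]:
        tickets[key].reopen()
    for host, cve in result["new"]:
        tickets[(host, cve)] = Ticket(host, cve)  # next loop starts at Identify
    return result


# Constructed scan exports: placeholder CVE ids, private test addresses.
BASELINE_SCAN = """host,cve,cvss
10.0.0.5,CVE-0000-0001,9.8
10.0.0.5,CVE-0000-0002,7.5
10.0.0.9,CVE-0000-0003,5.3
"""

VERIFICATION_SCAN = """host,cve,cvss
10.0.0.5,CVE-0000-0002,7.5
10.0.0.9,CVE-0000-0004,6.1
"""


def demo() -> dict:
    """Open tickets from the baseline, remediate, then validate against the re-scan."""
    tickets = {key: Ticket(*key) for key in parse_scan(BASELINE_SCAN)}
    for t in tickets.values():
        t.advance(Phase.ANALYZE)
        t.advance(Phase.REMEDIATE)
    validate_cycle(tickets, BASELINE_SCAN, VERIFICATION_SCAN)
    return {key: t.phase.name for key, t in tickets.items()}


if __name__ == "__main__":
    for (host, cve), phase in sorted(demo().items()):
        print(f"{host:10} {cve}  {phase}")
```

The point the code makes explicit: a ticket cannot jump from Remediate to Report, and the only thing that sets `verified` is the re-scan showing the finding absent, so "we patched it" never closes a finding on its own.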

A note on the exam edition

This guide targets CS0-003, the current CySA+ version. CompTIA has announced a V4 successor (CS0-004) for the second half of 2026; if you sit the exam after that transition, confirm the live objective version, but the vulnerability management concepts here - lifecycle, CVSS, risk-based prioritization, and control selection - carry forward essentially unchanged. The logistics above (85 questions, 165 minutes, 750/900) describe CS0-003 specifically; always verify current numbers on CompTIA's official certification page before scheduling.

Why a structured program beats ad-hoc patching

Governance frameworks the exam references include NIST SP 800-40 (patch management), NIST SP 800-53, the CIS Controls, and regulatory drivers such as PCI DSS (which mandates quarterly internal and external scans plus a rescan after any high-risk finding). A defensible program produces an audit trail: who found the issue, who scored it, who approved the fix or the exception, and when validation closed it. Shortcut answers that skip documentation or an exception process are usually distractors.

Scanning concepts you must define

Objective 2.1 expects fluency with the vocabulary of scanning. A vulnerability scan uses signatures and plugins to detect known weaknesses without exploiting them, while a penetration test actively exploits findings to prove impact. Scope sets which assets are in bounds; frequency is how often you scan (continuous, weekly, monthly, or the PCI-mandated quarterly). Sensitivity levels tune how aggressive a scan is - a high-sensitivity scan finds more but risks more false positives and host disruption. Discovery scans map live hosts and open ports before a deeper assessment runs.

The exam also tests where you place scanners. An internal scan runs behind the firewall and reveals what an insider or a foothold attacker would see; an external scan runs from the public internet and reveals the attacker's first view. Special-purpose scans include web application scans (probing for the OWASP Top 10 - SQL injection, XSS, insecure direct object references), container image scans, and cloud configuration scans. Pick the scan whose target matches the asset class named in the stem.

Regulatory and framework drivers

Vulnerability management is not optional housekeeping; it is mandated. PCI DSS requires quarterly internal and external scans and a passing external Approved Scanning Vendor scan, plus a rescan after any high-risk fix. HIPAA requires risk analysis for systems touching protected health information. NIST SP 800-40 defines enterprise patch management, and the CIS Controls rank continuous vulnerability management among the top safeguards. When a stem names a regulation, the correct action usually aligns to that regulation's stated cadence or documentation requirement rather than the operationally convenient shortcut.

Common trap to internalize now

Do not confuse a vulnerability (a weakness), a threat (an actor or event that can exploit it), and risk (the likelihood and impact of that exploitation). Risk = threat x vulnerability x impact. The exam constantly substitutes one term for another in answer options to see if you notice. Likewise, separate a CVE (Common Vulnerabilities and Exposures - the unique identifier for a specific flaw) from a CVSS score (the severity rating attached to it) and from a CWE (Common Weakness Enumeration - the category of coding error).

A question naming CVE-2024-XXXX is pointing at one specific instance; a question about CWE-89 is pointing at the broader class of SQL injection flaws.

Test Your Knowledge

A CySA+ analyst inherits an environment with no documented list of servers, workstations, or cloud instances. Before scanning can produce trustworthy results, which activity is the essential prerequisite?


On the CS0-003 exam, the Vulnerability Management domain accounts for what share of the scored content?
