CompTIA CySA+ Practice Questions: Vulnerability Management

11 free, exam-style CompTIA CySA+ (CS0-003) practice questions covering Vulnerability Management. Each question shows the correct answer and a clear explanation.


Q1. What does CVSS stand for? (Q-924433)

Explanation: CVSS is the Common Vulnerability Scoring System, an open standard maintained by FIRST that rates the technical severity of a vulnerability on a 0.0 to 10.0 scale from its base metrics (attack vector, attack complexity, privileges required, user interaction, and impact on confidentiality, integrity and availability). The score expresses severity, not organizational risk: two hosts with the same CVSS score can carry very different risk depending on exposure and asset criticality.

Q2. Which of the following is a characteristic of a zero-day vulnerability? (Q-924440)

Explanation: A zero-day vulnerability is unknown to the vendor (or known but not yet patched) at the time it is first exploited, so no official fix exists. Until a patch ships, defenders must rely on compensating controls such as disabling the affected feature, network segmentation, or virtual patching at a WAF or IPS.

Q3. What is the PRIMARY purpose of a vulnerability scan? (Q-627ffe)

Explanation: The primary purpose of a vulnerability scan is to identify weaknesses on in-scope systems: missing patches, insecure configurations, default credentials, and exposed services. A scan detects and reports; it does not exploit the weakness (that is a penetration test) or fix it (that is remediation).

Q4. During a vulnerability scan, you identify multiple systems with missing KB patches. What is the BEST approach to prioritize remediation?

Explanation: Remediation should be prioritized by risk, not by patch count: weigh each missing patch's severity (CVSS) against the business criticality and exposure of the affected host, so that an internet-facing production server with a remotely exploitable flaw is fixed before an isolated lab machine with a higher raw score. (KB refers to the Microsoft Knowledge Base article that documents an update.)

Q5. What type of vulnerability scan authenticates to the target system to provide a more detailed assessment?

Explanation: A credentialed (authenticated) scan logs in to the target with a valid account, so the scanner can read installed package versions, registry and configuration settings, and local patch state directly instead of inferring them from network responses. This yields fewer false positives and finds issues an unauthenticated scan cannot see, at the cost of managing the scan credentials securely (least privilege, vaulted, rotated).

Q6. Which factor should raise the priority of a vulnerability finding?

Explanation: Exploitability (a public exploit or evidence of active exploitation), exposure (internet-facing or reachable by untrusted users), and asset criticality are the key inputs that should raise priority. A finding that is high-severity on paper but requires local access to a segmented, non-critical host deserves less urgency.

Q7. Which remediation step verifies that a patch actually reduced exposure?

Explanation: A validation scan (rescan) of the remediated system confirms the vulnerability no longer appears. Rescanning matters because a patch install can be reported as successful while the vulnerable component still runs (service not restarted, reboot pending, a second copy of the library), so closing a finding on the basis of the ticket alone is unreliable.

Q8. A vulnerability has a high CVSS score but exists only on a decommissioned host. What should influence prioritization?

Explanation: Risk-based prioritization considers severity along with asset criticality, exposure, and operational context. A host that is genuinely decommissioned has no exposure, so the finding can be closed as not applicable once the asset inventory confirms the system is powered off and removed from the network. If the scanner can still reach it, it is not decommissioned and must be treated as a live asset.
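The prioritization logic behind Q4, Q6 and Q8, as an added Python example; it is not part of the exam material or any vendor's scoring. The weighting factors, the SLA tiers, the host names, the placeholder CVE identifiers and the inventory are all constructed assumptions for illustration. A decommissioned host scores zero and is flagged for confirmation rather than silently dropped, and a host missing from the inventory is scored as worst case and flagged for validation.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: int          # constructed scale: 1 (lab box) .. 5 (revenue-critical)
    internet_facing: bool
    decommissioned: bool = False


@dataclass(frozen=True)
class Finding:
    finding_id: str
    hostname: str
    cve: str
    cvss_base: float          # CVSS v3.x base score, 0.0 .. 10.0
    known_exploited: bool     # e.g. listed in a known-exploited-vulnerabilities catalog


# Constructed SLA policy (an assumption, not an exam fact): (score threshold, tier, days to fix)
SLA_TIERS: List[Tuple[float, str, int]] = [
    (20.0, "critical", 7),
    (10.0, "high", 30),
    (0.0, "medium", 90),
]


def risk_score(finding: Finding, asset: Asset) -> float:
    """Relative risk used for ranking; this is not a CVSS score. Weights are illustrative."""
    if asset.decommissioned:
        return 0.0                                  # no exposure, nothing to remediate
    score = finding.cvss_base
    score *= 1.0 + 0.2 * (asset.criticality - 1)    # criticality 1..5 -> x1.0 .. x1.8
    if asset.internet_facing:
        score *= 1.5                                # reachable by untrusted users
    if finding.known_exploited:
        score *= 2.0                                # exploitation is already happening
    return round(score, 2)


def sla_tier(score: float) -> Tuple[str, int]:
    for threshold, tier, days in SLA_TIERS:
        if score > threshold:
            return tier, days
    return "not_applicable", 0


def prioritize(findings: List[Finding], inventory: Dict[str, Asset]) -> List[dict]:
    """Rank findings by risk, highest first, with their SLA tier and due window."""
    rows = []
    for f in findings:
        asset = inventory.get(f.hostname)
        note = ""
        if asset is None:
            # Unknown to the inventory: assume worst case and flag it instead of dropping it.
            asset = Asset(f.hostname, criticality=5, internet_facing=True)
            note = "host missing from inventory; validate ownership"
        elif asset.decommissioned:
            note = "decommissioned; confirm host is offline, then close as not applicable"
        score = risk_score(f, asset)
        tier, days = sla_tier(score)
        rows.append({"finding_id": f.finding_id, "hostname": f.hostname, "cve": f.cve,
                     "score": score, "tier": tier, "due_in_days": days, "note": note})
    rows.sort(key=lambda r: (-r["score"], r["finding_id"]))   # deterministic ordering
    return rows


# Constructed sample inventory and scan results (CVE identifiers are placeholders)
INVENTORY: Dict[str, Asset] = {
    "web-prod-01": Asset("web-prod-01", criticality=5, internet_facing=True),
    "hr-db-02": Asset("hr-db-02", criticality=4, internet_facing=False),
    "old-ftp-09": Asset("old-ftp-09", criticality=2, internet_facing=True, decommissioned=True),
    "lab-vm-33": Asset("lab-vm-33", criticality=1, internet_facing=False),
}

FINDINGS: List[Finding] = [
    Finding("F-1", "web-prod-01", "CVE-0000-0001", cvss_base=7.5, known_exploited=True),
    Finding("F-2", "hr-db-02", "CVE-0000-0002", cvss_base=9.8, known_exploited=False),
    Finding("F-3", "old-ftp-09", "CVE-0000-0003", cvss_base=9.8, known_exploited=True),
    Finding("F-4", "lab-vm-33", "CVE-0000-0004", cvss_base=5.3, known_exploited=False),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS, INVENTORY):
        print(f'{row["finding_id"]} {row["hostname"]:<12} score={row["score"]:>6} '
              f'{row["tier"]:<14} due_in={row["due_in_days"]:>2}d {row["note"]}')
```

Note how the ranking differs from a raw CVSS sort: the 7.5 on the exploited, internet-facing production host lands in the critical tier ahead of the 9.8 on the internal database, and the 9.8 on the decommissioned FTP host drops to the bottom with a note to confirm it is really offline.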

Q9. Which vulnerability scan result most likely needs manual validation before reporting as exploitable?

Explanation: Findings derived from unauthenticated banner or version grabs are inferred, not confirmed: the banner may be stale, deliberately altered, or report a version that carries backported fixes. Validate such results (credentialed scan, manual check of the installed package, or safe exploit verification) before reporting them as exploitable.

Q10. What should be included in a remediation ticket for a vulnerable server?

Explanation: An actionable remediation ticket states what to fix (affected host, finding, CVE or plugin ID, and the specific patch or configuration change), why it matters (severity and business risk), who owns it, when it is due under the SLA, and how closure will be verified (for example a validation scan).

Q11. Which vulnerability management metric tracks how long findings remain unresolved?

Explanation: Mean time to remediate (MTTR) measures the average elapsed time from detection of a finding to its verified closure. Tracking it per severity tier and against remediation SLAs shows whether the program is keeping up; a rising MTTR or a growing backlog of open findings points to a process problem rather than a scanner problem.
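How MTTR and the related aging and SLA-breach metrics are computed from Q7 and Q11, as an added Python example that is not part of the exam material. The closure date used is the date a validation scan stopped reporting the finding, not the date the ticket was marked done, so unverified fixes stay open. The SLA table, the finding IDs and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    detected: date                          # first reported by the scanner
    verified_closed: Optional[date] = None  # validation scan no longer reports it


# Constructed SLA (assumption): maximum days a finding may remain open, by severity
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def days_open(f: Finding, as_of: date) -> int:
    """Days from detection to verified closure, or to the report date if still open."""
    end = f.verified_closed or as_of
    return (end - f.detected).days


def mean_time_to_remediate(findings: List[Finding],
                           severity: Optional[str] = None) -> Optional[float]:
    """Average days from detection to verified closure, optionally for one severity.
    Open findings are excluded here; they are reported by open_aging() instead."""
    closed = [f for f in findings
              if f.verified_closed is not None
              and (severity is None or f.severity == severity)]
    if not closed:
        return None
    return float(mean((f.verified_closed - f.detected).days for f in closed))


def open_aging(findings: List[Finding], as_of: date) -> Dict[str, int]:
    """Days each still-open finding has been unresolved as of the report date."""
    return {f.finding_id: days_open(f, as_of)
            for f in findings if f.verified_closed is None}


def sla_breaches(findings: List[Finding], as_of: date) -> List[str]:
    """Findings that exceeded their severity's SLA, whether closed late or still open."""
    return [f.finding_id for f in findings
            if days_open(f, as_of) > SLA_DAYS[f.severity]]


# Constructed sample data; the report is run as of 15 April 2024
AS_OF = date(2024, 4, 15)
FINDINGS: List[Finding] = [
    Finding("F-1", "critical", date(2024, 3, 1), date(2024, 3, 8)),   # 7 days, within SLA
    Finding("F-2", "high", date(2024, 3, 1), date(2024, 3, 25)),      # 24 days, within SLA
    Finding("F-3", "high", date(2024, 3, 10), date(2024, 4, 11)),     # 32 days, over the 30-day SLA
    Finding("F-4", "medium", date(2024, 2, 15)),                      # still open, 60 days and counting
]

if __name__ == "__main__":
    print("MTTR (all closed):", mean_time_to_remediate(FINDINGS))
    for sev in ("critical", "high", "medium"):
        print(f"MTTR ({sev}):", mean_time_to_remediate(FINDINGS, sev))
    print("Open findings aging:", open_aging(FINDINGS, AS_OF))
    print("SLA breaches:", sla_breaches(FINDINGS, AS_OF))
```

Keeping open findings out of MTTR is deliberate: a backlog of never-fixed items would otherwise be invisible in the average, which is why the aging and breach lists are reported alongside it.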
