CySA+ (v3)

Vulnerability Management

Covering vulnerability scanning strategy, assessment output analysis, prioritization, mitigation controls, and response workflows.

30% Exam Weight

Exam focus areas

Objective summary: Covering vulnerability scanning strategy, assessment output analysis, prioritization, mitigation controls, and response workflows.
Vulnerability scanning: Implementing asset discovery, internal vs. external scanning, agent vs. agentless, credentialed vs. non-credentialed, passive vs. active, static vs. dynamic, and critical infrastructure scanning.
Assessment tool output: Analyzing network scanning, web application scanners, vulnerability scanners, debuggers, multipurpose tools, and cloud infrastructure assessments.
Vulnerability prioritization: Interpreting CVSS, validating findings, assessing exploitability, and considering asset value and zero-day vulnerabilities.
Mitigation controls: Recommending controls for XSS, overflow vulnerabilities, and data poisoning.
Vulnerability response: Explaining compensating controls, patching, configuration management, maintenance windows, exceptions, governance, SLOs, secure SDLC, and threat modeling.

Domain deep dive

Expanded domain guidance for scanning strategy, analysis quality, risk-based prioritization, and remediation governance.

CS0-003 Coverage Checklist (2.1-2.5)

Direct objective coverage from the CompTIA CS0-003 vulnerability management domain.

2.1 Scanning methods and concepts: asset discovery (map scans, device fingerprinting), special considerations (scheduling, operations, performance, sensitivity, segmentation, regulatory requirements), internal vs. external, agent vs. agentless, credentialed vs. non-credentialed, passive vs. active, static vs. dynamic including reverse engineering and fuzzing, critical infrastructure (OT, ICS, SCADA), security baseline scanning, and industry frameworks (PCI DSS, CIS benchmarks, OWASP, ISO 27000 series).
2.2 Tool output analysis: network mapping (Angry IP Scanner, Maltego), web scanners (Burp Suite, ZAP, Arachni, Nikto), vulnerability scanners (Nessus, OpenVAS), debuggers (Immunity Debugger, GDB), multipurpose tools (Nmap, Metasploit, Recon-ng), and cloud infrastructure assessment (Scout Suite, Prowler, Pacu).
2.3 Prioritization: CVSS interpretation (attack vectors, complexity, privileges, user interaction, scope, confidentiality/integrity/availability impact), validation (true/false positives and negatives), context (internal/external/isolated), exploitability/weaponization, asset value, and zero-day handling.
2.4 Mitigation controls: cross-site scripting (reflected/persistent), overflow vulnerabilities (buffer/integer/heap/stack), data poisoning, broken access control, cryptographic failures, injection flaws, CSRF, directory traversal, insecure design, security misconfiguration, end-of-life components, identification/authentication failures, SSRF, RCE, privilege escalation, and LFI/RFI.
2.5 Response and management: compensating controls, control types (managerial/operational/technical, preventative/detective/responsive/corrective), patching/configuration management (testing, implementation, rollback, validation), maintenance windows, exceptions, risk treatment (accept/transfer/avoid/mitigate), policy/governance/SLO alignment, prioritization/escalation, attack surface management, secure coding practices, secure SDLC, and threat modeling.

2.1 Vulnerability Scanning

Configure and execute scans with scope, quality, and operational impact in mind.

Scanning Methods

Credentialed versus non-credentialed scanning trade-offs for depth and accuracy.
Agent-based versus agentless deployment and coverage trade-offs.
Active versus passive discovery across network, host, and application layers.
Internal and external scan perspectives across perimeter and internal zones.

Scan Configuration

Use policy templates for compliance, full audit, and discovery workflows.
Align schedules with maintenance windows and business availability constraints.
Manage scope with asset groups, exclusions, and credential rotation.
Keep plugins and signatures current to reduce stale findings.

2.2 Assessment Output Analysis

Interpret findings accurately and validate true risk and exploitability.

Use CVSS base, temporal, and environmental metrics appropriately.
Correlate CVE and vendor advisories with affected asset context.
Map weakness classes through CWE to guide remediation patterns.
Identify and triage false positives and false negatives through validation.
Track trend quality through scan-over-scan regression and SLA performance.

2.3 Vulnerability Prioritization

Rank findings by business and threat context, not severity alone.

Factor	Considerations
Asset Criticality	Business impact, data classification, regulatory scope, and dependency mapping.
Exploitability	Known exploit activity, EPSS and maturity signals, and public proof of concept availability.
Exposure	Internet exposure, segmentation boundaries, and compensating controls.
Threat Context	Active campaigns, sector targeting, and intelligence relevance.
Remediation Complexity	Patch availability, downtime constraints, testing dependencies, and change lead time.

2.4 Mitigation Controls

Select remediation, hardening, or compensating actions based on risk and feasibility.

Patch and firmware update workflows with pre-test and rollback strategy.
Configuration hardening using security baselines and benchmark guidance.
Compensating controls such as WAF, virtual patching, segmentation, and access restrictions.
Risk acceptance through documented, time-bounded exceptions and approvals.
Protective controls such as IPS signatures and endpoint prevention rules.

2.5 Vulnerability Response and Validation

Track remediation from assignment to verified closure and reporting.

Use workflow automation for ticketing, ownership, SLA tracking, and escalation.
Rescan and validate closure criteria to prevent false closure outcomes.
Maintain exception governance and recurring review for risk acceptance.
Report consistently for executive, operational, and compliance audiences.
Integrate with change management and maintenance window controls.

Key concepts

CVSS base, temporal, and environmental scoring
EPSS and exploit context
CVE, CWE, and NVD usage
Credentialed versus non-credentialed scans
Compensating controls and virtual patching
Exception and risk acceptance governance

Study tips

Practice manual CVSS scoring using realistic vulnerabilities.
Compare output and workflow differences across major scanner tools.
Triaging large scan reports into actionable remediation waves.
Map remediation tasks to change management lifecycle controls.