
Vulnerability Management and Scanning Explained for Security+

Finding vulnerabilities is not enough. Organizations that scan their environment and produce a report, then file it away, are no more secure than before they scanned. Vulnerability management is the continuous process of identifying weaknesses, prioritizing them based on real risk, and actually fixing them before attackers exploit them. Security+ SY0-701 tests the difference between vulnerability scanning and penetration testing, the CVSS scoring system and what its numbers mean, and how to prioritize what gets fixed first. These questions appear in scenario format and test whether you know the correct next step given specific findings.


Vulnerability scanning

A vulnerability scanner probes systems to identify known weaknesses: unpatched software, misconfigured services, default credentials, unnecessary open ports. It checks findings against a database of known vulnerabilities and reports them with severity ratings. Critically, a scanner does not exploit the vulnerabilities it finds. It identifies potential exposure, not confirmed exploitability.

Credentialed scans log into target systems with valid credentials and see what an authenticated user sees: installed software versions, service configurations, patch levels, user accounts. They find far more issues than unauthenticated scans. Non-credentialed scans see only what an external attacker without credentials would see: open ports, banner information, detectable services. They are faster and require less access but miss most internal vulnerabilities.

Active scanning sends probes directly to targets and can be detected. Passive scanning observes existing network traffic without sending probes, creating no detection risk but missing vulnerabilities not visible in traffic. Common scanning tools include Nessus, Qualys, Rapid7 InsightVM, and the open-source OpenVAS.

CVSS scoring and prioritization

CVSS (Common Vulnerability Scoring System) provides a standardized 0-10 scale for rating vulnerability severity. The score ranges: 0 is None, 0.1 to 3.9 is Low, 4.0 to 6.9 is Medium, 7.0 to 8.9 is High, and 9.0 to 10.0 is Critical. CVE-2021-44228 (Log4Shell) scored 10.0 because it was remotely exploitable, required no authentication and no user interaction, and had full impact on confidentiality, integrity, and availability.

CVSS base score factors include Attack Vector (Network is worse than Local), Attack Complexity (Low is worse than High), Privileges Required, User Interaction, and the Confidentiality, Integrity, and Availability impact ratings. A vulnerability exploitable over the network with no authentication and full system impact will always score higher than a local privilege escalation requiring an existing user account.

CVSS scores alone are insufficient for prioritization. A Critical-rated vulnerability on an isolated test server is less urgent than a High-rated one on your internet-facing payment processing system. Real prioritization adds asset criticality, network exposure, presence of a known public exploit, and whether compensating controls already reduce the risk.

How to choose the correct answer

Vulnerability scan vs penetration test: scan = automated, non-exploiting, identifies potential weaknesses, run frequently. Pen test = human tester actively exploits vulnerabilities, demonstrates actual impact, run periodically. Knowing that a vulnerability exists is different from proving it is exploitable and knowing what an attacker could do with it.

Credentialed vs non-credentialed: credentialed finds more internal weaknesses, shows what a compromised insider could see. Non-credentialed shows external attacker view. For a comprehensive assessment, both are used.

CVE: the unique identifier for a specific known vulnerability. NVD: the database (National Vulnerability Database) that hosts CVE details including CVSS scores. They are different things.

Remediation prioritization: Critical CVSS + internet-facing + known exploit = highest priority. Low CVSS + isolated internal system + no exploit available = can wait.
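The risk-based prioritization described above (CVSS plus asset criticality, exposure, exploit availability, and compensating controls) as an added example, not code from the original article. The multipliers and the 1-5 asset criticality scale are this example's assumptions, and the findings, hostnames and CVE ids are constructed placeholders; the point is that the High finding on the internet-facing payment gateway lands above the Critical finding on the isolated test server.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float                 # CVSS base score, 0-10
    asset_criticality: int      # 1 = lab/test box ... 5 = revenue-critical (assumed scale)
    internet_facing: bool
    known_exploit: bool         # a public exploit exists
    compensating_control: bool  # e.g. segmentation or a WAF rule already blocks the vector

def priority_score(f: Finding) -> float:
    """Risk-based priority: higher means fix sooner.
    The multipliers are this example's assumptions, not a standard."""
    score = f.cvss * f.asset_criticality  # severity scaled by what the asset is worth
    if f.internet_facing:
        score *= 1.5                      # reachable by anyone, not just insiders
    if f.known_exploit:
        score *= 1.5                      # attackers need not develop anything
    if f.compensating_control:
        score *= 0.5                      # exposure already reduced, not removed
    return score

def prioritize(findings):
    """Return findings ordered highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)

# Constructed scan results (hostnames and CVE ids are placeholders, not real findings)
FINDINGS = [
    Finding("test-db-01", "CVE-0000-0001", 9.8, 1, False, False, False),  # Critical, isolated lab
    Finding("pay-gw-01", "CVE-0000-0002", 8.1, 5, True, True, False),     # High, internet-facing payments
    Finding("hr-web-01", "CVE-0000-0003", 9.8, 4, True, False, True),     # Critical, but WAF rule in place
    Finding("file-srv-02", "CVE-0000-0004", 5.3, 3, False, False, False), # Medium, internal only
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{priority_score(f):6.2f}  {f.host:12} CVSS {f.cvss}  {f.cve}")
```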

Vulnerability scan vs penetration test

Attribute                 | Vulnerability Scan                                 | Penetration Test
Method                    | Automated tool                                     | Human tester with tools
Exploits vulnerabilities? | No -- identifies only                              | Yes -- actively exploits
Output                    | List of potential vulnerabilities with CVSS scores | Proof of access, demonstrated business impact
Frequency                 | Frequent (weekly or monthly)                       | Periodic (quarterly or annual)
Skill required            | Low (tool-driven)                                  | High (attacker mindset required)

Key exam facts — Security+ / CISSP

  • Vulnerability scan: automated, non-exploiting, identifies potential weaknesses.
  • Penetration test: human tester, actively exploits, demonstrates real-world impact.
  • CVSS scale: 0-10. Critical = 9.0-10.0. High = 7.0-8.9. Medium = 4.0-6.9. Low = 0.1-3.9.
  • CVE: unique vulnerability identifier. NVD: database hosting CVE details and CVSS scores.
  • Credentialed scan: more findings, internal view. Non-credentialed: external attacker view.
  • Prioritize by CVSS score + asset criticality + exploitability + existing controls.

Common exam traps

A vulnerability scan proves a vulnerability is exploitable.

A vulnerability scan identifies potential weaknesses based on version information, configuration, and open ports. It does not attempt exploitation and cannot confirm exploitability. A penetration test confirms exploitability by actually attempting it.

A Critical CVSS score means the vulnerability must be patched immediately over all others.

CVSS is one input into prioritization. A Critical vulnerability on an isolated, non-critical system may be less urgent than a Medium vulnerability on an internet-facing system processing financial transactions. Asset criticality, exploitability, and business impact all factor into actual remediation priority.

Penetration testing replaces vulnerability scanning.

They serve different purposes and are used together. Vulnerability scanning is frequent, automated, and broad in coverage. Penetration testing is periodic, human-driven, and favors depth over breadth. A mature security program uses both: scanning for continuous coverage, pen testing for validated real-world risk assessment.
