This chapter covers the vulnerability management workflow, a core process for identifying, classifying, prioritizing, and remediating vulnerabilities in an organization. For the CS0-003 exam, understanding this workflow is critical as it appears in roughly 10-15% of questions across the Vulnerability Management domain (Objective 2.2). You will learn the structured steps—from asset discovery to remediation and verification—and how to apply them in real-world scenarios. Mastering this workflow ensures you can answer scenario-based questions about prioritization, false positives, and remediation strategies.
A vulnerability management workflow is like a hospital's process for handling patient health issues. The hospital first identifies patients through routine check-ups or emergency visits (discovery and asset inventory). Then, for each patient, doctors run tests (vulnerability scanning) to find potential health problems (vulnerabilities). Each finding is documented in a patient record with severity (e.g., critical, high, medium, low) based on how dangerous the condition is (CVSS scoring). Next, a triage nurse reviews all findings and prioritizes: a heart attack (critical vulnerability) is treated immediately, while a mild allergy (low severity) may be scheduled for later (prioritization). The doctor then prescribes treatment (remediation) such as surgery (patching), medication (configuration change), or lifestyle advice (compensating control). After treatment, follow-up tests (rescanning) confirm the issue is resolved. The hospital also tracks recurring issues (common vulnerabilities) and updates its standard procedures (security policies). Just as a hospital cannot treat every symptom instantly, an organization must prioritize vulnerabilities based on risk, exploitability, and business impact. The workflow ensures that resources are allocated efficiently to protect the most critical assets first.
What is the Vulnerability Management Workflow?
The vulnerability management workflow is a systematic, continuous process that organizations use to identify, classify, prioritize, and remediate security weaknesses in their IT infrastructure. It is not a one-time activity but a cyclical process that integrates with change management, incident response, and compliance. The goal is to reduce the attack surface by addressing vulnerabilities before they can be exploited.
Why It Exists
Organizations face thousands of potential vulnerabilities across networks, endpoints, cloud services, and applications. Without a structured workflow, teams would be overwhelmed, leading to missed critical patches or wasted effort on low-risk issues. The workflow provides a repeatable method to:
Ensure consistent coverage across all assets
Allocate resources effectively based on risk
Meet regulatory requirements (e.g., PCI DSS, HIPAA, NIST)
Track remediation progress and demonstrate due diligence
The Workflow Steps
The CompTIA CySA+ CS0-003 exam defines the vulnerability management workflow in six key stages:
Discovery and Asset Inventory – Identify all assets (hardware, software, cloud instances) and their configurations. This includes network scans, agent-based discovery, and integration with CMDB (Configuration Management Database). Without complete asset inventory, blind spots exist.
Vulnerability Scanning – Use automated tools (e.g., Nessus, Qualys, OpenVAS) to scan assets for known vulnerabilities. Scans can be authenticated (using credentials for deeper checks) or unauthenticated (external perspective). Frequency varies: critical systems may be scanned weekly, while low-risk systems monthly.
Analysis and Classification – Each vulnerability is analyzed for its characteristics: CVE ID, CVSS score, affected software version, and potential impact. False positives are identified and filtered out. Vulnerabilities are classified by type (e.g., missing patches, misconfigurations, weak encryption).
Prioritization – Not all vulnerabilities are equal. Prioritization considers:
CVSS base score (0-10) – Severity rating
Threat intelligence – Is there active exploitation? (e.g., CISA KEV catalog)
Asset criticality – Is the asset a domain controller, database server, or public-facing web app?
Compensating controls – Is there a firewall or WAF mitigating the risk?
Business impact – Would exploitation cause downtime, data breach, or compliance violation?
The exam emphasizes that CVSS alone is insufficient; context is key. For example, a CVSS 9.0 vulnerability on an isolated internal printer may be lower priority than a CVSS 7.0 vulnerability on an internet-facing web server with active exploits.
Remediation – Actions to fix vulnerabilities:
Patch: Apply vendor-supplied update
Configuration change: Harden settings (e.g., disable unnecessary services)
Compensating control: Implement firewall rule, IDS/IPS, or WAF
Acceptance: Document and accept the risk (formal risk acceptance)
Elimination: Remove the vulnerable component (e.g., uninstall software)
Remediation is often tracked through tickets in a service management system (e.g., ServiceNow). SLAs are defined: critical vulnerabilities patched within 48 hours, high within 7 days, etc.
Verification and Reporting – After remediation, rescan to confirm the vulnerability is resolved. Generate reports for stakeholders (management, auditors) showing metrics like mean time to remediate (MTTR), patch compliance percentage, and vulnerability trends.
Key Components and Defaults
CVSS v3.1: The standard for vulnerability severity. Base Score ranges: 0.0-3.9 (Low), 4.0-6.9 (Medium), 7.0-8.9 (High), 9.0-10.0 (Critical). The exam may ask for these ranges.
CVE: Common Vulnerabilities and Exposures – unique identifier for each vulnerability (e.g., CVE-2023-44487).
CISA KEV: Known Exploited Vulnerabilities catalog – vulnerabilities with active exploitation. These must be prioritized.
Asset Criticality: Often classified as Critical, High, Medium, Low based on data sensitivity and business function.
Scan Frequency: NIST recommends monthly scanning for all systems, weekly for critical systems. PCI DSS requires quarterly external and internal scans.
False Positives: Common in vulnerability scans, especially for web applications (e.g., missing headers that are actually present). Analysts must verify and suppress false positives.
Configuration and Verification Commands
While the exam does not require specific tool commands, understanding the process is key. Example using Nessus (command line):
# Start a scan policy
nessuscli scan new --policy "Basic Network Scan" --target 192.168.1.0/24
# Export results
nessuscli scan export <scan_id> --format csv
For verification after patching:
# Use nmap to check if a port is still open
nmap -p 445 --script smb-vuln-ms17-010 <target_ip>
# Use OpenVAS to rescan a specific host
greenbone-nvt-sync
gvm-cli --gmp-username admin --gmp-password pass socket --xml "<create_task>..."
Interaction with Related Technologies
SIEM: Vulnerability scan results are fed into SIEM (e.g., Splunk, ArcSight) for correlation with logs and threat intelligence.
Patch Management: Vulnerability management triggers patching via tools like SCCM, WSUS, or Ansible.
Configuration Management: CMDB ensures accurate asset inventory; vulnerabilities are mapped to specific configuration items.
Threat Intelligence: Feeds from CISA, vendor bulletins, or commercial sources (Recorded Future) to adjust prioritization.
GRC (Governance, Risk, and Compliance): Reports from vulnerability management are used for compliance audits (e.g., PCI DSS Requirement 11).
Continuous Improvement
The workflow is not static. Metrics like scan coverage, false positive rate, and mean time to remediate are tracked to improve the process. Regular reviews of the prioritization criteria and scanning configurations ensure the program remains effective against evolving threats.
Asset Discovery and Inventory
The first step involves identifying all assets within the organization's network, including servers, workstations, network devices, cloud instances, and IoT devices. This is typically done through network scanning (e.g., using Nmap or automated discovery tools), agent-based inventory, or integration with CMDB. The goal is to create a complete and up-to-date asset list because any asset not inventoried is invisible to vulnerability scanning. The exam emphasizes that missing assets lead to blind spots. For example, an unmanaged shadow IT device could be a critical vulnerability. The inventory should include IP addresses, hostnames, operating systems, installed software, and assigned criticality tiers.
Vulnerability Scanning
Once assets are known, vulnerability scanners (e.g., Nessus, Qualys, OpenVAS) are used to probe them for known vulnerabilities. Scans can be authenticated (using credentials to log in and check for missing patches and misconfigurations) or unauthenticated (external perspective, less accurate). The scan schedule varies: critical systems may be scanned daily or weekly, while others monthly. The exam highlights that authenticated scans provide deeper visibility—e.g., they can detect missing patches that unauthenticated scans cannot. Scans generate a list of findings, each with a CVE ID, CVSS score, and description. False positives are common and must be filtered in the next step.
Analysis and Classification
In this step, each vulnerability finding is analyzed to determine its validity and characteristics. Analysts review the output to remove false positives (e.g., a scanner reporting a missing patch that is actually applied) and duplicates. Each valid vulnerability is classified by type: missing patch, misconfiguration, weak encryption, default credentials, etc. The CVSS score is noted, but additional context is gathered: Is the vulnerability exploitable remotely? Does it require authentication? Is there a known exploit? This analysis feeds into the prioritization step. The exam emphasizes that false positives waste time, so analysts must verify findings, often by cross-referencing with vendor advisories or manual checks.
Prioritization
Not all vulnerabilities can be fixed immediately; prioritization determines the order of remediation. The exam stresses that prioritization must consider multiple factors beyond CVSS: asset criticality (e.g., domain controller vs. test server), threat intelligence (e.g., active exploitation in the wild), compensating controls (e.g., a firewall blocking the vulnerable port), and business impact. A common prioritization model is to combine CVSS with asset criticality and exploitability. For example, a critical vulnerability (CVSS 9.0) on an internet-facing web server with active exploits would be top priority, while a medium vulnerability (CVSS 5.0) on an internal system with no known exploits might be scheduled later. The output is a prioritized list of remediation actions with SLAs.
Remediation
Remediation involves taking action to fix the vulnerability. Options include applying a patch, changing a configuration (e.g., disabling a service), implementing a compensating control (e.g., adding a firewall rule), or formally accepting the risk. The remediation is typically assigned to the asset owner or system administrator via a ticket. SLAs are enforced: critical vulnerabilities must be remediated within 48 hours, high within 7 days, medium within 30 days, low within 90 days (common industry SLAs). The exam may ask about remediation strategies: patching is preferred, but if a patch is not available, compensating controls can be used temporarily. All remediation actions should be documented for audit purposes.
Verification and Reporting
After remediation, the vulnerability must be rescanned to confirm it is no longer present. Verification ensures the fix was applied correctly and did not introduce new issues. If the vulnerability persists, the remediation is considered incomplete and may need further action. Reporting involves generating summaries for different stakeholders: technical teams get detailed lists of remaining vulnerabilities, while management receives high-level metrics like percentage of assets scanned, mean time to remediate (MTTR), and compliance status. Reports are also used for audit evidence (e.g., PCI DSS compliance). The exam highlights that verification is a critical step—without it, you cannot be sure the vulnerability is actually fixed.
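The verification step above, with the page's rule that false positives are suppressed only with a documented reason, as an added example (not code from the page or from any scanner vendor): it diffs a baseline export against a rescan export, applies a suppression register, flags persisting findings that are past their SLA, and computes MTTR for the findings that disappeared. The CSV columns, the constructed exports, the placeholder CVE ids and the suppression entry are assumptions.

```python
"""Verification rescan diff with a documented false-positive register.

Added example; not code from the page or from any scanner vendor. The CSV
columns, the constructed baseline/rescan exports and the suppression entry are
assumptions standing in for a real scanner export.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed scanner exports: baseline (before patching) and rescan (after).
BASELINE_CSV = """host,cve,title,severity,first_seen
10.0.0.5,CVE-0000-0001,SMB remote code execution,Critical,2024-03-01T08:00:00Z
10.0.0.5,CVE-0000-0002,Outdated OpenSSL library,High,2024-03-01T08:00:00Z
10.0.0.9,CVE-0000-0003,Missing X-Frame-Options header,Medium,2024-03-01T08:00:00Z
"""
RESCAN_CSV = """host,cve,title,severity,first_seen
10.0.0.5,CVE-0000-0002,Outdated OpenSSL library,High,2024-03-01T08:00:00Z
10.0.0.9,CVE-0000-0003,Missing X-Frame-Options header,Medium,2024-03-01T08:00:00Z
10.0.0.9,CVE-0000-0004,Weak TLS cipher suite offered,Medium,2024-03-09T08:00:00Z
"""
RESCAN_TIME = datetime(2024, 3, 9, 8, 0, tzinfo=timezone.utc)

# Suppression register (constructed). Each entry must carry a justification and
# an approver: false positives are documented and suppressed with a reason,
# never silently ignored.
SUPPRESSIONS = [
    {"host": "10.0.0.9", "cve": "CVE-0000-0003",
     "justification": "Header is added by the load balancer; confirmed with a manual request",
     "approved_by": "appsec-lead"},
]

# Remediation SLAs from the page, used to flag persisting findings that are overdue.
SLA = {"Critical": timedelta(hours=48), "High": timedelta(days=7),
       "Medium": timedelta(days=30), "Low": timedelta(days=90)}


def parse_export(text: str) -> dict:
    """Index an export by (host, cve) so two scans can be compared key by key."""
    return {(r["host"], r["cve"]): r for r in csv.DictReader(io.StringIO(text))}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_suppressions(entries: list) -> set:
    """Reject any suppression that lacks a written reason or an approver."""
    for e in entries:
        if not e.get("justification", "").strip() or not e.get("approved_by"):
            raise ValueError(f"suppression for {e.get('cve')} on {e.get('host')} is undocumented")
    return {(e["host"], e["cve"]) for e in entries}


def verify(baseline_csv: str, rescan_csv: str, suppressions: list, rescan_time: datetime) -> dict:
    """Classify every finding after the rescan and compute MTTR for the fixed ones."""
    base, rescan = parse_export(baseline_csv), parse_export(rescan_csv)
    suppressed = validate_suppressions(suppressions)
    remediated = sorted(k for k in base if k not in rescan)
    false_positive = sorted(k for k in rescan if k in suppressed)
    persisting = sorted(k for k in base if k in rescan and k not in suppressed)
    new = sorted(k for k in rescan if k not in base and k not in suppressed)
    # A persisting finding older than its SLA clock is a breach to escalate.
    overdue = [k for k in persisting
               if rescan_time - parse_ts(rescan[k]["first_seen"]) > SLA[rescan[k]["severity"]]]
    ages = [(rescan_time - parse_ts(base[k]["first_seen"])).total_seconds() / 3600 for k in remediated]
    mttr_hours = round(sum(ages) / len(ages), 1) if ages else None
    return {"remediated": remediated, "persisting": persisting, "new": new,
            "false_positive": false_positive, "overdue": overdue, "mttr_hours": mttr_hours}


if __name__ == "__main__":
    for section, value in verify(BASELINE_CSV, RESCAN_CSV, SUPPRESSIONS, RESCAN_TIME).items():
        print(f"{section}: {value}")
```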
Enterprise Scenario 1: Financial Institution PCI DSS Compliance
A large bank must comply with PCI DSS Requirement 11, which mandates quarterly external and internal vulnerability scans and continuous scanning for critical systems. The vulnerability management team uses Qualys to scan over 10,000 assets, including cardholder data environments (CDE). The workflow begins with asset discovery: the team maintains a CMDB that tracks every server, POS terminal, and network device. Scans are authenticated for CDE systems to ensure deep coverage. After scanning, analysts review findings, filtering out false positives (e.g., a scanner reporting a missing patch that is actually applied via a different update). Prioritization is driven by PCI DSS: any vulnerability with a CVSS score of 4.0 or higher in the CDE must be remediated within 30 days. However, the team also uses threat intelligence from CISA KEV to escalate critical vulnerabilities with active exploits. Remediation is tracked via ServiceNow tickets, with SLAs: critical within 48 hours, high within 7 days. After patching, a rescan is automatically triggered. Reports are generated for the compliance officer to present to auditors. A common issue is scan window contention: scans during business hours can impact performance, so they are scheduled during maintenance windows. Misconfiguration of scan credentials can lead to many false positives, wasting analyst time.
Enterprise Scenario 2: Healthcare Organization with Legacy Systems
A hospital network runs a mix of modern and legacy medical devices (e.g., MRI machines running Windows XP). The vulnerability management team uses Tenable Nessus for scanning. The workflow faces unique challenges: legacy devices cannot be patched due to vendor restrictions or FDA approval. The workflow must include a risk acceptance process for such devices. Asset discovery is critical: the team uses passive network monitoring to detect devices that may not be in the CMDB. Scanning is carefully scheduled to avoid disrupting patient care. After analysis, vulnerabilities on legacy devices are often accepted with compensating controls (e.g., network segmentation, strict firewall rules). Prioritization heavily weights asset criticality: a vulnerability on a patient monitoring system is higher priority than on an administrative workstation. The exam may test the concept of compensating controls and risk acceptance in such scenarios. Remediation involves not only patching but also configuration changes (e.g., disabling unnecessary services). Verification rescans must be carefully timed to avoid interfering with device operation. Reports are tailored for clinicians and IT staff, focusing on risk reduction rather than technical details.
Scenario 3: Cloud-First SaaS Provider
A SaaS company runs its infrastructure on AWS and Azure, using containerized microservices. Vulnerability management must cover cloud instances, containers, and serverless functions. The team uses AWS Inspector and Azure Defender for scanning. Asset discovery is dynamic: new instances are auto-discovered via cloud APIs. Scanning is continuous and integrated into CI/CD pipelines. After scanning, findings are classified and prioritized using a combination of CVSS and contextual factors like internet exposure and data sensitivity. Remediation is automated where possible: vulnerable container images are blocked from deployment, and patches are applied via infrastructure-as-code (e.g., Terraform). For critical vulnerabilities, the pipeline is halted until the issue is fixed. Verification is automated: after a fix, a new scan is triggered. The exam may test cloud-specific considerations: shared responsibility model (the customer is responsible for patching OS and application, while the cloud provider patches the hypervisor). Common misconfigurations include open S3 buckets or overly permissive IAM roles, which are detected by cloud scanners. The workflow must integrate with cloud security posture management (CSPM) tools.
What CS0-003 Tests on This Topic
The CS0-003 exam covers the vulnerability management workflow under Objective 2.2: "Given a scenario, analyze vulnerabilities and recommend remediation actions." Expect scenario-based questions that ask you to prioritize vulnerabilities, identify the next step in the workflow, or choose appropriate remediation. The exam focuses on the practical application of the workflow, not theoretical definitions. Key objective codes include 2.2.1 (Vulnerability scanning), 2.2.2 (Asset discovery), 2.2.3 (Prioritization), and 2.2.4 (Remediation and mitigation).
Common Wrong Answers and Why Candidates Choose Them
Choosing CVSS score alone for prioritization: Many candidates pick the highest CVSS score as the top priority. The exam tests that context matters—a CVSS 9.0 on an isolated internal system may be lower priority than a CVSS 7.0 on an internet-facing server with active exploits. Always consider asset criticality, threat intelligence, and compensating controls.
Skipping verification after remediation: A common trap is to assume that once a patch is applied, the vulnerability is gone. The exam requires you to verify by rescanning. Without verification, you cannot confirm the fix was successful or that the patch didn't break something else.
Treating all false positives equally: Some candidates think all false positives should be ignored. The exam tests that false positives must be documented and suppressed with justification, not just ignored. They may reappear if the scanner configuration changes.
Ignoring asset discovery: A question may present a scenario where a vulnerability is found on an unknown asset. Candidates might jump to remediation, but the correct first step is to identify the asset and add it to the inventory.
Specific Numbers and Terms That Appear on the Exam
CVSS v3.1 ranges: Low (0.0-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0)
Common SLAs: Critical 48 hours, High 7 days, Medium 30 days, Low 90 days
Scan frequency: PCI DSS requires quarterly external and internal scans; NIST recommends monthly for all systems, weekly for critical.
CISA KEV catalog: Known Exploited Vulnerabilities – must be prioritized.
Remediation options: Patch, configuration change, compensating control, acceptance, elimination.
Edge Cases and Exceptions
Zero-day vulnerabilities: No patch available. The exam may ask for compensating controls (e.g., WAF rules, network segmentation) as the best response.
False positive in web app scanning: A scanner reports a missing security header, but the header is added by a load balancer. The correct action is to verify and, if confirmed false, suppress the finding with a note.
Legacy systems: Cannot be patched. The exam tests risk acceptance with formal documentation and compensating controls.
Cloud shared responsibility: The customer is responsible for patching the OS and application; the cloud provider patches the hypervisor. The exam may ask who is responsible for a specific vulnerability.
How to Eliminate Wrong Answers
Read the scenario carefully: Identify the asset type, criticality, and any existing controls.
Look for keywords: "internet-facing," "domain controller," "active exploit," "compensating control."
Eliminate answers that skip steps (e.g., remediating without verification).
Eliminate answers that use CVSS alone without context.
Choose the most comprehensive answer that includes multiple factors.
The vulnerability management workflow consists of six steps: asset discovery, scanning, analysis, prioritization, remediation, and verification.
Prioritization must consider CVSS score, asset criticality, threat intelligence, compensating controls, and business impact—not just CVSS.
Authenticated scans are more thorough than unauthenticated scans; the exam expects you to know the difference.
Verification (rescanning) is a critical step after remediation to confirm the vulnerability is fixed.
Common SLAs: Critical vulnerabilities within 48 hours, High within 7 days, Medium within 30 days, Low within 90 days.
CVSS v3.1 ranges: Low (0.0-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).
False positives must be documented and suppressed, not ignored.
For zero-day vulnerabilities with no patch, use compensating controls (e.g., WAF, segmentation).
Asset discovery is the foundation—if an asset is not inventoried, it cannot be scanned or protected.
The workflow is continuous and should be integrated with patch management, SIEM, and GRC processes.
These come up on the exam all the time. Here's how to tell them apart.
Authenticated Vulnerability Scan
Uses credentials (e.g., SSH, Windows domain account) to log into systems
Can detect missing patches, local vulnerabilities, and misconfigurations
Provides more accurate and complete results
Requires secure credential management and may have higher network overhead
Preferred for internal, trusted networks
Unauthenticated Vulnerability Scan
Does not use credentials; scans from an external perspective
Only detects vulnerabilities visible over the network (e.g., open ports, service banners)
May miss many vulnerabilities (e.g., missing patches that require local access)
Lower overhead and easier to deploy
Used for external penetration testing and internet-facing assets
Mistake
All vulnerabilities should be patched immediately regardless of severity.
Correct
Immediate patching is impractical due to resource constraints and potential for disruption. Prioritization based on risk (CVSS, exploitability, asset criticality) is essential. Critical vulnerabilities with active exploits should be patched within hours to days, while low-severity issues may be scheduled for the next maintenance window.
Mistake
A single vulnerability scan is sufficient to ensure security.
Correct
Vulnerability management is a continuous process. New vulnerabilities are discovered daily, and assets change. Regular scanning (e.g., weekly for critical systems) is required to maintain an accurate risk posture. A single scan provides only a point-in-time snapshot.
Mistake
Unauthenticated scans are just as effective as authenticated scans.
Correct
Authenticated scans use credentials to log into systems, allowing deeper checks for missing patches, misconfigurations, and local vulnerabilities. Unauthenticated scans only see what is visible from the network, missing many vulnerabilities. The exam emphasizes that authenticated scans provide more accurate and complete results.
Mistake
Once a vulnerability is remediated, no further action is needed.
Correct
After remediation, verification (rescanning) is required to confirm the fix was applied correctly. Additionally, the vulnerability may reappear if the system is reimaged or if patches are not maintained. Continuous monitoring is necessary.
Mistake
False positives can be ignored without documentation.
Correct
False positives should be documented and suppressed in the scanner with a reason. Ignoring them without documentation can lead to confusion in future scans or audits. Properly managing false positives improves scan accuracy and efficiency.
Vulnerability management is a broader process that includes identifying, classifying, prioritizing, and remediating vulnerabilities. Patch management is a subset that focuses specifically on applying vendor-supplied patches to fix vulnerabilities. Vulnerability management may also involve configuration changes, compensating controls, or risk acceptance. The exam emphasizes that patching is one of several remediation options.
Frequency depends on regulatory requirements and risk appetite. PCI DSS requires quarterly external and internal scans. NIST SP 800-171 recommends monthly scanning for all systems and weekly for critical systems. In practice, many organizations scan critical systems weekly and non-critical systems monthly. The exam may test that continuous scanning is ideal for high-risk environments.
Threat intelligence provides context about which vulnerabilities are actively being exploited in the wild. This information is used to adjust prioritization—vulnerabilities with known exploits are escalated even if their CVSS score is not the highest. The CISA Known Exploited Vulnerabilities (KEV) catalog is a key source. The exam expects you to integrate threat intelligence into the prioritization step.
If a patch is not available or cannot be applied due to vendor restrictions, the organization should implement compensating controls (e.g., network segmentation, strict firewall rules, intrusion prevention) to reduce the risk. If the risk is still acceptable, a formal risk acceptance should be documented and approved by management. The exam tests that patching is not always possible, and compensating controls are a valid alternative.
A false positive is a finding that incorrectly reports a vulnerability that does not actually exist. For example, a scanner may report a missing patch that is actually applied via a different update. False positives should be verified manually or through additional tools. Once confirmed, they should be documented and suppressed in the scanner with a reason, so they do not reappear in future scans. The exam warns against simply ignoring false positives.
Asset discovery ensures that all devices, servers, cloud instances, and applications are identified and included in vulnerability scans. Without complete asset inventory, blind spots exist—vulnerabilities on unknown assets remain unaddressed. The exam emphasizes that asset discovery is the first step and must be continuous, as new assets are added frequently (e.g., cloud auto-scaling, shadow IT).
Prioritization should be based on a combination of factors: severity (CVSS score), asset criticality (e.g., domain controller vs. test server), threat intelligence (active exploits), compensating controls (existing mitigations), and business impact. A common method is to create a risk score that multiplies CVSS by asset criticality and adds a factor for exploitability. The exam stresses that CVSS alone is insufficient.
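The risk-score model described here and in the Prioritization step earlier (CVSS multiplied by asset criticality, plus an exploitability factor, discounted by compensating controls), carried through to the page's SLA clocks, as an added example that is not code from the page or from any vendor. The multipliers, the KEV and exposure bonuses, the field names and the constructed findings with placeholder CVE ids are assumptions.

```python
"""Risk-based prioritization with SLA assignment for scan findings.

Added example, not code from the page or from any scanner vendor. It implements
the model the page describes (CVSS multiplied by asset criticality, plus an
exploitability factor, reduced by compensating controls) and maps the result
to the page's SLAs. The weights, field names and the constructed findings are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Asset criticality tiers from the page; the multipliers are assumed values.
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}
KEV_BONUS = 3.0           # assumed: added when the CVE is in the CISA KEV catalog
EXPOSURE_BONUS = 1.0      # assumed: added when the asset is internet-facing
COMPENSATED_FACTOR = 0.6  # assumed: applied when a firewall/WAF already mitigates
# Remediation SLAs stated on the page
SLA = {"Critical": timedelta(hours=48), "High": timedelta(days=7),
       "Medium": timedelta(days=30), "Low": timedelta(days=90)}


@dataclass
class Finding:
    cve: str
    host: str
    cvss: float
    asset_criticality: str      # critical / high / medium / low
    internet_facing: bool
    in_kev: bool                # listed in CISA KEV (active exploitation)
    compensating_control: bool  # e.g. firewall rule or WAF already in place


def cvss_severity(score: float) -> str:
    """CVSS v3.1 rating bands exactly as the page lists them."""
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Contextual risk: CVSS x criticality + exploitability, discounted by controls."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.in_kev:
        score += KEV_BONUS
    if f.internet_facing:
        score += EXPOSURE_BONUS
    if f.compensating_control:
        score *= COMPENSATED_FACTOR
    return round(score, 2)


def prioritize(findings: list, scanned_at: datetime) -> list:
    """Rank findings by risk and attach the SLA due date for each tier."""
    rows = []
    for f in findings:
        risk = risk_score(f)
        tier = cvss_severity(min(risk, 10.0))  # same bands, applied to the risk score
        rows.append({"cve": f.cve, "host": f.host, "cvss": f.cvss, "risk": risk,
                     "tier": tier, "due": scanned_at + SLA[tier]})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed findings (placeholder CVE ids) mirroring the page's own examples.
SCAN_TIME = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("CVE-0000-0001", "printer-07", 9.0, "low", False, False, False),      # isolated internal printer
    Finding("CVE-0000-0002", "web-01", 7.0, "high", True, True, False),           # internet-facing, in KEV
    Finding("CVE-0000-0003", "dc-01", 9.8, "critical", False, True, True),        # DC behind a firewall rule
    Finding("CVE-0000-0004", "app-test-03", 5.0, "medium", False, False, False),  # internal test system
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE, SCAN_TIME):
        print(f"{r['risk']:5.2f} {r['tier']:8} {r['cve']} on {r['host']} "
              f"(CVSS {r['cvss']}) due {r['due']:%Y-%m-%d %H:%M}")
```

Note that the CVSS 9.0 printer finding ranks below the CVSS 7.0 internet-facing finding with active exploitation, which is the page's point that CVSS alone is insufficient.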