PT0-002 · Chapter 91 of 104 · Objective 4.1

Finding Severity Classification

This chapter covers how penetration testers determine and communicate the severity of identified vulnerabilities, a critical part of the reporting phase. For the PT0-002 exam, this topic falls under Domain 4 (Reporting and Communication), Objective 4.1: 'Given a scenario, produce a report containing findings and remediation recommendations.' Understanding severity classification is essential because exam questions often test your ability to interpret CVSS scores, risk matrices, and business impact. Domain 4 carries 18% of the exam weighting, and severity classification recurs throughout its reporting scenarios.

25 min read
Intermediate
Updated May 31, 2026

Severity Classification as Hospital Triage

In a hospital emergency room, triage nurses quickly assess each patient and assign a severity level (e.g., Red for immediate life threat, Yellow for serious but stable, Green for minor). This classification drives the order of treatment and resource allocation. Similarly, penetration testers classify vulnerabilities by severity to prioritize remediation. The triage nurse uses a standardized protocol (e.g., vital signs, mechanism of injury) — just as testers use CVSS scoring or risk matrices. A patient with chest pain and low oxygen (Red) gets immediate attention, while a patient with a sprained ankle (Green) waits. If the triage nurse misclassifies a Red as Yellow, that patient might deteriorate before being seen. Likewise, misclassifying a critical vulnerability as medium could lead to a breach. The analogy is mechanistic: both systems rely on defined criteria, produce a prioritized list, and have high stakes for accuracy. In both, the classification is not the final diagnosis — it's a tool to ensure the most critical issues are addressed first, with resources allocated proportionally to severity.

How It Actually Works

What Is Severity Classification and Why Does It Exist?

Severity classification is the process of assigning a qualitative or quantitative rating to a security vulnerability based on its potential impact and exploitability. The primary purpose is to help stakeholders prioritize remediation efforts. Without a standardized classification, every finding would appear equally urgent, leading to misallocated resources. The PT0-002 exam expects you to understand common frameworks like CVSS (Common Vulnerability Scoring System), risk matrices, and how business context affects severity.

The Common Vulnerability Scoring System (CVSS)

CVSS is the industry-standard method for rating vulnerability severity. It is maintained and published by FIRST (the Forum of Incident Response and Security Teams); it is not an IETF RFC. This chapter, like the PT0-002 exam, uses CVSS v3.1 (FIRST released CVSS v4.0 in 2023, but the exam references the v3.1 metrics and thresholds described here). The score ranges from 0.0 to 10.0, with qualitative ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), and Critical (9.0–10.0). CVSS is composed of three metric groups:

Base Metrics: Represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments. These include:

- Attack Vector (AV): How the vulnerability can be exploited (Network, Adjacent, Local, Physical).
- Attack Complexity (AC): Conditions beyond the attacker's control (Low, High).
- Privileges Required (PR): Level of privileges needed (None, Low, High).
- User Interaction (UI): Whether another user must participate (None, Required).
- Scope (S): Whether the vulnerability affects resources beyond the vulnerable component (Unchanged, Changed).
- Confidentiality (C), Integrity (I), Availability (A): Impact on each security objective (None, Low, High).

Temporal Metrics: Adjust the score based on factors that change over time, such as exploit code maturity, remediation level, and report confidence. These are optional on the exam but may appear in scenario-based questions.

Environmental Metrics: Customize the score for a specific organization by modifying the base metrics based on asset criticality and security requirements. The exam expects you to know that environmental metrics allow tailoring of severity.

How CVSS Scoring Works Internally

The CVSS v3.1 calculator uses a formula to derive the Base Score. First, the Impact Sub-Score (ISS) is calculated:

ISS = 1 - [(1 - C) * (1 - I) * (1 - A)]

where C, I, A are the impact values (0 for None, 0.22 for Low, 0.56 for High). Then the Impact Score (IS) is:

If Scope is Unchanged: IS = 6.42 * ISS

If Scope is Changed: IS = 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15

Next, the Exploitability Score (ES) is:

ES = 8.22 * AV * AC * PR * UI

where each metric has a numeric value (AV:N = 0.85, AV:A = 0.62, AV:L = 0.55, AV:P = 0.2; AC:L = 0.77, AC:H = 0.44; UI:N = 0.85, UI:R = 0.62). Privileges Required is the one metric whose weight depends on Scope: PR:N = 0.85, PR:L = 0.62 (0.68 if Scope is Changed), PR:H = 0.27 (0.5 if Scope is Changed). Finally, the Base Score is:

If IS <= 0: Base = 0

Otherwise:

- If Scope is Unchanged: Base = Roundup(min(IS + ES, 10))
- If Scope is Changed: Base = Roundup(min(1.08 * (IS + ES), 10))

Roundup is the specification's own rounding function: it rounds up to one decimal place (4.02 becomes 4.1, not 4.0). The exam does not require memorizing the formula, but you should understand how metric changes affect the score (e.g., increasing Attack Complexity from Low to High reduces the score, and with Scope Unchanged the highest reachable Base Score is 9.8).

Risk Matrices and Qualitative Severity

While CVSS provides a quantitative score, many organizations use qualitative risk matrices that combine likelihood and impact. The matrix is typically 5x5 or 3x3, with each cell labeled Low, Medium, High, or Critical. For example:

Likelihood: Rare, Unlikely, Possible, Likely, Almost Certain

Impact: Insignificant, Minor, Moderate, Major, Catastrophic

The intersection gives the risk level. The exam may present a scenario where you must determine the appropriate severity based on given likelihood and impact. Remember that severity classification should consider business context: a vulnerability that exposes sensitive customer data (Major impact) and is straightforward to exploit (Likely) lands in a Critical cell.

Business Context and Stakeholder Communication

Severity classification is not just technical; it must be communicated in terms stakeholders understand. The PT0-002 exam emphasizes that findings should be prioritized based on risk to the organization, not just CVSS score. For example, a Medium CVSS vulnerability affecting a critical asset (e.g., domain controller) may be escalated to High in the report. Conversely, a High CVSS vulnerability in an isolated test environment might be downgraded. The report should include:

Risk Rating: Overall severity (Critical, High, Medium, Low, Informational)

CVSS Score: If calculated

Business Impact: Description of potential damage

Likelihood: Probability of exploitation
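As an added example (not code from the chapter or from any CompTIA material), the Python below applies the 5x5 likelihood-by-impact matrix from the previous section together with the context rules described here: a public exploit raises likelihood one step, a compensating control lowers it one step, and a critical asset raises impact one step. The cell cut-offs (15/10/5), the SLA days (taken from the chapter's illustrative 24h/7d/30d/90d timeline) and the three sample findings are assumptions chosen for this example, not a standard. The point it demonstrates is that every final rating ships with the rationale the report's severity table needs.

```python
"""Qualitative risk rating, remediation SLA and rationale for pentest findings."""
from collections import Counter

LIKELIHOOD = ("Rare", "Unlikely", "Possible", "Likely", "Almost Certain")
IMPACT = ("Insignificant", "Minor", "Moderate", "Major", "Catastrophic")
RATINGS = ("Critical", "High", "Medium", "Low")
# Assumed remediation policy in days; the chapter notes this varies by organization.
SLA_DAYS = {"Critical": 1, "High": 7, "Medium": 30, "Low": 90}


def step(scale, value, delta):
    """Move one step along an ordinal scale, clamped at both ends."""
    i = min(max(scale.index(value) + delta, 0), len(scale) - 1)
    return scale[i]


def matrix_rating(likelihood, impact):
    """Read the 5x5 matrix cell. The cell value is the product of the 1..5 ranks;
    the band cut-offs (15/10/5) are an assumption made here, not a standard."""
    cell = (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)
    if cell >= 15:
        return "Critical"
    if cell >= 10:
        return "High"
    if cell >= 5:
        return "Medium"
    return "Low"


def final_severity(finding):
    """Apply the chapter's context rules to the raw likelihood/impact and return
    (rating, sla_days, rationale) so the report can show how the rating was reached."""
    likelihood, impact = finding["likelihood"], finding["impact"]
    rationale = [f"raw assessment: {likelihood} likelihood, {impact} impact"]
    if finding.get("public_exploit"):          # temporal factor: easier to exploit
        likelihood = step(LIKELIHOOD, likelihood, +1)
        rationale.append("public exploit available: likelihood raised to " + likelihood)
    if finding.get("compensating_control"):    # e.g. WAF virtual patch: harder to exploit
        likelihood = step(LIKELIHOOD, likelihood, -1)
        rationale.append(f"compensating control ({finding['compensating_control']}): "
                         f"likelihood lowered to {likelihood}")
    if finding.get("asset_critical"):          # business context: worse if it lands
        impact = step(IMPACT, impact, +1)
        rationale.append("critical asset: impact raised to " + impact)
    rating = matrix_rating(likelihood, impact)
    rationale.append(f"matrix cell {likelihood} x {impact} -> {rating}")
    return rating, SLA_DAYS[rating], rationale


def prioritize(findings):
    """Rate each finding, order Critical-first, and count the severity distribution."""
    rated = []
    for f in findings:
        rating, sla, why = final_severity(f)
        rated.append({**f, "rating": rating, "sla_days": sla, "rationale": why})
    rated.sort(key=lambda r: (RATINGS.index(r["rating"]), r["title"]))
    return rated, Counter(r["rating"] for r in rated)


# Constructed sample findings that mirror the chapter's three scenarios.
SAMPLE_FINDINGS = [
    {"title": "SQL injection in online banking login", "likelihood": "Likely",
     "impact": "Major", "asset_critical": True},
    {"title": "Unpatched Windows XP on isolated imaging device",
     "likelihood": "Unlikely", "impact": "Moderate"},
    {"title": "Known CMS plugin vulnerability", "likelihood": "Likely",
     "impact": "Moderate", "compensating_control": "WAF virtual patch"},
]

if __name__ == "__main__":
    ranked, summary = prioritize(SAMPLE_FINDINGS)
    for r in ranked:
        print(f"[{r['rating']}] fix within {r['sla_days']} days: {r['title']}")
        for line in r["rationale"]:
            print("    - " + line)
    print("Severity distribution:", dict(summary))
```

Run as a script it prints the SQL injection finding as Critical (1 day), then the two Medium findings (30 days) with the adjustment trail for each, followed by the distribution summary that the chapter recommends for the executive overview. The adjustments are deliberately single steps on an ordinal scale; if an organization wants a WAF to count for more, that belongs in its own documented policy, not hidden in the tester's judgement.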

Common Pitfalls in Severity Classification

Over-reliance on CVSS: CVSS does not account for business context. A vulnerability with CVSS 9.0 may be less critical than a CVSS 6.0 vulnerability that exposes customer PII.

Ignoring Temporal Metrics: A public exploit raises real-world likelihood. In CVSS terms, an unproven exploit (E:U) multiplies the Base Score by 0.91, while a functional public exploit (E:H) keeps the full Base Score. The exam may ask you to adjust severity based on whether a public exploit exists.

Misapplying Scope: Scope Changed indicates the vulnerability can affect components beyond the vulnerable one, increasing the score. Candidates often misinterpret Scope as the same as impact.

Integration with Remediation Recommendations

Severity classification directly drives remediation priorities. Critical findings should have immediate remediation (e.g., within 24 hours), while Low findings may be scheduled. The report should include specific remediation steps per finding, with a timeline based on severity. The exam will test your ability to match remediation urgency to severity.

Tools and Automation

Penetration testers use tools like Nessus, Qualys, or OpenVAS that automatically calculate CVSS scores. However, the tester must validate and adjust scores based on manual analysis. The exam may present a scan result and ask you to reclassify severity after considering additional context.

Summary of Key Values

CVSS v3.1 qualitative ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0)

Temporal metrics: Exploit Code Maturity (U, P, F, H), Remediation Level (O, T, W, U), Report Confidence (U, R, C)

Environmental metrics: Modified Base Metrics, Confidentiality Requirement, Integrity Requirement, Availability Requirement

Risk matrix dimensions: Likelihood (5 levels) and Impact (5 levels) producing 25 combinations

The exam expects you to know these values and how to apply them in scenario questions.

Walk-Through

1. Identify and Document Findings

List all vulnerabilities discovered during testing. For each finding, capture the name, affected asset, CVE identifier (if applicable), and a brief description. This step ensures no finding is overlooked. The tester should also note any evidence (e.g., screenshots, command output) that supports the finding. At this stage, do not assign severity yet; just document the raw findings.

2. Calculate CVSS Base Score

For each finding, determine the CVSS v3.1 Base Metrics. Use the CVSS calculator or manual assignment. Record the Base Score and vector string (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). This provides a standardized starting point. Remember that the Base Score is environment-independent and reflects the intrinsic severity of the vulnerability.

3. Adjust for Temporal Metrics

Temporal metrics refine the Base Score for the current state of the exploit and the fix. Every temporal multiplier is 1.0 or less, so a Temporal Score can never exceed the Base Score: a functional public exploit (E:H, 1.0) keeps the full Base Score, while an unproven one (E:U, 0.91) lowers it; an official fix (RL:O, 0.95) lowers it, and no available fix (RL:U, 1.0) leaves it untouched. This step is optional but important for accurate prioritization, because a finding scored with E:U that later gains a public exploit moves back up to its Base Score. The exam may ask you to recalculate severity based on temporal factors, typically by stating that an exploit has become public.

4. Apply Environmental Context

Customize the score using Environmental Metrics. Consider the criticality of the affected asset (e.g., Confidentiality Requirement: High for a database containing PII). Where the deployment changes how the flaw can be reached, use the Modified Base Metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) rather than editing the Base Score itself; for example, a host reachable only from its own network segment gets MAV:A. If the asset has high availability requirements, set Availability Requirement to High. This step tailors the severity to the organization's environment while leaving the environment-independent Base Score intact.

5. Assign Final Severity and Prioritize

Combine the CVSS score with qualitative risk assessment (likelihood and impact) to assign a final severity rating (Critical, High, Medium, Low, Informational). Document the rationale. Then prioritize remediation: Critical findings first, then High, etc. The report should include a severity matrix or table showing each finding's rating and recommended remediation timeline.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Institution PCI DSS Compliance

A bank undergoes an external penetration test as part of PCI DSS compliance. The tester discovers a SQL injection vulnerability in the online banking application. The CVSS Base Score is 9.8 (Critical) because AV:N, AC:L, PR:N, UI:N, S:U, C:H, I:H, A:H. However, the bank uses a Web Application Firewall (WAF) that partially mitigates the issue; the tester records the WAF as a partial mitigation in the finding but leaves the attack metrics unchanged. The tester adjusts the Environmental Metrics: the Confidentiality Requirement is High (customer financial data), Integrity Requirement is High, Availability Requirement is Medium. The final environmental score remains Critical. The remediation timeline is 24 hours because it's a critical finding affecting a sensitive asset. The report includes a clear risk statement: 'An attacker could extract customer account numbers and balances, leading to fraud and regulatory fines.' This scenario tests the candidate's ability to consider environmental factors and business impact.

Enterprise Scenario 2: Healthcare Provider with Legacy Systems

A hospital engages a penetration tester to assess its network. The tester finds that an outdated medical device runs Windows XP with no patches. The CVSS Base Score for the OS vulnerabilities is 8.0 (High). However, the device is isolated on a separate VLAN with strict firewall rules, so only an attacker already on the adjacent network segment can reach it. The Base Score is never edited for deployment conditions; instead the tester sets the Environmental metric Modified Attack Vector to Adjacent (MAV:A) and, because the device is non-critical for patient care, lowers the Availability Requirement (AR:L). The resulting Environmental score falls into the Medium range, so the final severity is Medium. The remediation recommendation is to upgrade the device or apply virtual patching. This scenario teaches that severity must account for compensating controls and asset criticality, and that these are expressed through Environmental metrics rather than by rewriting the Base Score.

Scenario 3: E-commerce Company with Third-Party Components

An online retailer uses a popular CMS with a known plugin vulnerability (CVE-2024-XXXX). The CVSS score is 7.5 (High). However, the company has already implemented a virtual patch via its WAF. The tester should note the compensating control and reduce the likelihood, thus lowering the overall risk rating to Medium. The report should emphasize that while the vulnerability is technically High, the current mitigation reduces immediate risk. The exam may ask you to adjust severity based on existing controls.

Common Misconfigurations

Ignoring Temporal Metrics: Failing to check for public exploits leads to underestimation.

Overlooking Environmental Metrics: Not adjusting for asset criticality results in skewed priorities.

Misusing Scope: Confusing Scope with impact (e.g., thinking Scope Changed always means higher impact).

Performance Considerations

In large-scale assessments (e.g., 10,000+ findings), automated tools help calculate initial scores, but manual review is essential. Testers should group similar findings and assign severity to the group. The report should include a summary of severity distribution to give stakeholders a quick overview.

How PT0-002 Actually Tests This

What PT0-002 Tests on Severity Classification

Objective 4.1 requires you to 'produce a report containing findings and remediation recommendations.' The exam tests your ability to:

Interpret CVSS v3.1 scores and vector strings.

Adjust severity based on temporal and environmental metrics.

Use qualitative risk matrices.

Prioritize findings based on business impact.

Communicate severity to technical and non-technical stakeholders.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing the CVSS Base Score as the final severity without adjustment: Candidates often forget that the exam expects you to consider business context. In a scenario where a vulnerability affects a critical asset, the correct answer is to escalate the severity.

2. Confusing CVSS v3.0 with v3.1: The differences are minor, but the exam uses v3.1. Some questions may test the qualitative rating thresholds (e.g., 9.0 is Critical, not High).

3. Misinterpreting Scope: When Scope is Changed, the vulnerability can impact resources beyond the vulnerable component. Candidates may think it means the vulnerability itself is changed, leading to incorrect scoring.

4. Overlooking Temporal Metrics: A question may state 'exploit code is publicly available' and ask for the adjusted severity. Many candidates ignore this and stick with the Base Score.

Specific Numbers and Terms That Appear Verbatim

Qualitative ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0)

CVSS vector example: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal metrics: E (Exploit Code Maturity), RL (Remediation Level), RC (Report Confidence)

Environmental metrics: CR (Confidentiality Requirement), IR (Integrity Requirement), AR (Availability Requirement)

Edge Cases and Exceptions

CVSS Score of 0.0: Means no impact on confidentiality, integrity, or availability (C:N/I:N/A:N). The exploitability metrics cannot lift a score above 0.0 when the Impact sub-score is zero, no matter how reachable the component is. The exam may present a finding with no risk (e.g., disclosure of information that is already public).

Score of 10.0: Only possible with Scope Changed and maximum impact. Not all Critical findings are 10.0.

Informational findings: These have no CVSS score but should be included in the report for awareness.

How to Eliminate Wrong Answers

Use the risk matrix: if a question gives likelihood and impact, read the rating from the cell where they intersect. There is no arithmetic shortcut such as averaging likelihood and impact; the organization's matrix defines the mapping, and the exam scenario will give you enough of it to locate the cell.

If the question mentions a compensating control, reduce severity.

If the question mentions asset criticality, adjust severity upward for critical assets.

When in doubt, the more conservative (higher severity) answer is often correct for critical assets.

Exam Tips

Memorize the qualitative rating thresholds (0, 0.1-3.9, etc.).

Know that CVSS v3.1 is the current version.

Practice reading CVSS vectors: the order is AV, AC, PR, UI, S, C, I, A.

Understand that environmental metrics modify the base score, not replace it.

Key Takeaways

CVSS v3.1 qualitative ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).

Base Score is environment-independent; temporal and environmental metrics adjust it.

Temporal metrics include Exploit Code Maturity (E), Remediation Level (RL), Report Confidence (RC).

Environmental metrics include Confidentiality, Integrity, Availability Requirements (CR, IR, AR).

Scope Changed increases the score and means the vulnerability can affect resources beyond the vulnerable component.

Final severity must consider business impact and asset criticality, not just CVSS score.

Risk matrices combine likelihood and impact to produce a qualitative rating.

Remediation timelines should be proportional to severity: Critical (24h), High (7d), Medium (30d), Low (90d) – but vary by policy.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

CVSS v3.1

Quantitative score from 0.0 to 10.0

Standardized across industries

Includes temporal and environmental metrics

Requires calculator or formula

Less flexible for business context

Qualitative Risk Matrix

Qualitative rating (e.g., Low, Medium, High, Critical)

Customizable to organization's risk appetite

Based on likelihood and impact dimensions

Simple to understand for stakeholders

Easily incorporates business context

Watch Out for These

Mistake

CVSS score alone determines severity.

Correct

CVSS is a starting point; final severity must consider business context, asset criticality, and compensating controls.

Mistake

Only a score of 10.0 is Critical.

Correct

Any score from 9.0 to 10.0 is Critical. The rating is determined by the range, not by reaching the maximum; with Scope Unchanged the highest reachable Base Score is 9.8, which is still Critical.

Mistake

Temporal metrics are mandatory.

Correct

Temporal metrics are optional. The Base Score is the default; temporal and environmental adjustments are applied only when relevant.

Mistake

Scope Changed means the vulnerability affects multiple systems.

Correct

Scope Changed means the vulnerable component impacts resources beyond its authorization scope, not just multiple systems.

Mistake

All High severity findings must be remediated within 30 days.

Correct

Remediation timelines depend on organizational policy. The exam may present a scenario where Critical is 24 hours, High is 7 days, etc.


Frequently Asked Questions

What is the difference between CVSS v3.0 and v3.1?

CVSS v3.1 did not add any metrics: the metric set, weights and qualitative ratings are identical to v3.0. The changes were clarifications to metric definitions and Scope guidance, a precisely defined Roundup function so that different calculators stop disagreeing on floating-point edge cases, a corrected Modified Impact formula for Scope Changed in the Environmental score, and the CVSS Extensions Framework. Attack Requirements (AT) is a CVSS v4.0 metric and does not exist in v3.x. A v3.0 vector scores the same under v3.1, so the two are compatible in practice. The PT0-002 exam uses v3.1.

How do I adjust severity for a critical asset?

Use Environmental Metrics: set the Confidentiality Requirement (CR), Integrity Requirement (IR), and Availability Requirement (AR) to High for critical assets. Each High requirement multiplies that impact weight by 1.5, which raises the Environmental score when the Base impact was not already maximal (the Modified Impact sub-score is capped, so a C:H/I:H/A:H finding stays where it was). Alternatively, in a qualitative matrix, assign higher impact. The exam expects you to escalate severity for critical assets.

What is the CVSS vector string order?

The order is: AV (Attack Vector), AC (Attack Complexity), PR (Privileges Required), UI (User Interaction), S (Scope), C (Confidentiality), I (Integrity), A (Availability). For example: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

When should I use temporal metrics?

Use temporal metrics when there is additional information about the vulnerability over time, such as exploit code availability (E), remediation level (RL), or report confidence (RC). For example, if a public exploit exists, set E to High (H). Because every temporal multiplier is 1.0 or less, E:H keeps the full Base Score rather than the reduced score an unproven exploit (E:U, 0.91) would receive; temporal metrics never push a score above the Base Score.

What is the difference between likelihood and impact?

Likelihood is the probability that a vulnerability will be exploited, considering factors like attack vector and complexity. Impact is the potential damage to confidentiality, integrity, or availability. Both are used in risk matrices to determine severity. For example, high likelihood + high impact = Critical.

How do I communicate severity to non-technical stakeholders?

Use business language: describe what could happen (e.g., 'customer data breach,' 'financial loss') and the recommended action. Avoid technical jargon. A risk matrix with colors (red=Critical, yellow=Medium, green=Low) is effective. The report should include an executive summary with prioritized findings.

Can a vulnerability have a CVSS score of 0.0?

Yes. The Base Score is 0.0 whenever the Confidentiality, Integrity and Availability impacts are all None, regardless of how easy the issue is to reach. An example is a disclosure of information that is already public. Such findings are usually classified as Informational and may not require remediation, though they still belong in the report.
