Vulnerability Management

A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)

Which conditions should push a vulnerability higher in the remediation queue? (Choose three.)

A scanner reports a critical issue on a network device. Which steps help validate the finding before closure? (Choose two.)

Which items belong in a vulnerability exception request? (Choose three.)

A web application DAST scan reports stored XSS. Which evidence helps confirm exploitability? (Choose two.)

Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)

A vulnerability appears critical but the vulnerable feature is disabled. What should the analyst document before downgrading? (Choose two.)

A vulnerability manager wants accurate Linux package findings. Which scan conditions are important? (Choose two.)

An emergency patch may break a revenue-critical system. Which actions balance risk and availability? (Choose two.)

Which findings should be included when reporting remediation performance to asset owners? (Choose two.)

A vulnerability scan of a segmented OT network must avoid disrupting fragile devices. Which controls are appropriate? (Choose two.)

Which sources improve asset criticality context for vulnerability prioritization? (Choose two.)

A cloud security posture tool reports public access on object storage. Which follow-up checks matter? (Choose two.)

Which measures help reduce recurring vulnerabilities from unsupported software? (Choose two.)

An application has a high CVSS vulnerability, but a WAF rule blocks known exploit payloads. What should the team still do? (Choose two.)

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For validation, Which action should be taken before closing or downgrading the finding?

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For control selection, Which control best addresses the stated weakness without hiding risk?

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For business prioritization, Which recommendation gives the best risk-based order of work?

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For validation, Which action should be taken before closing or downgrading the finding?

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For control selection, Which control best addresses the stated weakness without hiding risk?

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For business prioritization, Which recommendation gives the best risk-based order of work?

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For validation, Which action should be taken before closing or downgrading the finding?

A team requests a patch exception for a legacy application. What should be required? (Choose two.)

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For business prioritization, Which recommendation gives the best risk-based order of work?

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For control selection, Which control best addresses the stated weakness without hiding risk?

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For business prioritization, Which recommendation gives the best risk-based order of work?

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For validation, Which action should be taken before closing or downgrading the finding?

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For control selection, Which control best addresses the stated weakness without hiding risk?

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For business prioritization, Which recommendation gives the best risk-based order of work?

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For validation, Which action should be taken before closing or downgrading the finding?

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For control selection, Which control best addresses the stated weakness without hiding risk?

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For business prioritization, Which recommendation gives the best risk-based order of work?

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For validation, Which action should be taken before closing or downgrading the finding?

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For business prioritization, Which recommendation gives the best risk-based order of work?

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For validation, Which action should be taken before closing or downgrading the finding?

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For control selection, Which control best addresses the stated weakness without hiding risk?

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For business prioritization, Which recommendation gives the best risk-based order of work?

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For validation, Which action should be taken before closing or downgrading the finding?

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For control selection, Which control best addresses the stated weakness without hiding risk?

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For business prioritization, Which recommendation gives the best risk-based order of work?

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For validation, Which action should be taken before closing or downgrading the finding?

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For control selection, Which control best addresses the stated weakness without hiding risk?

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For business prioritization, Which recommendation gives the best risk-based order of work?

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For validation, Which action should be taken before closing or downgrading the finding?

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For control selection, Which control best addresses the stated weakness without hiding risk?

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For tool configuration, Which scanner or pipeline change most directly improves result quality?

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For business prioritization, Which recommendation gives the best risk-based order of work?

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For validation, Which action should be taken before closing or downgrading the finding?

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For control selection, Which control best addresses the stated weakness without hiding risk?

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For business prioritization, Which recommendation gives the best risk-based order of work?

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For validation, Which action should be taken before closing or downgrading the finding?

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For control selection, Which control best addresses the stated weakness without hiding risk?

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For business prioritization, Which recommendation gives the best risk-based order of work?

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For validation, Which action should be taken before closing or downgrading the finding?

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For control selection, Which control best addresses the stated weakness without hiding risk?

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For business prioritization, Which recommendation gives the best risk-based order of work?

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For validation, Which action should be taken before closing or downgrading the finding?

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For control selection, Which control best addresses the stated weakness without hiding risk?

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For business prioritization, Which recommendation gives the best risk-based order of work?

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For validation, Which action should be taken before closing or downgrading the finding?

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For control selection, Which control best addresses the stated weakness without hiding risk?

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For tool configuration, Which scanner or pipeline change most directly improves result quality?