CCNA Vulnerability Management Questions

75 of 149 questions · Page 1/2 · Vulnerability Management topic

1 · MCQ · easy

A mid-sized e-commerce company uses a multi-cloud environment with AWS and Azure. The vulnerability management team performs monthly authenticated scans using a commercial scanner. During the last scan, a critical remote code execution vulnerability (CVE-2023-XXXX) was identified on an EC2 instance running a legacy application. The application owner states that the instance cannot be patched immediately because the patch would break compatibility with a third-party API. The instance has direct internet access and handles PCI data. The CISO wants to reduce risk to an acceptable level within 48 hours. Which course of action should the analyst recommend?

A. Place the EC2 instance behind a web application firewall (WAF) and restrict inbound access to known IPs using security groups.
B. Decommission the instance and remove the legacy application from service immediately.
C. Apply the vendor-recommended patch after testing in a dev environment within two weeks.
D. Disable TLS 1.0 and enable TLS 1.2 on the instance to reduce the attack surface.
Answer: A

A WAF can mitigate the specific RCE vector, and network restrictions reduce exposure.

Why this answer

Option A is correct because placing the EC2 instance behind a WAF and restricting inbound access to known IPs via security groups provides immediate, compensating controls that reduce the attack surface for the critical RCE vulnerability. Since the instance cannot be patched within 48 hours, this network-layer isolation (WAF filtering malicious payloads, security groups limiting source IPs) aligns with the CISO's risk reduction requirement while maintaining business operations and PCI compliance.

Exam trap

CompTIA often tests the concept that compensating controls (like WAF + security group restrictions) are acceptable for immediate risk reduction when patching is not feasible, and candidates mistakenly choose a delayed patch (Option C) or an irrelevant security fix (Option D) instead of the correct network-layer mitigation.

How to eliminate wrong answers

Option B is wrong because decommissioning the instance immediately would break the legacy application and the third-party API integration, causing unacceptable business disruption and potential PCI data processing failure; the CISO asked for risk reduction, not removal. Option C is wrong because applying the patch in two weeks violates the 48-hour risk reduction mandate and does not address the immediate threat; the analyst must recommend a compensating control, not a delayed patch. Option D is wrong because disabling TLS 1.0 and enabling TLS 1.2 addresses encryption weaknesses, not the remote code execution vulnerability (CVE-2023-XXXX); it does not mitigate the specific RCE attack vector.

2 · MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For business prioritization, which recommendation gives the best risk-based order of work?

A. Ignore the vulnerability because it is internal
B. Change all findings to low severity
C. Environmental scoring and compensating-control review
D. Use only the vendor marketing page
Answer: C

Environmental factors help translate generic severity into local risk.

Why this answer

Option C is correct because CVSS base scores (like 9.8) do not account for network context or existing security controls. Environmental scoring (CVSS Environmental Metrics) adjusts the base score based on factors like asset criticality and network placement, while a compensating-controls review determines whether firewalls, ACLs, or network segmentation already mitigate the risk. This combined analysis provides the true residual risk for business prioritization.

Exam trap

Cisco often tests the misconception that a high CVSS base score always means urgent remediation, ignoring that environmental scoring and compensating controls can significantly lower the actual risk in a segmented network.

How to eliminate wrong answers

Option A is wrong because internal vulnerabilities can still be exploited by attackers who pivot from a compromised host or by malicious insiders; ignoring them violates the principle of defense in depth. Option B is wrong because arbitrarily changing all findings to low severity disregards the actual exploitability (CVSS 9.8 indicates remote code execution without authentication) and would misallocate security resources. Option D is wrong because vendor marketing pages often downplay risks and lack objective, technical detail; they are not a valid source for risk-based prioritization.

3 · MCQ · medium

A company uses a mix of Windows and Linux servers. The vulnerability scanner reports a critical remote code execution vulnerability in Apache Struts (CVE-2017-5638) on a web server located in the DMZ. This server is behind a load balancer with an identical twin server that does not appear vulnerable. The security team needs to implement immediate remediation while minimizing downtime. What should the analyst do?

A. Re-image the server with a hardened operating system
B. Implement a virtual patch via web application firewall (WAF) rules
C. Shut down the vulnerable server until a patch can be tested
D. Apply the vendor patch immediately during business hours
Answer: B

A virtual patch blocks the exploit at the network layer, providing immediate protection while allowing time for proper patching.

Why this answer

Option B is correct because implementing a virtual patch via WAF rules can immediately block exploitation attempts against CVE-2017-5638 (Apache Struts) without modifying the server or taking it offline. The WAF inspects HTTP requests for malicious Content-Type headers used in the exploit and drops them, providing protection while the identical twin server remains unaffected and the vulnerable server can be patched later with minimal downtime.

Exam trap

The trap here is that candidates may choose immediate patching (Option D) without considering the requirement to minimize downtime, or they may choose shutdown (Option C) thinking it's the safest, but the scenario explicitly prioritizes uptime over a full patch cycle.

How to eliminate wrong answers

Option A is wrong because re-imaging the server with a hardened OS does not address the specific Apache Struts vulnerability and introduces significant downtime, which contradicts the requirement to minimize downtime. Option C is wrong because shutting down the vulnerable server would cause an outage for the DMZ web service, and the load balancer would route all traffic to the twin server, potentially overloading it or exposing a single point of failure. Option D is wrong because applying the vendor patch immediately during business hours risks service disruption if the patch introduces compatibility issues or requires a restart, and the scenario explicitly calls for minimizing downtime.

4 · MCQ · medium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Give all users local admin rights
B. Mark the vulnerability as fixed
C. Remove the system from future reports
D. Documented risk acceptance with compensating controls and a migration/remediation plan
Answer: D

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

Option D is correct because when a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally document the risk acceptance, including compensating controls (e.g., network segmentation, host-based firewall rules) and a migration or remediation plan. This documentation is essential for stakeholder management to demonstrate due diligence and maintain a defensible security posture against audits or compliance reviews.

Exam trap

CompTIA often tests the misconception that removing a system from reports or marking a vulnerability as fixed is acceptable, but the correct approach is always to formally document risk acceptance with compensating controls and a migration plan.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would increase the attack surface and eliminate any privilege boundaries, directly violating the principle of least privilege and making the system more vulnerable to exploitation. Option B is wrong because marking the vulnerability as fixed when no patch has been applied is a false declaration; vulnerabilities must be remediated, mitigated, or accepted, not falsely closed. Option C is wrong because removing the system from future reports hides the risk from stakeholders and auditors, undermining transparency and the defensibility of the vulnerability management program.

5 · MCQ · medium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For business prioritization, which recommendation gives the best risk-based order of work?

A. The incident containment playbook only
B. The firewall vendor invoice
C. The risk register with owner, justification, expiry date, and compensating controls
D. The phishing training completion list
Answer: C

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch due to contractual constraints, the risk register must be updated to document the risk owner, justification, expiry date, and compensating controls. This ensures the risk is tracked, reviewed, and mitigated within an acceptable timeframe, aligning with vulnerability management and risk acceptance processes.

Exam trap

Cisco often tests the distinction between operational documents (playbooks, training logs) and governance artifacts (risk register), leading candidates to choose a familiar-sounding option like the incident containment playbook instead of the correct risk management process.

How to eliminate wrong answers

Option A is wrong because the incident containment playbook is used for active incident response, not for documenting accepted risks or deferred patches. Option B is wrong because the firewall vendor invoice is a billing document, not a risk management artifact, and has no role in tracking risk acceptance. Option D is wrong because the phishing training completion list tracks user awareness training, not risk acceptance decisions for patch delays.

6 · Matching · medium

Match each analysis technique to its description.


Descriptions

Matches known patterns

Identifies deviations from baseline

Uses rules to detect suspicious behavior

Monitors actions over time

Applies mathematical models

Why these pairings

Different techniques are used in security monitoring and detection.

7 · MCQ · medium

An organization uses automated patch management for workstations but manual patching for servers. After a critical vulnerability is announced, the security team wants to expedite patching for servers. Which of the following is the BEST approach?

A. Test the patch in a staging environment and then deploy
B. Disable the affected services until the patch can be applied
C. Deploy the patch immediately to all servers
D. Implement virtual patching via an IPS
Answer: A

Testing ensures the patch is safe before production deployment.

Why this answer

Option A is correct because testing the patch in a staging environment before deploying to production servers validates compatibility and stability, reducing the risk of service disruption. This approach balances the urgency of a critical vulnerability with the need to maintain server availability, which is especially important given that manual patching is the standard procedure for servers. Staging allows the security team to identify any conflicts with existing configurations or dependencies before widespread deployment.

Exam trap

The trap here is that candidates may choose immediate deployment (Option C) due to the urgency of a critical vulnerability, overlooking the operational risk of untested patches in a manual patching environment, while CompTIA often tests the principle that security must be balanced with availability and change management processes.

How to eliminate wrong answers

Option B is wrong because disabling affected services may cause significant business disruption and does not address the underlying vulnerability; it is a temporary workaround that still leaves the system vulnerable if the service is re-enabled without patching. Option C is wrong because deploying the patch immediately to all servers without testing can lead to unforeseen compatibility issues, crashes, or service outages, which is particularly risky in a manual patching environment where automated rollback mechanisms may not be in place. Option D is wrong because implementing virtual patching via an IPS only provides a detection and blocking layer at the network level, but does not remediate the actual vulnerability on the server; it can be bypassed and adds latency, making it a compensating control rather than a definitive fix.

8 · MCQ · hard

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. Assume the hosts have no vulnerabilities
B. Review scanner account permissions, allowed authentication methods, and sudo command restrictions
C. Disable SSH on all servers
D. Run only unauthenticated scans forever
Answer: B

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

After SSH hardening, credentialed scans fail because the scanner's authentication method (e.g., password or key-based login) may be blocked, or the scanner account lacks necessary sudo privileges. Option B is correct because reviewing scanner account permissions, allowed authentication methods (e.g., ensuring public key authentication is enabled in sshd_config), and sudo command restrictions directly addresses the root cause of scan failures without compromising security.

Exam trap

Cisco often tests the misconception that after hardening, you should disable SSH entirely or assume no vulnerabilities exist, rather than troubleshooting the scanner's authentication configuration.

How to eliminate wrong answers

Option A is wrong because assuming no vulnerabilities ignores the fact that unauthenticated scans may miss critical issues, and the hosts could still be vulnerable; this is a dangerous assumption that violates vulnerability management best practices. Option C is wrong because disabling SSH on all servers would break legitimate administrative access and is an extreme, unnecessary measure that does not solve the scanning issue. Option D is wrong because running only unauthenticated scans forever would produce incomplete results, missing vulnerabilities that require authenticated access (e.g., local privilege escalation or patch-level checks), and is not a sustainable or effective strategy.

9 · Multi-Select · medium

A security analyst is reviewing the results of a vulnerability scan. The scan identified several critical vulnerabilities on a web server that were previously reported three months ago. Which TWO actions should the analyst take to improve the vulnerability management process?

Select 2 answers
A. Exclude the web server from future scans to reduce the number of false positives.
B. Increase the frequency of vulnerability scans from quarterly to monthly.
C. Implement a policy to automatically close vulnerabilities after 90 days if no remediation action is taken.
D. Schedule the next scan to occur during peak business hours to capture real-world traffic.
E. Implement virtual patching or web application firewall rules to mitigate the vulnerabilities.
Answers: B, E

More frequent scans reduce the window of exposure and ensure timely identification of issues.

Why this answer

Option B is correct because increasing scan frequency from quarterly to monthly reduces the window of exposure for newly introduced vulnerabilities. Since the same critical vulnerabilities were present for three months, more frequent scanning ensures faster detection and remediation, aligning with continuous monitoring best practices in vulnerability management.

Exam trap

CompTIA often tests the distinction between remediation (fixing the root cause) and mitigation (reducing risk without fixing), leading candidates to overlook that virtual patching is a valid interim action even though it does not permanently resolve the vulnerability.

10 · MCQ · hard

A vulnerability management team uses OpenVAS to scan a network of 500 hosts weekly. The scans are causing network congestion and generating false positives. Which of the following would BEST reduce the impact while maintaining effective vulnerability detection?

A. Disable the vulnerable host discovery phase.
B. Increase the scan interval to monthly.
C. Use credential-based scanning to reduce false positives.
D. Schedule scans during off-peak hours and limit concurrent scans.
Answer: D

This reduces network impact while maintaining scan effectiveness.

Why this answer

Scheduling scans during off-peak hours and limiting concurrent scans directly reduces network congestion by shifting traffic to low-utilization periods and capping the number of simultaneous connections. This approach maintains the weekly scan frequency and full vulnerability coverage, unlike other options that degrade detection effectiveness.

Exam trap

CompTIA often tests the misconception that reducing false positives (credential-based scanning) solves network congestion, but the question specifically asks about reducing impact from congestion, not improving accuracy.

How to eliminate wrong answers

Option A is wrong because disabling the host discovery phase would prevent OpenVAS from identifying live hosts, causing it to skip vulnerability checks on those systems and severely reduce detection coverage. Option B is wrong because increasing the scan interval to monthly would leave hosts unassessed for three weeks, violating the weekly cadence and allowing vulnerabilities to persist longer. Option C is wrong because credential-based scanning reduces false positives by enabling authenticated checks, but it does not address network congestion; in fact, it can increase network traffic due to additional authentication exchanges.

11 · MCQ · medium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For business prioritization, which recommendation gives the best risk-based order of work?

A. Give all users local admin rights
B. Mark the vulnerability as fixed
C. Documented risk acceptance with compensating controls and a migration/remediation plan
D. Remove the system from future reports
Answer: C

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager should request a documented risk acceptance with compensating controls and a migration/remediation plan. This is the only option that formally acknowledges the risk, implements compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting) to reduce exploitability, and establishes a timeline to decommission or replace the system. This aligns with the risk-based prioritization required for business decisions.

Exam trap

Cisco often tests the misconception that marking a vulnerability as 'fixed' or ignoring it is acceptable when a patch is unavailable, but the correct risk-based approach is to formally accept the risk with compensating controls and a plan to migrate away from the unsupported system.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would drastically increase the attack surface, allowing any user to install malware, modify system files, or disable security controls, which directly contradicts vulnerability management best practices. Option B is wrong because marking the vulnerability as fixed when it is not patched is a false statement that would misrepresent the risk posture, violate compliance requirements (e.g., PCI DSS, SOX), and could lead to audit failures or exploitation.

12 · MCQ · medium

An analyst is reviewing scan results and finds that a critical vulnerability is present on 50 workstations. The vendor has released a patch, but the IT team is concerned about potential compatibility issues. Which of the following should the analyst recommend?

A. Remove the vulnerable software
B. Test the patch on a subset before full deployment
C. Apply a workaround from the vendor
D. Deploy the patch to all workstations immediately
Answer: B

Pilot testing identifies issues before full rollout.

Why this answer

Option B is correct because the IT team's concern about compatibility issues necessitates a controlled rollout. Testing the patch on a subset of workstations allows the analyst to validate that the patch does not break critical business applications or system functionality before full deployment, aligning with the vulnerability management principle of staged patching to minimize operational risk.

Exam trap

CompTIA often tests the misconception that immediate patching is always the best response, but the trap here is that the question explicitly highlights 'potential compatibility issues,' requiring the candidate to prioritize risk management over speed, making 'test on a subset' the correct choice over 'deploy immediately.'

How to eliminate wrong answers

Option A is wrong because removing the vulnerable software is a drastic measure that may not be feasible if the software is essential for business operations, and it does not address the root cause of the vulnerability in a way that maintains functionality. Option C is wrong because applying a workaround from the vendor is typically a temporary mitigation strategy, not a permanent fix, and may not fully eliminate the vulnerability or could introduce its own compatibility issues. Option D is wrong because deploying the patch to all workstations immediately ignores the IT team's stated concern about potential compatibility issues, which could lead to widespread system instability or application failures across the entire environment.

13 · Drag & Drop · medium

Order the steps to perform a vulnerability scan using a tool like Nessus.


Why this order

Vulnerability scanning typically involves defining targets, choosing a policy, configuring settings, executing, and analyzing results.

14 · MCQ · easy

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For business prioritization, which recommendation gives the best risk-based order of work?

A. A DNS MX record report
B. A password complexity screenshot only
C. A software bill of materials
D. A building floor plan
Answer: C

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A Software Bill of Materials (SBOM) provides a formal, machine-readable inventory of all third-party and open-source components, libraries, and their versions used in a software product. In a regulated environment, this is essential for vulnerability management and compliance, as it enables the security team to quickly identify known vulnerabilities (e.g., CVEs) in specific library versions and prioritize remediation based on risk.

Exam trap

Cisco often tests the distinction between operational security artifacts (like DNS records or password screenshots) and the specific artifact needed for software composition analysis, leading candidates to choose a familiar-sounding but irrelevant option.

How to eliminate wrong answers

Option A is wrong because a DNS MX record report lists mail exchange servers for email routing, which has no relevance to tracking software libraries or versions. Option B is wrong because a password complexity screenshot only shows password policy settings, not the included libraries or their versions, and provides no visibility into software composition.

15 · MCQ · hard

A security analyst is reviewing a report from an authenticated vulnerability scan of a Windows domain controller. The report indicates multiple critical vulnerabilities related to Active Directory. The system administrator claims the patches have been applied. Which of the following is the MOST likely cause of the discrepancy?

A. The vulnerabilities are false positives
B. The scan was run with insufficient credentials
C. The scan was run before patch installation
D. The patches require a reboot
Answer: D

Patches often need a reboot; if not rebooted, the vulnerability remains.

Why this answer

The most likely cause is that the patches require a reboot. Many critical Active Directory vulnerabilities, such as those in Kerberos or LSASS, are mitigated by patches that only take effect after a system restart. The authenticated scan detects the vulnerability because the patched files are not yet loaded into memory, even though the patches are installed on disk.

Exam trap

Cisco often tests the concept that patch installation does not equal vulnerability remediation until a reboot occurs, leading candidates to incorrectly assume false positives or credential issues.

How to eliminate wrong answers

Option A is wrong because authenticated vulnerability scans are highly accurate for known CVEs; false positives are rare when proper credentials are used, and the scan specifically targets Active Directory vulnerabilities. Option B is wrong because the scan was explicitly described as authenticated, meaning sufficient credentials were provided to access the domain controller and enumerate patch levels. Option C is wrong because the system administrator claims the patches have been applied, and the scan was run after that claim; if the scan were run before installation, the discrepancy would be expected and not a discrepancy at all.

16 · MCQ · hard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For business prioritization, which recommendation gives the best risk-based order of work?

A. A retest showing the vulnerable condition is no longer present
B. Wait one year before testing
C. Create a duplicate ticket for every asset
D. Close it immediately based on the email
Answer: A

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

A retest is required to confirm that the vulnerability has been successfully remediated. Without a retest, the vulnerability manager cannot verify that the patch was applied correctly or that it did not introduce new issues. This aligns with the vulnerability management lifecycle, where closure is only granted after a validated scan or manual test shows the vulnerable condition is eliminated.

Exam trap

Cisco often tests the misconception that simply applying a patch or creating a ticket is sufficient for closure, when in fact a retest is the only way to confirm the vulnerability is truly gone.

How to eliminate wrong answers

Option B is wrong because waiting one year before testing leaves the organization exposed to the critical vulnerability for an unacceptable period, violating the principle of timely remediation and risk reduction. Option C is wrong because creating a duplicate ticket for every asset does not confirm the patch's effectiveness; it only adds administrative overhead without providing any technical verification that the vulnerability is resolved.

17 · Multi-Select · medium

Which three of the following are common challenges when conducting authenticated vulnerability scans in a large, heterogeneous network? (Choose three.)

Select 3 answers
A. Credential management and rotation across different operating systems and applications
B. Increased network bandwidth consumption due to deeper inspection of system configurations
C. Elevated risk of account lockouts or service disruption due to incorrect credentials
D. Inability to scan virtualized or cloud-based assets using authenticated methods
E. Ensuring the scan account has appropriate privileges without granting excessive permissions
F. Authenticated scans always provide 100% accurate vulnerability detection
Answers: A, C, E

Why this answer

Correct: Credential management and rotation is a major challenge due to diverse systems and the need for secure storage. Incorrect credentials can cause account lockouts or disrupt services, especially in Active Directory environments. Granting the principle of least privilege to scan accounts is critical but complex across many systems.

Incorrect: Bandwidth increase from authenticated scans is usually minimal; the main impact is on the target system's performance. Most modern scanners support authenticated scanning of virtual and cloud assets via APIs or agent-based methods. Authenticated scans greatly improve accuracy but never guarantee 100% detection due to unknown vulnerabilities or configuration nuances.

18 · Multi-Select · easy

A company is implementing a vulnerability management program. Which of the following are essential components of a vulnerability management lifecycle? (Choose three.)

Select 3 answers
A. Vulnerability scanning and assessment.
B. Discovery and inventory of assets.
C. Penetration testing on all systems.
D. Remediation and verification.
E. Automated patch deployment.
Answers: A, B, D

Core activity to identify vulnerabilities.

Why this answer

Vulnerability scanning and assessment is a core component of the vulnerability management lifecycle because it involves actively identifying security weaknesses in systems, applications, and network devices using tools like Nessus or Qualys. This step provides the raw data—CVEs, missing patches, misconfigurations—that drives the entire remediation process. Without regular scanning, the organization cannot maintain an accurate picture of its security posture.

Exam trap

CompTIA often tests the distinction between vulnerability scanning (continuous, automated, non-intrusive) and penetration testing (periodic, manual, intrusive) to see if candidates confuse the two as interchangeable lifecycle components.

19 · MCQ · easy

A company wants to automate the deployment of security patches to endpoints. Which of the following tools would BEST support this requirement?

A. Enterprise patch management tool
B. Vulnerability scanner
C. Configuration management tool
D. Security information and event management (SIEM) system
Answer: A

Tools like WSUS or SCCM automate patch deployment.

Why this answer

An enterprise patch management tool (e.g., Microsoft WSUS, SCCM, or Ivanti) is specifically designed to automate the deployment, scheduling, and reporting of security patches across endpoints. It directly addresses the requirement by pushing patches to systems based on policy, ensuring compliance, and reducing manual effort.

Exam trap

The trap here is that candidates confuse a vulnerability scanner's ability to detect missing patches with the ability to deploy them, or they overestimate a configuration management tool's patch deployment capabilities, forgetting that patch management requires specialized lifecycle features like approval workflows and rollback support.

How to eliminate wrong answers

Option B is wrong because a vulnerability scanner (e.g., Nessus, Qualys) identifies missing patches and vulnerabilities but does not deploy or automate the installation of patches; it is a detection tool, not a remediation tool. Option C is wrong because a configuration management tool (e.g., Ansible, Puppet) focuses on enforcing desired system states and configurations, but it is not purpose-built for patch deployment and lacks native patch lifecycle management features like approval workflows and rollback capabilities. Option D is wrong because a SIEM system (e.g., Splunk, ArcSight) aggregates and correlates security logs for monitoring and alerting, but it has no mechanism to deploy patches to endpoints.

20
MCQ (hard)

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For control selection: which control best addresses the stated weakness without hiding risk?

A.Always sort only by CVSS base score
B.Remediate alphabetically by CVE ID
C.Prioritize the KEV/high-EPSS issue after confirming asset exposure
D.Remediate only vulnerabilities with vendor logos in the report
Answer: C

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because it combines external threat intelligence (CISA KEV and EPSS) with internal context (asset exposure) to prioritize a medium-severity vulnerability that is actively exploited and has a high probability of exploitation. This approach aligns with the NIST framework for risk-based vulnerability management, which emphasizes that not all high-CVSS vulnerabilities are exploitable in a given environment, while lower-scored vulnerabilities in KEV pose immediate risk.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the trap here is that candidates overlook the criticality of threat intelligence (KEV and EPSS) and environmental context, leading them to choose a high-CVSS-only approach despite non-exploitability.

How to eliminate wrong answers

Option A is wrong because sorting solely by CVSS base score ignores environmental context and threat intelligence; a high-CVSS vulnerability that is not exploitable in the environment wastes remediation resources, while a medium-CVSS vulnerability in CISA KEV with high EPSS represents active risk. Option B is wrong because remediating alphabetically by CVE ID is arbitrary and has no correlation with exploitability, asset criticality, or threat intelligence; it would treat a low-risk CVE the same as a critical actively exploited one.

21
MCQ (easy)

A penetration testing team has completed an internal assessment and provided a report with several high-risk findings. One finding indicates that a web application is vulnerable to SQL injection. The application is used by external customers to submit orders. The development team has reviewed the finding and states that it will take three weeks to fix the code and deploy a patch. The security operations center (SOC) has observed increased scanning activity targeting the application's IP address from external sources. The company's risk tolerance for web application vulnerabilities is low. Which of the following should the analyst recommend as the immediate next step?

A.Deploy a web application firewall (WAF) with rules to block SQL injection attempts.
B.Increase logging and monitoring for SQL injection attempts.
C.Disable the web application until the patch is deployed.
D.Request the development team to expedite the patch within one week.
Answer: A

Provides immediate protection via virtual patching.

Why this answer

Deploying a WAF with rules to block SQL injection attempts is the immediate next step because it provides a virtual patch that mitigates the vulnerability while the development team works on the permanent code fix. Given the low risk tolerance and active external scanning, this reduces the attack surface without taking the application offline, which would disrupt customer order submissions.

Exam trap

The trap here is that candidates may choose to disable the application (Option C) thinking it is the safest approach, but Cisco tests the balance between security and business continuity, where a compensating control like a WAF is the preferred immediate step when a patch is not immediately available.

How to eliminate wrong answers

Option B is wrong because increasing logging and monitoring does not actively block SQL injection attempts; it only detects them after the fact, which is insufficient given the low risk tolerance and active scanning. Option C is wrong because disabling the web application would cause immediate business disruption for external customers submitting orders, which is not necessary when a WAF can provide temporary protection. Option D is wrong because requesting the development team to expedite the patch within one week ignores the reality that the fix requires three weeks; rushing could introduce new vulnerabilities or incomplete fixes, and it does not address the immediate threat from active scanning.

22
MCQ (medium)

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For tool configuration: which scanner or pipeline change most directly improves result quality?

A.Change all findings to low severity
B.Ignore the vulnerability because it is internal
C.Environmental scoring and compensating-control review
D.Use only the vendor marketing page
Answer: C

Environmental factors help translate generic severity into local risk.

Why this answer

Option C is correct because CVSS 9.8 indicates a critical base score, but the actual risk depends on the environment. An environmental score (CVSS v3.1 Environmental Metric Group) adjusts the base score based on modified impact metrics, while a compensating-control review evaluates whether existing controls (e.g., network ACLs, host-based firewalls, or IDS/IPS) reduce exploitability. This analysis prevents unnecessary remediation effort and aligns with the principle of risk-based vulnerability management.

Exam trap

Cisco often tests the misconception that a high CVSS base score always demands immediate patching, but the trap here is that environmental scoring and compensating controls can lower the effective risk, making a risk-based analysis more useful than blindly applying the base score.

How to eliminate wrong answers

Option A is wrong because changing all findings to low severity disregards the CVSS base score and the potential for lateral movement or privilege escalation, violating the NIST SP 800-40 guidance on prioritizing vulnerabilities. Option B is wrong because ignoring the vulnerability assumes internal services are safe, but a restricted subnet does not eliminate risk from insider threats, credential theft, or misconfiguration that could expose the service. Option D is wrong because vendor marketing pages are promotional and lack objective, standardized severity data; relying on them would violate the CVSS scoring methodology and introduce bias.

23
MCQ (medium)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For tool configuration: which scanner or pipeline change most directly improves result quality?

A.The firewall vendor invoice
B.The risk register with owner, justification, expiry date, and compensating controls
C.The incident containment playbook only
D.The phishing training completion list
Answer: B

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch, the risk must be documented in the risk register with an owner, justification, an expiry date, and compensating controls. This ensures the risk is tracked, reviewed, and mitigated within an acceptable timeframe, which is a core requirement of vulnerability management governance.

Exam trap

Cisco often tests the distinction between operational documentation (risk register) and reactive documentation (incident playbook), tricking candidates into choosing the incident playbook because they confuse risk acceptance with incident response.

How to eliminate wrong answers

Option A is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management decisions. Option C is wrong because the incident containment playbook is used for active security incidents, not for documenting accepted risks from delayed patching. Option D is wrong because the phishing training completion list tracks user awareness training, not the formal acceptance of a specific vulnerability risk.

24
MCQ (hard)

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For tool configuration: which scanner or pipeline change most directly improves result quality?

A.Remediate only vulnerabilities with vendor logos in the report
B.Always sort only by CVSS base score
C.Remediate alphabetically by CVE ID
D.Prioritize the KEV/high-EPSS issue after confirming asset exposure
Answer: D

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option D is correct because the CISA Known Exploited Vulnerabilities (KEV) catalog combined with a high Exploit Prediction Scoring System (EPSS) score indicates active exploitation in the wild, which is a higher priority than static CVSS base scores. The analyst must first confirm that the asset is exposed in the environment before recommending remediation, as a vulnerability that is not exploitable due to compensating controls or network segmentation should not be prioritized. This approach aligns with the NIST SP 800-40 risk-based prioritization framework, which emphasizes threat intelligence over severity alone.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, when in reality threat intelligence (KEV, EPSS) and environmental context (asset exposure, compensating controls) are more critical for effective vulnerability management.

How to eliminate wrong answers

Option A is wrong because vendor logos in a report do not correlate with exploitability or risk; they are marketing artifacts and ignoring vulnerabilities without logos would leave critical unpatched issues. Option B is wrong because sorting solely by CVSS base score ignores environmental context, exploitability (EPSS), and active exploitation (KEV), leading to misallocation of resources on high-severity but non-exploitable findings. Option C is wrong because sorting alphabetically by CVE ID is arbitrary and has no relationship to risk, exploitability, or business impact; it would treat a low-severity CVE the same as a critical one.

25
MCQ (easy)

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For tool configuration: which scanner or pipeline change most directly improves result quality?

A.Remediate only low-risk internal findings to improve closure rate
B.Patch or mitigate the VPN appliance immediately and verify exposure is removed
C.Start with the oldest medium vulnerability
D.Defer all remediation until the monthly patch window
Answer: B

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

Option B is correct because the vulnerability is a critical unauthenticated remote-code-execution (RCE) flaw on an internet-facing VPN appliance that is actively exploited in the wild. According to the CVSS scoring system, such a flaw (typically CVSS 9.0–10.0) poses an immediate and severe risk to the organization's perimeter, and remediation must be prioritized over all internal-only medium vulnerabilities. The principle of risk-based prioritization dictates that externally exploitable, actively weaponized vulnerabilities must be patched or mitigated first to prevent a likely breach.

Exam trap

The trap here is that candidates may mistakenly prioritize remediation by age or internal-only status, failing to recognize that a critical, actively exploited, internet-facing RCE flaw demands immediate action over any medium or low-risk internal findings, regardless of their age or quantity.

How to eliminate wrong answers

Option A is wrong because remediating only low-risk internal findings ignores the critical external RCE flaw, leaving the organization exposed to active exploitation and potential full compromise of the network perimeter. Option C is wrong because starting with the oldest medium vulnerability disregards the severity and exploitability of the critical flaw; age alone does not determine risk, and a medium internal vulnerability poses far less immediate danger than an actively exploited RCE on an internet-facing device. Option D is wrong because deferring all remediation until the monthly patch window would leave the critical VPN vulnerability unaddressed for weeks, during which attackers could easily exploit it to gain unauthorized access, violating the principle of timely remediation for critical, actively exploited flaws.

26
MCQ (easy)

A security analyst has identified a large number of false positives in a vulnerability scan report. Which of the following is the BEST way to reduce false positives in future scans?

A.Manually verify each vulnerability before reporting
B.Increase the frequency of vulnerability scans
C.Exclude the false positives from the report
D.Tune the vulnerability scanner's configuration
Answer: D

Proper tuning reduces false positives by adjusting detection parameters.

Why this answer

Tuning the vulnerability scanner's configuration (option D) is the best approach because it allows the analyst to adjust scan parameters such as credential settings, plugin thresholds, and network timeouts to match the target environment. This reduces false positives by ensuring the scanner accurately identifies real vulnerabilities rather than reporting benign deviations or configuration mismatches. For example, enabling authenticated scans with valid credentials eliminates many false positives related to missing patches that are actually installed.

Exam trap

CompTIA often tests the misconception that manual verification or exclusion is a valid long-term fix, but the correct answer always involves adjusting the scanner's configuration to prevent false positives at the source.

How to eliminate wrong answers

Option A is wrong because manually verifying each vulnerability before reporting is a post-scan validation step, not a method to reduce false positives in future scans; it adds overhead without addressing the root cause of scanner misconfiguration. Option B is wrong because increasing scan frequency does not improve accuracy—it only repeats the same flawed scan logic more often, potentially generating even more false positives. Option C is wrong because excluding false positives from the report merely hides the problem without fixing the scanner's detection rules or tuning parameters, leading to continued inaccurate results.

27
MCQ (hard)

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For control selection: which control best addresses the stated weakness without hiding risk?

A.Assume the hosts have no vulnerabilities
B.Review scanner account permissions, allowed authentication methods, and sudo command restrictions
C.Run only unauthenticated scans forever
D.Disable SSH on all servers
Answer: B

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

After SSH hardening, the credentialed scan fails because the scanner's authentication methods (e.g., password, public key) or sudo commands may be restricted. Option B is correct because reviewing scanner account permissions, allowed authentication methods, and sudo command restrictions directly addresses the root cause—ensuring the scanner can authenticate and execute privileged commands without bypassing security controls.

Exam trap

Cisco often tests the misconception that after hardening, you should revert to unauthenticated scans or ignore the issue, rather than systematically adjusting scanner credentials and permissions to maintain authenticated scanning without weakening security.

How to eliminate wrong answers

Option A is wrong because assuming hosts have no vulnerabilities ignores the purpose of vulnerability scanning and could leave critical unpatched flaws undetected, violating risk management principles. Option C is wrong because running only unauthenticated scans forever hides deep vulnerabilities (e.g., missing patches, misconfigurations) that require authenticated access to detect, thus failing to provide comprehensive visibility.

28
MCQ (easy)

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For control selection: which control best addresses the stated weakness without hiding risk?

A.Disable all application authentication
B.Treat absence of findings as proof of security
C.Reduce the scan to only the landing page
D.Authenticated scanning with a test account and session handling
Answer: D

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners require authenticated access to crawl and test pages behind login forms. By configuring authenticated scanning with a test account and session handling (e.g., using cookies or OAuth tokens), the scanner can traverse protected routes and detect vulnerabilities such as SQL injection or XSS on authenticated pages. This directly addresses the stated weakness without masking risk.

Exam trap

CompTIA often tests the misconception that a DAST scanner's lack of findings on public pages implies the entire application is secure, when in fact the scanner never accessed the authenticated areas, so the risk remains hidden.

How to eliminate wrong answers

Option A is wrong because disabling all application authentication would remove the security control entirely, exposing the application to unauthorized access and violating security best practices. Option B is wrong because treating absence of findings as proof of security is a false sense of security; the scanner simply did not test the authenticated pages, so no conclusion about their security can be drawn. Option C is wrong because reducing the scan to only the landing page ignores the majority of the application's attack surface, leaving authenticated pages untested and vulnerabilities undiscovered.

29
MCQ (easy)

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For validation: which action should be taken before closing or downgrading the finding?

A.Patch or mitigate the VPN appliance immediately and verify exposure is removed
B.Start with the oldest medium vulnerability
C.Remediate only low-risk internal findings to improve closure rate
D.Defer all remediation until the monthly patch window
Answer: A

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The critical unauthenticated remote-code-execution (RCE) vulnerability on the internet-facing VPN appliance poses an immediate and active threat, as it is being exploited in the wild. According to the CVSS scoring system and industry best practices (e.g., PCI DSS, NIST SP 800-115), vulnerabilities that are remotely exploitable, have high impact, and are actively exploited must be prioritized over internal-only medium-severity issues. Remediating this flaw first reduces the attack surface exposed to the internet and prevents potential compromise of the entire network.

Exam trap

Cisco often tests the candidate's ability to apply risk-based prioritization over a simple 'patch oldest first' or 'close low-hanging fruit' mentality, trapping those who ignore the criticality of actively exploited, internet-facing vulnerabilities.

How to eliminate wrong answers

Option B is wrong because prioritizing the oldest medium vulnerability ignores the risk severity and exploitability; a critical RCE on an internet-facing device should always take precedence over internal medium issues, regardless of age. Option C is wrong because remediating only low-risk internal findings to improve closure rate is a metric-driven approach that neglects the most dangerous threat; this would leave a critical, actively exploited vulnerability unpatched, which could lead to a full network breach.

30
Multi-Select (medium)

Which sources improve asset criticality context for vulnerability prioritization? (Choose two.)

Select 2 answers
A.CMDB or asset inventory with business service mapping
B.Random public IP reputation of unrelated hosts
C.Data classification or sensitivity labels for hosted data
D.Employee lunch preferences
Answers: A, C

Service mapping links technical assets to business impact.

Why this answer

A CMDB or asset inventory with business service mapping provides direct context about which assets support critical business functions, enabling prioritization of vulnerabilities based on potential business impact. This aligns with the FAIR model for risk quantification, where asset criticality is a key factor in determining the likelihood and magnitude of loss.

Exam trap

Cisco often tests the distinction between contextual relevance (like business impact and data sensitivity) versus generic threat intelligence (like IP reputation) that lacks direct linkage to the asset's role or data value.

31
MCQ (medium)

During a vulnerability assessment, a security analyst discovers that a network device is running an outdated firmware version with known exploits. The device is critical to production and cannot be rebooted during business hours. Which of the following is the BEST approach to remediate this vulnerability?

A.Schedule the firmware upgrade during the next maintenance window
B.Apply the firmware patch immediately without rebooting
C.Implement a virtual patch via the IDS/IPS until a full patch is possible
D.Request a hotfix from the vendor that does not require a reboot
Answer: A

This balances security with operational continuity.

Why this answer

Option A is correct because scheduling the firmware upgrade during the next maintenance window aligns with change management best practices for critical production devices that cannot tolerate downtime during business hours. This approach ensures the vulnerability is remediated in a controlled manner, minimizing operational risk while still addressing the known exploit.

Exam trap

CompTIA often tests the distinction between remediation (removing the vulnerability) and mitigation (reducing risk without removal), leading candidates to mistakenly choose a compensating control like virtual patching instead of scheduling a proper firmware upgrade.

How to eliminate wrong answers

Option B is wrong because applying a firmware patch without rebooting is typically not feasible; most firmware updates require a system reboot to load the new code into memory and complete the installation. Option C is wrong because implementing a virtual patch via IDS/IPS is a compensating control that only detects or blocks exploit attempts, not a remediation that removes the underlying vulnerability. Option D is wrong because requesting a hotfix that does not require a reboot is unrealistic for firmware-level vulnerabilities; firmware updates inherently involve low-level code changes that necessitate a restart to take effect.

32
MCQ (hard)

A security analyst is reviewing the output of a vulnerability scan and notices that a critical vulnerability on a Linux server has been reported as 'Confirmed' by the scanner. The analyst checks the system and finds that the actual vulnerability does not exist because a kernel upgrade was applied via a yum update but the scanner did not detect the change. Which of the following is the MOST likely cause?

A.The vulnerability database was not updated before the scan
B.The scanner is configured to alert on missing patches only
C.The scanner was not configured with proper credentials for authenticated scanning
D.The scanner's plugins for Linux are outdated
Answer: C

Without credentials, the scanner may detect outdated service banners even if patched.

Why this answer

Option C is correct because the vulnerability scanner reported a 'Confirmed' critical vulnerability that no longer exists after a kernel upgrade via yum. This indicates the scanner performed an unauthenticated scan, relying on banner grabbing or service version detection, which cannot verify the actual installed kernel version. With proper credentials (e.g., SSH keys or a service account), the scanner would have performed an authenticated scan, queried the package manager (rpm -q kernel), and correctly identified that the kernel was updated, thus not flagging the vulnerability.

Exam trap

CompTIA often tests the distinction between authenticated and unauthenticated scanning, and the trap here is that candidates assume a 'Confirmed' status means the scanner has verified the vulnerability through deep inspection, when in fact it may only indicate that the scanner's unauthenticated checks matched a signature, not that it has actual system-level access to confirm the patch state.

How to eliminate wrong answers

Option A is wrong because an outdated vulnerability database would cause the scanner to miss new vulnerabilities (false negatives), not to falsely confirm a vulnerability that was already patched. Option B is wrong because a scanner configured to alert on missing patches only would report a vulnerability only when the patch is absent; here the patch was applied, so under that configuration the scanner should not have alerted at all. Option D is wrong because outdated Linux plugins would more likely cause the scanner to miss vulnerabilities or misreport severity; the core issue is the lack of authenticated access to verify the installed kernel version, not the plugin version.

33
MCQ (easy)

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For stakeholder management: which documentation or approval is required to keep the programme defensible?

A.Disable all application authentication
B.Treat absence of findings as proof of security
C.Authenticated scanning with a test account and session handling
D.Reduce the scan to only the landing page
Answer: C

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners cannot access authenticated pages without valid session credentials. Configuring authenticated scanning with a test account and proper session handling (e.g., via cookies, tokens, or form-based login) allows the scanner to crawl and test behind the login wall, ensuring coverage of all application states. This is the standard remediation for the described limitation.

Exam trap

The trap here is that candidates may assume any authentication bypass or disabling security is acceptable, when the correct approach is to provide the scanner with legitimate credentials and session management to test authenticated areas safely.

How to eliminate wrong answers

Option A is wrong because disabling authentication eliminates the security boundary entirely, which is not a valid remediation and would expose the application to real-world attacks. Option B is wrong because absence of findings from an unauthenticated scan does not prove security; it only indicates that the scanner could not reach protected areas, leaving vulnerabilities hidden. Option D is wrong because reducing the scan to only the landing page ignores all other pages and functionality, defeating the purpose of a comprehensive DAST assessment.

34
MCQ (easy)

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For business prioritization: which recommendation gives the best risk-based order of work?

A.Treat absence of findings as proof of security
B.Authenticated scanning with a test account and session handling
C.Reduce the scan to only the landing page
D.Disable all application authentication
Answer: B

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners require authenticated sessions to crawl and test pages behind login forms. Without session handling (e.g., cookies, tokens), the scanner only sees public content. Configuring authenticated scanning with a test account and proper session management (e.g., OWASP ZAP's session handling rules or Burp Suite's authentication pre-script) allows the scanner to maintain state and reach restricted pages, enabling full coverage of the application's attack surface.

Exam trap

The trap here is that candidates may think 'no findings' means the application is secure, but Cisco tests the understanding that DAST results are only as good as the scope of pages the scanner can actually reach, and that authenticated scanning is mandatory for comprehensive testing.

How to eliminate wrong answers

Option A is wrong because treating an absence of findings as proof of security ignores the possibility that unauthenticated scans miss critical vulnerabilities in protected areas, leading to a false sense of security. Option C is wrong because reducing the scan to only the landing page deliberately avoids testing the authenticated portions of the application, which is the opposite of the required action and would leave high-risk areas untested.

35
MCQ (medium)

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For validation: which action should be taken before closing or downgrading the finding?

A.Wait for the next quarterly review
B.Rotate database administrator passwords only
C.Delete all audit logs to reduce liability
D.Restrict public access and determine whether sensitive data was accessed
Answer: D

The priority is exposure containment and impact assessment.

Why this answer

Option D is correct because the immediate priority is to restrict public read access to the storage bucket to prevent further unauthorized exposure, then determine whether sensitive customer data was accessed by reviewing access logs (e.g., AWS CloudTrail or S3 server access logs). This aligns with incident response best practices: contain the threat first, then assess impact. Without confirming data access, the team cannot properly scope the breach or notify affected parties.

Exam trap

CompTIA often tests the misconception that rotating credentials (Option B) is the primary fix for a misconfiguration, when the actual first step is to remove the public access and investigate exposure.

How to eliminate wrong answers

Option A is wrong because waiting for the next quarterly review violates incident response principles; a public bucket with customer exports requires immediate containment, not delayed action. Option B is wrong because rotating database administrator passwords does not address the root cause—public read access on a storage bucket—and is irrelevant to the misconfiguration. Option C is wrong because deleting audit logs destroys forensic evidence needed to determine if sensitive data was accessed, which could violate compliance requirements (e.g., GDPR, HIPAA) and hinder investigation.

36
MCQ (medium)

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For validation: which action should be taken before closing or downgrading the finding?

A.Run authenticated scans using least-privilege scanner credentials
B.Trust the unauthenticated result as complete
C.Disable host firewalls permanently
D.Increase only the port range
Answer: A

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans rely on network-level probes and can only detect vulnerabilities visible without credentials, such as open ports or banner information. Patch status for Windows servers requires authenticated access to query the registry, WMI, or the Windows Update API. Using least-privilege scanner credentials enables the scanner to perform authenticated checks, revealing missing patches that were previously hidden.

Exam trap

Cisco often tests the misconception that unauthenticated scans are sufficient for vulnerability management, when in fact they miss the majority of patch-related findings that require credentialed access.

How to eliminate wrong answers

Option B is wrong because trusting an unauthenticated result as complete ignores the fundamental limitation that uncredentialed scans cannot assess patch levels, leading to a false sense of security. Option C is wrong because permanently disabling host firewalls would expose the servers to network-based attacks and violates the principle of defense in depth; firewall rules should be configured to allow scanner traffic, not disabled entirely.

37
MCQ · easy

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For validation, which action should be taken before closing or downgrading the finding?

A. A building floor plan
B. A password complexity screenshot only
C. A software bill of materials
D. A DNS MX record report
Answer: C

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A Software Bill of Materials (SBOM) is the correct request because it provides a formal, machine-readable inventory of all included libraries, components, and their versions used in the software product. In a regulated environment (e.g., healthcare, finance), this visibility is essential for vulnerability management, license compliance, and supply chain risk assessment, as mandated by frameworks like NIST SP 800-53 or FDA premarket cybersecurity guidance.

Exam trap

The trap here is that candidates may confuse a security configuration artifact (like a password policy screenshot) with a comprehensive software inventory document, failing to recognize that only an SBOM provides the library-level visibility required for supply chain risk management in regulated environments.

How to eliminate wrong answers

Option A is wrong because a building floor plan is a physical security artifact that has no relevance to software composition, library versions, or vulnerability management in a regulated environment. Option B is wrong because a password complexity screenshot only verifies a single authentication policy setting; it provides no insight into the software's included libraries, their versions, or supply chain risks, which is the core requirement of the question.

38
MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For validation, which action should be taken before closing or downgrading the finding?

A. Use only the vendor marketing page
B. Environmental scoring and compensating-control review
C. Change all findings to low severity
D. Ignore the vulnerability because it is internal
Answer: B

Environmental factors help translate generic severity into local risk.

Why this answer

Option B is correct because CVSS base scores assume a default environment, but an internal service restricted to a trusted admin subnet may have a lower actual risk. Environmental scoring (CVSS v3.1 environmental metrics) adjusts the base score for factors like modified attack vector and modified confidentiality/integrity/availability requirements, while a compensating-control review verifies whether existing controls (e.g., network ACLs, host-based firewalls, VPNs) effectively mitigate the vulnerability. This combined analysis determines if the finding can be downgraded or closed without introducing residual risk.

Exam trap

Cisco often tests the misconception that a high CVSS base score automatically mandates immediate remediation, without considering environmental modifiers or existing compensating controls that can lower the effective risk.

How to eliminate wrong answers

Option A is wrong because vendor marketing pages are promotional and lack objective, technical details about exploitability, attack surface, or compensating controls; they do not provide the environmental context or control validation needed for risk-based decision-making. Option C is wrong because changing all findings to low severity without performing an environmental scoring and compensating-control review is arbitrary and violates the principle of risk-based vulnerability management; it ignores the actual exploitability and impact within the specific deployment environment.

39
Multi-Select · medium

Which measures help reduce recurring vulnerabilities from unsupported software? (Choose two.)

Select 2 answers
A. Lifecycle tracking for end-of-support dates
B. Permanent acceptance without review
C. Migration plan with business owner accountability
D. Changing scanner colours to red
Answers: A, C

Lifecycle visibility enables proactive replacement.

Why this answer

Lifecycle tracking for end-of-support dates (Option A) is correct because it enables organizations to proactively identify when software will no longer receive security patches. By monitoring these dates, vulnerability management teams can schedule migrations or upgrades before the vendor ceases support, directly reducing the window of exposure to unpatched vulnerabilities. This aligns with the NIST SP 800-53 CM-8 control for configuration management and asset lifecycle tracking.

Exam trap

Cisco often tests the misconception that 'permanent acceptance' is a valid risk treatment for unsupported software, when in fact it violates the principle of continuous vulnerability management and is never an acceptable long-term strategy without compensating controls.

40
MCQ · medium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. The risk register with owner, justification, expiry date, and compensating controls
B. The firewall vendor invoice
C. The incident containment playbook only
D. The phishing training completion list
Answer: A

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch, the risk register must be updated with the owner, justification, expiry date, and compensating controls. This documentation ensures the decision is defensible during audits or incidents, as it captures the explicit risk acceptance and the temporary controls in place until the patch is applied.

Exam trap

Cisco often tests the misconception that any documentation (like an invoice or playbook) can substitute for the formal risk register entry required to track accepted risks and compensating controls.

How to eliminate wrong answers

Option B is wrong because a firewall vendor invoice is a procurement document, not a stakeholder management or risk acceptance record; it does not capture the rationale, owner, or compensating controls for a delayed patch. Option C is wrong because the incident containment playbook only outlines steps to respond to an active incident, not the proactive risk acceptance and compensating controls needed to keep the program defensible.

41
MCQ · easy

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. A DNS MX record report
B. A software bill of materials
C. A building floor plan
D. A password complexity screenshot only
Answer: B

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A software bill of materials (SBOM) is a formal, machine-readable inventory of all components, libraries, and versions used in a software product. In a regulated environment, an SBOM provides the security team with the visibility needed to assess vulnerabilities, track supply chain risks, and ensure compliance with standards like NIST SP 800-53 or FDA guidance. Requesting an SBOM directly addresses the need for library and version transparency.

Exam trap

Cisco often tests the distinction between operational artifacts (like DNS records or floor plans) and security-specific artifacts (like SBOMs), trapping candidates who confuse general IT documentation with targeted vulnerability management tools.

How to eliminate wrong answers

Option A is wrong because a DNS MX record report lists mail exchange servers for a domain and has no relation to software libraries or versions; it is a network infrastructure query, not a software composition artifact. Option C is wrong because a building floor plan is a physical security document showing facility layouts and has no relevance to software component visibility or vulnerability management.

42
Multi-Select · hard

A scanner reports a critical issue on a network device. Which steps help validate the finding before closure? (Choose two.)

Select 2 answers
A. Suppress all network-device findings permanently
B. Close it because the device is expensive
C. Confirm the firmware or software version on the device
D. Check vendor advisory applicability and configuration requirements
Answers: C, D

Version evidence verifies whether the vulnerable build is present.

Why this answer

Option C is correct because confirming the firmware or software version on the device is a critical validation step. The scanner may report a vulnerability based on version detection, but the actual installed version could differ due to patching or backporting. Verifying the exact version ensures the finding is not a false positive before closure.

Exam trap

CompTIA often tests the misconception that scanner findings are always accurate and can be closed without manual verification, leading candidates to skip validation steps like version confirmation and vendor advisory checks.

43
MCQ · easy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Ignore all base-image vulnerabilities
B. Ship the image and document nothing
C. Only rename the image tag
D. Validate exploitability and rebuild from a patched base image where feasible
Answer: D

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option D is correct because it follows a defensible vulnerability management process: first validate whether the OpenSSL CVE is actually exploitable in the context of the application (e.g., the vulnerable binary may be present but never executed), then rebuild the image from a patched base image to eliminate the risk entirely. This balances security with operational pragmatism, ensuring the pipeline remains secure while avoiding unnecessary delays.

Exam trap

Cisco often tests the misconception that 'not used' means 'no risk'—candidates may choose to ignore or rename the image, but the correct approach is to validate exploitability and then remediate by rebuilding from a patched base image.

How to eliminate wrong answers

Option A is wrong because ignoring all base-image vulnerabilities violates security policy and leaves the organization exposed to known exploits, even if the vulnerable binary is unused—attackers could still leverage it via other paths. Option B is wrong because shipping the image without documentation creates an audit trail gap; if the CVE is later exploited, there is no evidence of a risk-based decision, making the program indefensible. Option C is wrong because renaming the image tag does not change the underlying vulnerable binary—it only obscures the issue, and vulnerability scanners will still flag the same CVE based on the image digest.

44
MCQ · easy

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For control selection, which control best addresses the stated weakness without hiding risk?

A. A DNS MX record report
B. A software bill of materials
C. A building floor plan
D. A password complexity screenshot only
Answer: B

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A software bill of materials (SBOM) provides a formal, machine-readable inventory of all components, libraries, and versions used in a software product. This directly gives the security team the visibility needed for vulnerability management in a regulated environment, aligning with frameworks like NIST SP 800-53 and Executive Order 14028.

Exam trap

Cisco often tests the distinction between operational artifacts (like DNS records) and software composition artifacts (like SBOMs), trapping candidates who confuse network visibility with application-level visibility.

How to eliminate wrong answers

Option A is wrong because a DNS MX record report only reveals mail exchange server configurations, not software libraries or versions. Option C is wrong because a building floor plan describes physical layout, not software composition. Option D is wrong because a password complexity screenshot only shows password policy settings, not the included libraries and their versions.

45
Multi-Select · hard

A vulnerability scan of a segmented OT network must avoid disrupting fragile devices. Which controls are appropriate? (Choose two.)

Select 2 answers
A. Use approved safe-check profiles or passive discovery where required
B. Scan from random external hosts
C. Run aggressive exploit checks without approval
D. Coordinate test windows and scope with OT owners
Answers: A, D

Non-intrusive methods reduce disruption risk.

Why this answer

Option A is correct because safe-check profiles (e.g., Nessus 'safe checks' mode) disable active exploits and denial-of-service tests, while passive discovery (e.g., using NetFlow or SNMP traps) never sends packets to fragile OT devices. This prevents disruption to legacy PLCs, RTUs, or other industrial controllers that may crash under aggressive scanning.

Exam trap

Cisco often tests the misconception that scanning from random external hosts improves stealth or coverage, but in OT segmentation, the priority is avoiding disruption—not hiding the scan source.

46
MCQ · easy

Which of the following is the BEST method to prioritize vulnerabilities for remediation?

A. By asset criticality and exploitability
B. By availability of patch
C. By CVSS score
D. By number of affected hosts
Answer: A

This combines impact and likelihood, reflecting true risk.

Why this answer

Option A is correct because prioritizing by asset criticality and exploitability (that is, by risk) is more effective than any single factor. CVSS score alone (C) is insufficient; number of affected hosts (D) and patch availability (B) are secondary considerations.

47
Multi-Select · hard

An application has a high CVSS vulnerability, but a WAF rule blocks known exploit payloads. What should the team still do? (Choose two.)

Select 2 answers
A. Validate the WAF rule against bypass and false-positive risk
B. Remove the application from vulnerability scans
C. Mark the vulnerability as permanently remediated
D. Track the vulnerability until the underlying flaw is fixed
Answers: A, D

Compensating controls need effectiveness testing.

Why this answer

A WAF rule blocking known exploit payloads does not guarantee complete protection, as attackers can craft bypass techniques such as encoding, parameter pollution, or using different HTTP methods. Validating the rule against bypass and false-positive risks ensures the WAF is effective without disrupting legitimate traffic, which is critical for maintaining both security and availability.

Exam trap

Cisco often tests the misconception that a compensating control like a WAF rule is equivalent to a permanent fix, leading candidates to incorrectly mark the vulnerability as remediated without addressing the root cause in the application code.

48
Multi-Select · hard

A vulnerability appears critical but the vulnerable feature is disabled. What should the analyst document before downgrading? (Choose two.)

Select 2 answers
A. Approval and rationale for the severity change
B. Deletion of the original scanner finding
C. The analyst's personal preference for fewer tickets
D. Evidence that the affected feature or code path is not reachable
Answers: A, D

Governed downgrades need documented justification.

Why this answer

Option A is correct because when a vulnerability is critical but the vulnerable feature is disabled, the analyst must document the approval and rationale for the severity change to maintain an accurate risk register and audit trail. This ensures that the decision to downgrade is justified, traceable, and compliant with organizational change management policies, preventing arbitrary adjustments that could obscure true risk posture.

Exam trap

Cisco often tests the misconception that deleting or ignoring a scanner finding is acceptable when a vulnerability is not exploitable, but the correct approach is to document the rationale and obtain approval for a severity downgrade while preserving the finding for audit and compliance purposes.

49
MCQ · hard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. Wait one year before testing
B. Close it immediately based on the email
C. Create a duplicate ticket for every asset
D. A retest showing the vulnerable condition is no longer present
Answer: D

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

Option D is correct because the vulnerability manager must obtain objective evidence that the vulnerability has been remediated. A retest, either automated or manual, confirms that the specific vulnerable condition (e.g., a missing patch, misconfiguration, or outdated library) is no longer present on the asset. This aligns with the NIST SP 800-115 and PCI DSS 11.3.2 requirement for verification of remediation before closure.

Exam trap

Cisco often tests the misconception that a verbal or written claim of a patch is sufficient, but the correct answer always requires technical verification via a retest or rescan.

How to eliminate wrong answers

Option A is wrong because waiting one year before testing violates the principle of timely remediation verification; vulnerabilities must be confirmed fixed promptly to prevent exploitation windows. Option B is wrong because closing based solely on an email lacks technical evidence; the vulnerability manager must verify the fix via a scan or manual check, as email can be spoofed or the patch may not have been applied correctly. Option C is wrong because creating a duplicate ticket for every asset does not verify the fix; it only duplicates administrative overhead and does not confirm the vulnerability is resolved on any asset.

50
MCQ · medium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For control selection, which control best addresses the stated weakness without hiding risk?

A. Wait for the next quarterly review
B. Delete all audit logs to reduce liability
C. Restrict public access and determine whether sensitive data was accessed
D. Rotate database administrator passwords only
Answer: C

The priority is exposure containment and impact assessment.

Why this answer

Option C is correct because the immediate priority is to eliminate the public read access vulnerability to prevent further unauthorized data exposure. After restricting access, the team must determine whether sensitive data was accessed by reviewing access logs (e.g., AWS CloudTrail or GCP Audit Logs) to assess the scope of potential breach, which is a standard incident response step. This approach directly mitigates the weakness without concealing risk, aligning with vulnerability management best practices.

Exam trap

Cisco often tests the misconception that deleting audit logs reduces liability, but in reality, it destroys evidence and violates compliance requirements, making Option B a tempting but dangerous distractor.

How to eliminate wrong answers

Option A is wrong because waiting for the next quarterly review leaves a publicly accessible storage bucket containing customer exports exposed, violating data protection requirements and increasing the risk of a data breach. Option B is wrong because deleting audit logs to reduce liability destroys forensic evidence needed to determine if sensitive data was accessed, which is a violation of legal hold and compliance obligations (e.g., GDPR, HIPAA) and constitutes spoliation of evidence.

51
MCQ · hard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Database transaction log backups
B. Software composition analysis in the CI/CD pipeline
C. Physical badge access reviews
D. Wireless spectrum analysis
Answer: B

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it automatically scans the application's dependencies against known vulnerability databases (e.g., NVD, OSS Index) to identify vulnerable open-source libraries. Integrating SCA into the CI/CD pipeline ensures vulnerabilities are caught before deployment, aligning with the 'shift left' security principle. This is the only option that directly addresses the need to find vulnerable open-source libraries at the build stage.

Exam trap

Cisco often tests the distinction between vulnerability scanning (SCA) and unrelated operational controls (backups, physical security) to see if candidates understand that each control serves a specific domain within vulnerability management.

How to eliminate wrong answers

Option A is wrong because database transaction log backups are a data recovery and integrity control, not a mechanism for identifying vulnerable open-source libraries; they do not analyze dependencies or check for known CVEs. Option C is wrong because physical badge access reviews control physical access to facilities, not software supply chain security; they have no relevance to scanning open-source libraries for vulnerabilities in a CI/CD pipeline.

52
MCQ · easy

The analyst sees this alert from a vulnerability scanner. What is the MOST immediate action?

A. Report the finding to management
B. Isolate web01 from the network
C. Investigate if any exploit code exists
D. Upgrade web01 to version 2.3.4
Answer: C

Determining exploitability helps prioritize response.

Why this answer

The correct answer is C because the most immediate action when a vulnerability scanner alert is received is to investigate whether any exploit code exists for the identified vulnerability. This determines the urgency and risk level: if exploit code is publicly available, the vulnerability is likely to be actively targeted, requiring rapid remediation. Without this investigation, the team cannot prioritize the response effectively, as the vulnerability may be theoretical or require complex exploitation.

Exam trap

CompTIA often tests the misconception that the first step after a vulnerability scan is to patch or isolate, but the correct immediate action is always to assess exploitability and risk before taking remediation steps.

How to eliminate wrong answers

Option A is wrong because reporting to management is a secondary step after technical validation and risk assessment; immediate reporting without investigation delays critical response. Option B is wrong because isolating web01 from the network is a drastic action that may be unnecessary if the vulnerability is not exploitable or if the service is critical; isolation should only occur after confirming active exploitation or high risk. Option D is wrong because upgrading to version 2.3.4 assumes a patch exists and is the correct fix, but the immediate priority is to understand the threat level, not to apply an unverified update that could introduce instability or incompatibility.

53
MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Use only the vendor marketing page
B. Environmental scoring and compensating-control review
C. Change all findings to low severity
D. Ignore the vulnerability because it is internal
Answer: B

Environmental factors help translate generic severity into local risk.

Why this answer

Option B is correct because CVSS base scores assume a default, worst-case environment. For a vulnerability with a 9.8 base score that is only reachable from a restricted admin subnet, an environmental scoring (CVSS v3.1 Environmental Metric Group) adjusts the severity based on the actual attack surface, and a compensating-control review documents whether existing controls (e.g., network ACLs, jump-box restrictions) mitigate the risk. This analysis is essential for stakeholder management to justify the risk acceptance or remediation priority, and the resulting documentation (e.g., risk acceptance form signed by the authorizing official) keeps the program defensible under audit.

Exam trap

Cisco often tests the misconception that a high CVSS base score always requires immediate patching regardless of environment, but the trap here is that candidates ignore the need for environmental scoring and compensating-control documentation to justify a delayed remediation in a segmented network.

How to eliminate wrong answers

Option A is wrong because a vendor marketing page is not a valid source for vulnerability analysis; it lacks technical detail and does not account for the organization's specific network segmentation or compensating controls, making it useless for defensible risk management. Option C is wrong because arbitrarily changing all findings to low severity violates vulnerability management policy and audit requirements; it bypasses proper risk assessment and would be flagged as a control failure during compliance reviews.

54
MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For control selection, which control best addresses the stated weakness without hiding risk?

A. Ignore the vulnerability because it is internal
B. Use only the vendor marketing page
C. Environmental scoring and compensating-control review
D. Change all findings to low severity
Answer: C

Environmental factors help translate generic severity into local risk.

Why this answer

Option C is correct because a CVSS 9.8 vulnerability (critical, with network attack vector, low complexity, no privileges required, and no user interaction) that is only reachable from a restricted admin subnet requires environmental scoring to adjust the base score based on the actual attack surface (e.g., modified attack vector to 'adjacent network' or 'local') and a compensating-control review to verify that existing security measures (e.g., strict ACLs, jump-box requirements, network segmentation) effectively mitigate the risk. This approach aligns with the CVSS specification (v3.1) for environmental metrics and NIST SP 800-30 guidance for risk assessment, ensuring that the residual risk is accurately understood before selecting controls.

Exam trap

Cisco often tests the misconception that a high CVSS score always demands immediate patching regardless of environment, when in fact environmental scoring and compensating controls can legitimately reduce the effective risk, and candidates must recognize that ignoring or reclassifying findings is never the correct approach.

How to eliminate wrong answers

Option A is wrong because ignoring a vulnerability solely because it is internal violates the principle of defense in depth; internal threats (e.g., compromised admin credentials, insider misuse) can still exploit a critical vulnerability, and the CVSS base score already accounts for network reachability, not trust zones. Option B is wrong because vendor marketing pages are promotional and lack objective, technical details about exploitability, mitigations, or environmental factors; relying on them would bypass authoritative sources like the CVE entry, vendor security advisories, or CVSS vector strings. Option D is wrong because changing all findings to low severity is a form of risk hiding that obscures true exposure, violates vulnerability management policy (e.g., PCI DSS Requirement 6.2), and prevents proper prioritization; severity should be based on actual risk, not arbitrary reclassification.

55
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For control selection, which control best addresses the stated weakness without hiding risk?

A. The number of installed fonts
B. Whether the hostname is shorter
C. The colour of the scanner dashboard
D. Asset criticality, exposure, and business impact
Answer: D

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which is a function of asset criticality, exposure, and business impact. The public payment API has high business impact and external exposure, making it a priority over the isolated lab server, regardless of technical similarities. This aligns with the CVSS environmental metrics and organizational risk management frameworks.

Exam trap

Cisco often tests the concept that identical technical vulnerabilities can have vastly different remediation priorities based on asset context, not on superficial attributes like hostname or UI settings.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts is a cosmetic or resource attribute with no bearing on vulnerability severity, exploitability, or business risk. Option B is wrong because hostname length is irrelevant to security posture or remediation priority; it does not affect exposure, criticality, or impact. Option C is wrong because the colour of the scanner dashboard is a UI theme setting that has no technical relationship to vulnerability prioritization or control selection.

56
Multi-Select · medium

Which three of the following are best practices for integrating vulnerability scanning into a continuous integration/continuous deployment (CI/CD) pipeline? (Choose three.)

Select 3 answers
A. Scanning only the production environment after deployment to ensure real-world security
B. Embedding static application security testing (SAST) into the build phase to catch code-level vulnerabilities early
C. Using container image scanning tools to detect known vulnerabilities in base images before deployment
D. Disabling all vulnerability scanning during development to accelerate build times
E. Automating dynamic application security testing (DAST) in a staging environment that mirrors production
F. Scanning dependencies only when a new vulnerability disclosure is published

Why this answer

The three best practices are embedding SAST in the build phase, scanning container images for known vulnerabilities in base images before deployment, and automating DAST in a staging environment that mirrors production. Embedding SAST into the build phase allows developers to identify and fix code-level vulnerabilities (e.g., SQL injection, buffer overflows) early in the development lifecycle, reducing remediation cost and preventing insecure code from progressing further down the pipeline. Image scanning catches inherited CVEs before an image is promoted, and DAST in a production-like staging environment finds runtime issues (misconfigurations, authentication flaws) that static analysis cannot, without running intrusive tests against production. This shift-left approach aligns with DevSecOps principles by catching flaws before they reach integration or production environments.

Exam trap

CompTIA often tests the misconception that security scanning should be deferred to later stages (like production) to avoid slowing down development, but the correct approach is to integrate scanning early and often (shift-left) while using automated gates to maintain both speed and security.

57
MCQ · medium

A security analyst is configuring a vulnerability scan for a demilitarized zone (DMZ) containing public-facing web servers. The analyst wants to minimize the risk of causing a denial-of-service condition on the servers. Which of the following scan settings should be configured?

A.Enable a full port scan.
B.Disable safe checks to speed up the scan.
C.Increase the scan timeout values.
D.Limit the number of concurrent checks.
AnswerD

This reduces the load and lowers the risk of DoS.

Why this answer

Limiting the number of concurrent checks (option D) reduces the simultaneous requests sent to the target servers, which prevents overwhelming the web server's connection pool or CPU. This is the most direct way to minimize the risk of a denial-of-service condition during a vulnerability scan, especially in a DMZ with public-facing servers that may have limited resources. In practice this maps to settings such as Nessus's "Max simultaneous checks per host" and "Max simultaneous hosts per scan" (with safe checks left enabled) or Nmap's --max-parallelism and --max-rate options; where possible, also schedule the scan in a low-traffic window and confirm the servers' health monitoring is watching while it runs.

Exam trap

CompTIA often tests the misconception that increasing timeout values or disabling safe checks will reduce the risk of denial-of-service, when in fact these settings either increase load or remove protections, making the scan more dangerous.

How to eliminate wrong answers

Option A is wrong because enabling a full port scan increases the number of probes sent to all 65,535 ports, which can overwhelm the server and cause a denial-of-service condition. Option B is wrong because disabling safe checks removes the scanner's built-in safeguards that prevent dangerous or intrusive tests, increasing the risk of crashing the server. Option C is wrong because increasing scan timeout values only extends the wait time for responses, which does not reduce the load on the server and may actually prolong the scan's impact.

58
MCQ · easy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For tool configuration: which scanner or pipeline change most directly improves result quality?

A.Ship the image and document nothing
B.Validate exploitability and rebuild from a patched base image where feasible
C.Only rename the image tag
D.Ignore all base-image vulnerabilities
AnswerB

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option B is correct because the best next step is to validate whether the OpenSSL vulnerability is actually exploitable in the context of the application, and if so, rebuild from a patched base image. This balances security with operational efficiency by not blocking the pipeline unnecessarily for unused binaries, while still ensuring that truly exploitable vulnerabilities are remediated. A "not used" claim should be checked, not assumed: confirm whether the application process actually loads or links the affected library and whether the vulnerable code path is reachable, and if it is not, record that conclusion (for example as a VEX not_affected statement with its justification) so the scanner can suppress that one finding for that image instead of base-image findings being ignored wholesale. The question asks for the 'BEST next step' for the team, not the scanner configuration, so validating exploitability before acting is the most appropriate response.

Exam trap

Cisco often tests the distinction between 'next step for the team' versus 'tool configuration change'—the trap here is that candidates may focus on the scanner configuration (e.g., ignoring base-image vulns) instead of the proper validation process, leading them to pick D or A.

How to eliminate wrong answers

Option A is wrong because shipping the image without any documentation or validation ignores the vulnerability entirely, which violates secure development practices and could lead to undetected risk. Option C is wrong because renaming the image tag does not change the vulnerable binary in the base layer; it only obscures the issue without remediation. Option D is wrong because ignoring all base-image vulnerabilities is overly permissive and could allow critical CVEs to be deployed, even if the application team claims the binary is unused—this claim must be validated, not blindly accepted.
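The following is an added example, not code from the question bank or from any scanner vendor, of the pipeline gate that questions 56 and 58 describe: it reads a Trivy-style JSON report and refuses to ship an image on CRITICAL/HIGH findings unless an exception record with an owner, a justification and an unexpired expiry covers the finding, and it turns every blocking finding with a fixed version into a "rebuild from a patched base" action. The report field names (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity), the exception-record shape, the image name and the CVE placeholders are all this example's assumptions and constructed data.

```python
"""CI gate for container image scan results (added example).

Reads a Trivy-style JSON report (field names assumed) and decides whether the
image may ship.  CRITICAL/HIGH findings block the build unless an exception
record names an owner, a justification and an unexpired expiry, so "the binary
is not used" only counts once someone has validated it and signed for it.
"""
import json
from datetime import date

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample report shaped like Trivy's JSON output.  The CVE numbers
# are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.internal/shop/api:1.4.2",
    "Results": [{
        "Target": "registry.example.internal/shop/api:1.4.2 (debian 12.5)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "libssl3",
             "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "libc6",
             "InstalledVersion": "2.36-9", "FixedVersion": "",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "curl",
             "InstalledVersion": "7.88.1-10", "FixedVersion": "7.88.1-11",
             "Severity": "MEDIUM"},
        ],
    }],
})

# Constructed exception register (the record shape is this example's own).
SAMPLE_EXCEPTIONS = [
    {"cve": "CVE-XXXX-0002", "pkg": "libc6", "owner": "platform-team",
     "justification": "no upstream fix; affected function not reachable from "
                      "the service (verified by call-graph review)",
     "compensating_controls": ["container runs as non-root", "egress denied"],
     "expires": "2030-06-30"},
]


def valid_exception(cve, pkg, exceptions, today):
    """Return the record covering (cve, pkg) only if it is complete and unexpired."""
    for rec in exceptions:
        if rec.get("cve") != cve or rec.get("pkg") != pkg:
            continue
        if not all(rec.get(k) for k in ("owner", "justification", "expires")):
            continue  # an undocumented exception is not an exception
        if date.fromisoformat(rec["expires"]) < today:
            continue  # expired: the risk must be re-accepted or fixed
        return rec
    return None


def evaluate(report_json, exceptions, today_iso):
    """Gate decision: ship only if every blocking finding is fixed or validly excepted."""
    today = date.fromisoformat(today_iso)
    report = json.loads(report_json)
    blocking, accepted, advisory, actions = [], [], [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            finding = {"cve": v["VulnerabilityID"], "pkg": v["PkgName"],
                       "installed": v.get("InstalledVersion", ""),
                       "fixed": v.get("FixedVersion", ""),
                       "severity": v["Severity"]}
            if finding["severity"] not in BLOCKING_SEVERITIES:
                advisory.append(finding)  # reported, does not block
                continue
            rec = valid_exception(finding["cve"], finding["pkg"], exceptions, today)
            if rec is not None:
                accepted.append({**finding, "owner": rec["owner"], "expires": rec["expires"]})
                continue
            blocking.append(finding)
            if finding["fixed"]:
                actions.append(f"rebuild from a base image with {finding['pkg']} "
                               f">= {finding['fixed']} ({finding['cve']})")
            else:
                actions.append(f"no fix for {finding['pkg']} ({finding['cve']}): validate "
                               "exploitability, then record an exception or replace the component")
    return {"ship": not blocking, "blocking": blocking, "accepted": accepted,
            "advisory": advisory, "actions": actions}


if __name__ == "__main__":
    decision = evaluate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, "2025-01-15")
    print("ship:", decision["ship"])
    for line in decision["actions"]:
        print(" -", line)
```

Run against the sample data the gate refuses the image: the libssl3 finding has a fixed version and no exception, so the action is to rebuild from a patched base; the libc6 finding is covered by a signed, unexpired exception and is reported as accepted risk rather than silently dropped. Once the exception's expiry passes, the same finding blocks again, which is the behaviour that keeps "not used" claims from becoming permanent.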

59
Multi-Select · easy

Which THREE of the following are common challenges in vulnerability management? (Select THREE)

Select 3 answers
A.Inability to scan all systems
B.Lack of asset inventory
C.Too many false positives
D.Excessive budget
E.Patch compatibility issues
AnswersB, C, E

Without a complete inventory, some vulnerabilities may go unmanaged.

Why this answer

Option B is correct because without a complete and accurate asset inventory, vulnerability management cannot identify which systems require scanning or patching. An asset inventory provides the foundational data for vulnerability scanning scope, and its absence leads to blind spots where unmanaged systems remain unpatched and vulnerable.

Exam trap

CompTIA often tests the distinction between operational difficulties (like scanning all systems) and foundational management challenges (like lack of asset inventory), tempting candidates to select 'Inability to scan all systems' as a core challenge when it is actually a downstream effect.

60
MCQ · easy

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For business prioritization: which recommendation gives the best risk-based order of work?

A.Patch or mitigate the VPN appliance immediately and verify exposure is removed
B.Defer all remediation until the monthly patch window
C.Start with the oldest medium vulnerability
D.Remediate only low-risk internal findings to improve closure rate
AnswerA

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The VPN appliance with a critical unauthenticated remote-code-execution flaw that is actively exploited in the wild represents an immediate and severe risk to the organization's security posture. An internet-facing device with such a vulnerability can be compromised by any attacker on the internet without authentication, leading to full system compromise and potential lateral movement into the internal network. Prioritizing remediation of this flaw over internal-only medium vulnerabilities aligns with risk-based vulnerability management principles, as the likelihood and impact of exploitation are far higher.

Exam trap

Cisco often tests the misconception that all vulnerabilities should be patched in order of severity score or age, rather than considering the business context of internet exposure and active exploitation, leading candidates to choose a technically correct but risk-ignorant option like 'start with the oldest medium vulnerability'.

How to eliminate wrong answers

Option B is wrong because deferring remediation until the monthly patch window ignores the active exploitation of a critical vulnerability, leaving the organization exposed to immediate compromise; vulnerability management requires expedited handling of actively exploited flaws outside of regular patching cycles. Option C is wrong because starting with the oldest medium vulnerability disregards the severity and exploitability of the critical flaw; age alone does not determine risk, and a medium internal vulnerability poses far less immediate danger than an internet-facing critical RCE. Option D is wrong because remediating only low-risk internal findings to improve closure rate is a metric-driven approach that sacrifices security; it fails to address the most urgent threat and could lead to a false sense of security while the critical flaw remains unpatched.

61
Multi-Select · hard

A security analyst has identified a critical vulnerability that affects multiple systems. The analyst needs to report the vulnerability to management. Which THREE elements should be included in the vulnerability report? (Choose three.)

Select 3 answers
A.Number of affected systems and their criticality
B.Specific patch installation dates for each system
C.Organizational risk appetite
D.Recommended remediation steps and timeline
E.CVSS score and vector string
AnswersA, D, E

Shows the scope of impact.

Why this answer

Option A is correct because a vulnerability report must convey the scope and business impact of the issue. Including the number of affected systems and their criticality (e.g., system classification, data sensitivity, or role in the network) allows management to prioritize remediation based on risk exposure. Without this context, management cannot assess the urgency or allocate resources effectively.

Exam trap

CompTIA often tests the distinction between management-level reporting and technical operational details, causing candidates to mistakenly include granular patch dates (Option B) instead of focusing on the elements that drive decision-making.

62
MCQ · medium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For stakeholder management: which documentation or approval is required to keep the programme defensible?

A.Delete all audit logs to reduce liability
B.Wait for the next quarterly review
C.Restrict public access and determine whether sensitive data was accessed
D.Rotate database administrator passwords only
AnswerC

The priority is exposure containment and impact assessment.

Why this answer

Option C is correct because the immediate priority is to restrict public read access to the storage bucket (for example by enabling S3 Block Public Access and removing the public ACL or bucket policy that granted it) to stop any ongoing unauthorized data exposure. The team must then determine whether sensitive data was accessed by reviewing access logs (e.g., AWS CloudTrail S3 data events or S3 server access logs) to assess the scope of the breach; both must have been enabled beforehand, so an empty log is not evidence that nothing was read. This aligns with incident response best practices: contain the exposure first, then investigate.

Exam trap

Cisco often tests the misconception that rotating passwords or deleting logs is a valid first step, when in fact the correct first action is always to contain the vulnerability (restrict access) before investigating or performing unrelated administrative tasks.

How to eliminate wrong answers

Option A is wrong because deleting audit logs destroys forensic evidence, violates compliance requirements (e.g., GDPR, PCI DSS), and increases liability by obstructing investigation. Option B is wrong because waiting for a quarterly review leaves sensitive data exposed for months, violating the principle of timely remediation and increasing risk of data exfiltration. Option D is wrong because rotating database administrator passwords does not address the public read access on the storage bucket; it is an unrelated control that does not mitigate the exposure of customer exports.
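The investigation step that follows containment, as an added example that is not part of the question bank: a parser for S3 server access log lines that reports which objects anonymous requesters read, listed or probed, and from which addresses. The field order follows the documented S3 server access log format (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request URI", status, error code, bytes sent, object size, total time, turn-around time, "referrer", "user agent", then fields this parser ignores); anonymous requests carry "-" in the requester field. The log lines, bucket, keys and addresses below are constructed.

```python
"""Triage of an S3 server access log after a public-read bucket finding (added example).

Parses S3 server access log lines and answers: did anyone other than an
authenticated principal read the customer exports?  Anonymous requests have
"-" as the requester.  All sample data is constructed.
"""
import re
from collections import defaultdict

# Documented field order; fields after the user agent are ignored by match().
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+) (?P<bytes>\S+) '
    r'(?P<size>\S+) (?P<total_ms>\S+) (?P<turnaround_ms>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

CONTENT_READ = {"REST.GET.OBJECT"}   # object body was returned
METADATA_READ = {"REST.HEAD.OBJECT"}  # existence and size confirmed
LISTING = {"REST.GET.BUCKET"}         # key names enumerated

# Constructed log lines: two anonymous sources, one authenticated owner read,
# and one anonymous request denied after public access was blocked.
SAMPLE_LOG = """\
ownercanonicalid0000 customer-exports [01/Mar/2024:10:15:02 +0000] 198.51.100.7 - A1B2C3 REST.GET.OBJECT exports/customers-2024-02.csv "GET /customer-exports/exports/customers-2024-02.csv HTTP/1.1" 200 - 524288 524288 41 12 "-" "curl/8.4.0" -
ownercanonicalid0000 customer-exports [01/Mar/2024:10:15:40 +0000] 203.0.113.9 - D4E5F6 REST.GET.BUCKET - "GET /customer-exports?list-type=2 HTTP/1.1" 200 - 1482 - 18 9 "-" "python-requests/2.31.0" -
ownercanonicalid0000 customer-exports [01/Mar/2024:10:16:03 +0000] 203.0.113.9 - G7H8I9 REST.HEAD.OBJECT exports/customers-2024-01.csv "HEAD /customer-exports/exports/customers-2024-01.csv HTTP/1.1" 200 - - 612000 4 2 "-" "python-requests/2.31.0" -
ownercanonicalid0000 customer-exports [01/Mar/2024:10:20:11 +0000] 10.20.30.40 ownercanonicalid0000 J0K1L2 REST.GET.OBJECT exports/customers-2024-02.csv "GET /customer-exports/exports/customers-2024-02.csv HTTP/1.1" 200 - 524288 524288 33 10 "-" "aws-cli/2.15.0" -
ownercanonicalid0000 customer-exports [01/Mar/2024:11:02:55 +0000] 198.51.100.7 - M3N4O5 REST.GET.OBJECT exports/customers-2024-03.csv "GET /customer-exports/exports/customers-2024-03.csv HTTP/1.1" 403 AccessDenied 243 - 5 3 "-" "curl/8.4.0" -
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage_public_access(log_text):
    """Summarise anonymous access: what was read, listed or probed, by whom, and what was denied."""
    content_reads, listings, metadata_reads, denied, unparsed = [], [], [], [], []
    by_ip = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)  # never drop lines silently during an investigation
            continue
        if rec["requester"] != "-":
            continue  # authenticated principal; review under normal access control
        by_ip[rec["ip"]] += 1
        event = {"time": rec["time"], "ip": rec["ip"], "operation": rec["operation"],
                 "key": rec["key"], "status": rec["status"], "bytes": rec["bytes"],
                 "agent": rec["agent"]}
        if not rec["status"].startswith("2"):
            denied.append(event)  # a 403 after containment shows the fix took effect
        elif rec["operation"] in CONTENT_READ:
            content_reads.append(event)
        elif rec["operation"] in LISTING:
            listings.append(event)
        elif rec["operation"] in METADATA_READ:
            metadata_reads.append(event)
    return {"content_reads": content_reads, "listings": listings,
            "metadata_reads": metadata_reads, "denied": denied, "unparsed": unparsed,
            "anonymous_requests_by_ip": dict(by_ip),
            "objects_exposed": sorted({e["key"] for e in content_reads})}


if __name__ == "__main__":
    summary = triage_public_access(SAMPLE_LOG)
    print("objects read anonymously:", summary["objects_exposed"])
    print("anonymous requests by IP:", summary["anonymous_requests_by_ip"])
```

The containment itself is a one-liner on the AWS CLI (aws s3api put-public-access-block with all four BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets settings true); the parser's job is the evidence that has to go into the incident record afterwards. A listing or a successful HEAD is still exposure even when no object body was returned, which is why the summary keeps the three classes apart rather than counting only GET.OBJECT.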

63
MCQ · easy

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For stakeholder management: which documentation or approval is required to keep the programme defensible?

A.Patch or mitigate the VPN appliance immediately and verify exposure is removed
B.Start with the oldest medium vulnerability
C.Remediate only low-risk internal findings to improve closure rate
D.Defer all remediation until the monthly patch window
AnswerA

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The critical unauthenticated remote-code-execution vulnerability on an internet-facing VPN appliance is actively exploited in the wild, posing an immediate risk of complete compromise. Remediation must be prioritized based on severity, exploitability, and exposure, making immediate patching or mitigation the only defensible first step.

Exam trap

The trap here is that candidates may choose to defer remediation to a scheduled patch window (Option D) due to change management policies, but the question explicitly requires prioritizing based on active exploitation and critical severity, overriding standard scheduling.

How to eliminate wrong answers

Option B is wrong because prioritizing the oldest medium vulnerability ignores the active exploitation and critical severity of the VPN flaw, which could lead to a full network breach. Option C is wrong because remediating only low-risk internal findings to improve closure rate is a metric-gaming approach that leaves the most dangerous vulnerability unaddressed, violating risk management principles. Option D is wrong because deferring all remediation until the monthly patch window would leave a critical, actively exploited flaw exposed for an unacceptable period, likely resulting in a security incident.

64
Matching · medium

Match each log type to its typical source.


Concepts
Matches

Windows Event Log (Security)

Linux/Unix system messages

Web server (e.g., Apache, IIS)

Database or application activity

Network firewall traffic records

Why these pairings

Different log types originate from different systems and serve distinct purposes.

65
MCQ · hard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For validation: which action should be taken before closing or downgrading the finding?

A.Change the severity to informational automatically
B.Close the finding because the owner disagrees
C.Delete the server from the scan scope
D.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
AnswerD

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the only way to resolve a discrepancy between a scanner finding and a service owner's claim is an independent test. Using a TLS client (e.g., openssl s_client with the -tls1 option, which offers only TLS 1.0) or a scanner profile that negotiates specific protocol versions shows directly whether the server completes a TLS 1.0 handshake, separating a real finding from a false positive. Test the same address and port the scanner reached: where TLS terminates on a load balancer, CDN or reverse proxy in front of the host, the owner may have disabled TLS 1.0 on a tier the scanner never touched.

Exam trap

Cisco often tests the trap that candidates will trust the service owner's assertion over the scanner's evidence, leading them to close the finding without independent verification, which violates the principle of validate-before-remediate.

How to eliminate wrong answers

Option A is wrong because automatically changing severity to informational bypasses the need for validation and could hide a real vulnerability. Option B is wrong because closing a finding solely because the owner disagrees ignores the scanner's evidence and violates due diligence in vulnerability management. Option C is wrong because deleting the server from the scan scope removes it from future assessments, which could mask a genuine security issue and is not a valid remediation step.
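The validation step in code, as an added example that is not from the question bank: probe() drives the real openssl s_client binary with its per-version flags (-tls1, -tls1_1, -tls1_2, -tls1_3) and parse_s_client_output() turns the tool's text into a verdict. Two pitfalls the parser handles: on a failed handshake s_client still prints an SSL-Session block whose Protocol line names the version the client asked for (alongside "Cipher : 0000"), so the Protocol line alone proves nothing; and "no protocols available" means the scanning host's own OpenSSL refused to offer that version, which is inconclusive, not a rejection by the server. The hostname and the three sample outputs are constructed to mirror s_client's format.

```python
"""Independent check of which TLS versions a server really negotiates (added example).

Drives `openssl s_client` one protocol version at a time and parses its output.
The sample outputs are constructed in s_client's format; the host is fictional.
"""
import re
import subprocess

VERSION_FLAGS = {"TLSv1": "-tls1", "TLSv1.1": "-tls1_1",
                 "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3"}

_PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)  # SSL-Session block
_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)      # "0000" when no session
_ERROR = re.compile(r"(handshake failure|protocol version|no protocols available|"
                    r"unsupported protocol|wrong version number)", re.I)


def parse_s_client_output(text):
    """Return {'verdict': accepted|rejected|inconclusive, 'protocol', 'cipher', 'error'}."""
    proto = _PROTOCOL.search(text)
    cipher = _CIPHER.search(text)
    err = _ERROR.search(text)
    cipher_name = cipher.group(1) if cipher else None
    # A session exists only if a real cipher was agreed and no alert was raised.
    handshake_ok = cipher_name not in (None, "0000", "(NONE)") and err is None
    if handshake_ok:
        return {"verdict": "accepted", "protocol": proto.group(1) if proto else None,
                "cipher": cipher_name, "error": None}
    error = err.group(1).lower() if err else "no session established"
    # The client refusing to offer the version says nothing about the server.
    verdict = "inconclusive" if error == "no protocols available" else "rejected"
    return {"verdict": verdict, "protocol": None, "cipher": None, "error": error}


def probe(host, port, version, timeout=15):
    """Offer exactly one protocol version to host:port and parse the outcome."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, VERSION_FLAGS[version]]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    text = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return {"version": version, **parse_s_client_output(text)}


def accepted_versions(host, port=443):
    """Verdict per version; the scanner finding stands if TLSv1 comes back 'accepted'."""
    return {v: probe(host, port, v)["verdict"] for v in VERSION_FLAGS}


# Constructed s_client outputs for the three outcomes the parser must tell apart.
SAMPLE_ACCEPTED = """\
CONNECTED(00000003)
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
---
"""
SAMPLE_REJECTED = """\
CONNECTED(00000003)
0000000000:error:0A000102:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:record layer:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
---
"""
SAMPLE_INCONCLUSIVE = """\
CONNECTED(00000003)
0000000000:error:0A0000BF:SSL routines:tls_construct_client_hello:no protocols available:client state machine:
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
---
"""

if __name__ == "__main__":
    for name, sample in (("accepted", SAMPLE_ACCEPTED), ("rejected", SAMPLE_REJECTED),
                         ("inconclusive", SAMPLE_INCONCLUSIVE)):
        print(name, "->", parse_s_client_output(sample)["verdict"])
```

Against a live target, accepted_versions("legacy.example.internal") gives the same answer as running openssl s_client -connect host:443 -tls1 by hand or Nmap's ssl-enum-ciphers script, but records why a version was not accepted. An "inconclusive" result means the probing host needs an OpenSSL build or security level that still permits TLS 1.0 before the finding can be closed either way.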

66
Multi-Select · medium

A security analyst is reviewing the results of a recent vulnerability scan. The analyst needs to prioritize remediation efforts effectively. Which four of the following factors should the analyst consider when prioritizing vulnerabilities? (Choose four.)

Select 4 answers
A.The Common Vulnerability Scoring System (CVSS) base score
B.The age of the vulnerability since its public disclosure
C.The number of times a vendor has released a patch for the vulnerability
D.The existence of publicly available exploit code
E.The asset's criticality to the organization's mission
F.The color of the vulnerability in the scan report

Why this answer

The four factors are the CVSS base score, the age of the vulnerability since public disclosure, the existence of publicly available exploit code, and the asset's criticality to the organization's mission. The Common Vulnerability Scoring System (CVSS) base score provides a standardized numerical rating (0-10) of a vulnerability's severity, factoring in exploitability and impact metrics, which lets analysts compare vulnerabilities across systems; it is a foundational input for risk-based prioritization, not the sole deciding factor. Public exploit code raises the likelihood of exploitation, age shows how long attackers have had to weaponize the flaw, and asset criticality sets the business impact if it is exploited. The number of vendor patches and the report's colour coding carry no risk information.

Exam trap

CompTIA often tests that candidates confuse the number of patches or visual indicators (like color) with actual risk factors, leading them to select those distractors instead of focusing on exploitability, asset value, and standardized scoring.

67
MCQ · hard

A security analyst is prioritizing vulnerabilities for remediation. The following vulnerabilities have been identified: Vulnerability A: CVSS v3.1 Base Score 9.8 (Critical), no known exploit, affects internet-facing web server. Vulnerability B: CVSS v3.1 Base Score 7.5 (High), exploit available, affects internal database server. Vulnerability C: CVSS v3.1 Base Score 6.1 (Medium), exploit available, affects internal file server. Vulnerability D: CVSS v3.1 Base Score 4.0 (Medium), no known exploit, affects internal workstation. Which vulnerability should be remediated FIRST?

A.Vulnerability D
B.Vulnerability C
C.Vulnerability B
D.Vulnerability A
AnswerD

Critical severity on an internet-facing system poses the greatest risk.

Why this answer

Vulnerability A has a CVSS v3.1 Base Score of 9.8 (Critical) and affects an internet-facing web server, which is directly exposed to external threats. Even though no known exploit exists, the high severity and exposure mean that a zero-day or future exploit could cause severe impact, making it the highest priority for remediation under risk-based prioritization guidance such as CVSS environmental scoring and NIST SP 800-40 (enterprise patch management planning). Exploit availability is a strong likelihood signal (it is what EPSS scores and CISA's KEV catalogue capture), so a programme that weights threat intelligence heavily would place Vulnerability B close behind; the decisive factor here is that A is reachable by any attacker on the internet while B requires a foothold inside the network first.

Exam trap

Cisco often tests the misconception that an available exploit always outweighs a higher CVSS score, but the correct prioritization must consider both severity and exposure, especially for internet-facing systems with Critical scores.

How to eliminate wrong answers

Option A (Vulnerability D) is wrong because it has a low CVSS score of 4.0, no known exploit, and affects an internal workstation, which poses minimal risk compared to internet-facing systems. Option B (Vulnerability C) is wrong because although it has an available exploit, its CVSS score is 6.1 (Medium) and it affects an internal file server, which is less critical than an internet-facing web server with a Critical score. Option C (Vulnerability B) is wrong because while it has an exploit available and a High score of 7.5, it affects an internal database server, which is not directly exposed to the internet, whereas Vulnerability A is internet-facing and has a higher severity score.

68
MCQ · medium

An analyst runs an external vulnerability scan and receives the output above. Which of the following should be the analyst's primary concern?

A.HTTPS is using a self-signed certificate
B.HTTP is open on port 80
C.RDP is filtered by a firewall
D.SSH is exposed to the internet
AnswerD

SSH is a common attack vector; if not required, it should be restricted.

Why this answer

SSH (port 22) exposed directly to the internet is the primary concern because it provides an administrative remote access channel that attackers can brute-force or exploit for credential-based attacks. Unlike HTTP or self-signed certificates, SSH exposure represents a direct attack surface for unauthorized system control, which is a critical vulnerability in external scans.

Exam trap

Cisco often tests the distinction between 'common but insecure' services (like HTTP or self-signed certs) and 'administrative exposure' (like SSH or RDP), where the latter is prioritized because it directly enables system compromise.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate on HTTPS, while not ideal, does not expose the service to remote code execution or credential theft; it primarily affects trust and encryption verification. Option B is wrong because HTTP on port 80 is a common, expected service for web traffic; while unencrypted, it is not inherently a high-risk exposure compared to administrative protocols. Option C is wrong because RDP being filtered by a firewall actually reduces risk by blocking external access, making it a security control rather than a concern.

69
MCQ · medium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For stakeholder management: which documentation or approval is required to keep the programme defensible?

A.Trust the unauthenticated result as complete
B.Increase only the port range
C.Disable host firewalls permanently
D.Run authenticated scans using least-privilege scanner credentials
AnswerD

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans only enumerate open ports and services visible without credentials, missing OS-level patch data such as missing KBs, registry settings, or file versions. Authenticated scans using least-privilege credentials allow the scanner to query the Windows registry, WMI, or WinRM to retrieve the actual installed patch level, providing accurate vulnerability results. For stakeholder management, formal approval (e.g., a signed authorization from system owners or change control board) is required to document the use of privileged credentials, ensuring the program remains defensible in audits.

Exam trap

Cisco often tests the misconception that increasing scan scope (e.g., ports or disabling firewalls) can substitute for authentication, when in fact only credentialed scanning provides the deep OS-level patch data needed for accurate vulnerability assessment.

How to eliminate wrong answers

Option A is wrong because trusting an unauthenticated result as complete ignores the fact that without credentials, the scanner cannot access registry or file-level patch data, leading to false negatives and missing critical vulnerabilities. Option B is wrong because increasing only the port range expands network-layer discovery but does not enable the scanner to retrieve OS patch information, which requires authenticated access to internal system state. Option C is wrong because disabling host firewalls permanently reduces security posture and still does not provide the scanner with the necessary credentials to query patch levels; it only removes network access controls without solving the data access problem.

70
MCQ · medium

A company wants to prioritize vulnerabilities based on exploitability and impact. Which industry standard framework should the analyst use?

A.CVSS v3
B.OWASP Top 10
C.CVE
D.NIST SP 800-53
AnswerA

CVSS provides a numeric severity score based on exploitability and impact.

Why this answer

CVSS v3 (Common Vulnerability Scoring System) is the industry-standard framework for prioritizing vulnerabilities based on exploitability and impact. It provides a numerical score (0-10) derived from metrics such as Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope, along with Confidentiality, Integrity, and Availability impact. This allows analysts to objectively rank vulnerabilities for remediation.

Exam trap

CompTIA often tests the distinction between a vulnerability scoring system (CVSS) and a vulnerability identification system (CVE), causing candidates to confuse CVE as a prioritization tool.

How to eliminate wrong answers

Option B (OWASP Top 10) is wrong because it is a list of the most critical web application security risks, not a scoring system for individual vulnerabilities; it does not assign exploitability or impact scores. Option C (CVE) is wrong because it is a dictionary of publicly disclosed vulnerabilities with unique identifiers, not a prioritization or scoring framework. Option D (NIST SP 800-53) is wrong because it is a catalog of security controls for federal information systems, not a vulnerability scoring methodology.

71
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For business prioritization: which recommendation gives the best risk-based order of work?

A.The number of installed fonts
B.The colour of the scanner dashboard
C.Whether the hostname is shorter
D.Asset criticality, exposure, and business impact
AnswerD

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Option D is correct because remediation priority in vulnerability management is determined by asset criticality, exposure, and business impact, not by superficial attributes. The public payment API server has high business impact and exposure to external threats, making it a higher priority than the isolated lab server, even though both share the same vulnerability. This aligns with risk-based prioritization frameworks such as CVSS environmental metrics and FAIR analysis.

Exam trap

Cisco often tests the misconception that all vulnerabilities with the same CVSS base score should be remediated with equal urgency, ignoring the critical role of asset context and business impact in risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts has no bearing on vulnerability severity, exploitability, or business risk; it is an irrelevant system configuration detail. Option B is wrong because the colour of the scanner dashboard is a cosmetic UI element that does not affect technical risk assessment or prioritization decisions. Option C is wrong because hostname length is arbitrary and does not correlate with asset criticality, exposure, or the likelihood of exploitation; a shorter hostname does not indicate higher risk.

72
MCQ · medium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For control selection: which control best addresses the stated weakness without hiding risk?

A.The phishing training completion list
B.The risk register with owner, justification, expiry date, and compensating controls
C.The firewall vendor invoice
D.The incident containment playbook only
AnswerB

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

Option B is correct because when a business unit accepts the risk of delaying a patch, the risk register must be updated to formally document the risk acceptance. This update should include the risk owner, the business justification for the delay, an expiry date for the exception, and any compensating controls (e.g., network segmentation, enhanced monitoring) that reduce the risk during the gap. This ensures the risk is tracked, reviewed, and eventually remediated, aligning with vulnerability management best practices.

Exam trap

Cisco often tests the distinction between operational activities (e.g., training, billing) and formal risk management documentation; the trap here is that candidates may confuse updating a training list or invoice with the required risk register update, failing to recognize that risk acceptance must be formally recorded with ownership and compensating controls.

How to eliminate wrong answers

Option A is wrong because phishing training completion lists address user awareness and social engineering risks, not the technical risk of delaying a critical patch; updating this list does not document or manage the accepted risk. Option C is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management; it does not capture the risk owner, justification, expiry date, or compensating controls needed for formal risk tracking. Option D is wrong because the incident containment playbook describes how to respond once something goes wrong; it is not the record of a consciously accepted risk, and updating it alone leaves the exception untracked, unowned and without an expiry.

73
MCQ · medium

During a vulnerability scan, an analyst discovers a high-severity vulnerability on a critical database server. The server is in production and cannot be taken offline. The vendor has released a patch but requires a reboot. Which of the following should the analyst recommend FIRST?

A.Implement a workaround from the vendor.
B.Schedule the patch during the next maintenance window.
C.Apply the patch immediately.
D.Migrate the database to a new server.
AnswerB

This balances security with availability.

Why this answer

Option B is correct because the database server is in production and cannot be taken offline, so the patch must be applied during a scheduled maintenance window to minimize business disruption. The vulnerability is high-severity, but the vendor's patch requires a reboot that would cause downtime; therefore the first recommendation is to plan the patch for the next available maintenance window, not to apply it immediately or to rely on a workaround that may not fully mitigate the risk. Scheduling the patch does not mean doing nothing until then: the analyst should still apply any vendor-provided mitigation and compensating controls (restricting network access to the database, increased monitoring) in the interim and record the accepted risk with its expiry, but the planned, tested patch remains the primary recommendation.

Exam trap

CompTIA often tests the candidate's ability to prioritize business continuity over immediate remediation, leading candidates to incorrectly choose 'Apply the patch immediately' (Option C) because they focus solely on the high severity without considering the operational impact of a reboot on a critical production server.

How to eliminate wrong answers

Option A is wrong because implementing a workaround from the vendor is a temporary measure that may not fully address the vulnerability and could introduce additional complexity or performance issues; the analyst should prioritize the patch itself. Option C is wrong because applying the patch immediately would cause an unplanned reboot of a critical production database server, leading to unacceptable downtime and potential data loss or corruption. Option D is wrong because migrating the database to a new server is a drastic, time-consuming, and high-risk operation that is not the first recommendation; it should only be considered if patching is impossible or the server is end-of-life.

74
Multi-Select · medium

Which TWO of the following are best practices for vulnerability scanning in a PCI DSS compliant environment? (Select TWO)

Select 2 answers
A.Perform quarterly scans
B.Scan only external IP ranges
C.Use a single scanning vendor
D.Scan after any significant network change
E.Use authenticated scanning for more accurate results
AnswersA, E

PCI DSS requires quarterly internal and external vulnerability scans (Requirement 11.2 in v3.2.1; Requirement 11.3 in v4.0), with external scans performed by an Approved Scanning Vendor (ASV).

Why this answer

Option A is correct because PCI DSS mandates internal and external vulnerability scans at least quarterly, with rescans until passing results are obtained and external scans performed by an ASV. Option E is correct because authenticated scanning sees installed software and patch state that an unauthenticated scan cannot, and PCI DSS v4.0 (Requirement 11.3.1.2) makes authenticated internal scanning an explicit requirement.

Option B is wrong because PCI DSS requires internal scans of the cardholder data environment as well as external scans. Option C is wrong because no requirement limits the programme to a single vendor; the constraint is that external scans come from an ASV. Option D describes something PCI DSS also requires (scans after any significant change: 11.2.3 in v3.2.1, 11.3.1.3 and 11.3.2.1 in v4.0), so this item's key is debatable; the exam expects the quarterly cadence and authenticated scanning as the answer, but in practice post-change scanning is mandatory too.

75
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For tool configuration: which scanner or pipeline change most directly improves result quality?

A.The number of installed fonts
B.The colour of the scanner dashboard
C.Asset criticality, exposure, and business impact
D.Whether the hostname is shorter
AnswerC

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which combines asset criticality, exposure, and business impact. The public payment API has high exposure (internet-facing) and high business impact (PCI DSS compliance, financial data), while the lab server is isolated and non-production. A vulnerability scanner like Nessus or Qualys uses asset tags and CVSS environmental metrics (e.g., modified impact sub-scores) to calculate a risk-based priority score, not the number of installed fonts or dashboard color.

Exam trap

Cisco often tests the misconception that vulnerability severity alone (e.g., a high CVSS score) determines remediation priority, ignoring that asset context—exposure, criticality, and business impact—is the actual driver of risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts is a cosmetic system attribute with no bearing on vulnerability severity, exposure, or business impact; it does not affect CVSS scoring or remediation prioritization. Option B is wrong because the color of the scanner dashboard is a purely aesthetic UI setting that has zero influence on scan results, risk calculation, or the quality of vulnerability detection. Option D is wrong because hostname length is an arbitrary naming choice with no relationship to exposure, criticality, or exploitability.
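The prioritization rules that questions 60, 63, 66, 67, 71 and 75 all turn on, written out as a scoring function. This is an added example, not the question bank's or any vendor's algorithm: the weights and the SLA buckets are this example's assumptions, chosen so that internet exposure and active exploitation dominate, asset criticality and exploit availability come next, and age since disclosure is a tie-breaker. Under those assumptions it reproduces the page's answers: Vulnerability A before B, C and D in question 67, the actively exploited VPN appliance ahead of internal mediums in questions 60 and 63, and the same CVE ranked very differently on a payment API and an isolated lab server in questions 71 and 75. Where a question does not state an asset's criticality, the value used is marked as assumed.

```python
"""Risk-based ranking of findings from context, not CVSS alone (added example).

Weights, SLA buckets and any criticality not stated in the questions are
assumptions of this example.
"""
from dataclasses import dataclass

EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
CRITICALITY_FACTOR = {"high": 1.0, "medium": 0.8, "low": 0.5}
EXPLOIT_AVAILABLE_BONUS = 1.5   # public exploit code exists
ACTIVELY_EXPLOITED_BONUS = 3.0  # exploitation observed in the wild
MAX_AGE_BONUS = 0.5             # reached at 365 days since disclosure


@dataclass
class Finding:
    name: str
    cvss_base: float
    exposure: str            # internet | internal | isolated
    criticality: str         # high | medium | low
    exploit_available: bool = False
    actively_exploited: bool = False
    days_public: int = 0


def risk_score(f):
    """CVSS scaled by where the asset sits and what it supports, plus threat signals."""
    score = f.cvss_base * EXPOSURE_FACTOR[f.exposure] * CRITICALITY_FACTOR[f.criticality]
    if f.exploit_available or f.actively_exploited:
        score += EXPLOIT_AVAILABLE_BONUS
    if f.actively_exploited:
        score += ACTIVELY_EXPLOITED_BONUS
    score += MAX_AGE_BONUS * min(f.days_public, 365) / 365
    return round(score, 2)


def sla(f):
    """Remediation window (assumed policy); exploited internet-facing flaws leave the patch cycle."""
    if f.actively_exploited and f.exposure == "internet":
        return "emergency: mitigate now, outside the patch cycle"
    s = risk_score(f)
    if s >= 9.0:
        return "7 days"
    if s >= 6.0:
        return "30 days"
    if s >= 3.0:
        return "90 days"
    return "next scheduled cycle"


def rank(findings):
    """Highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def question_67():
    # Criticalities are assumed: web and database servers high, file server medium, workstation low.
    findings = [Finding("A", 9.8, "internet", "high"),
                Finding("B", 7.5, "internal", "high", exploit_available=True),
                Finding("C", 6.1, "internal", "medium", exploit_available=True),
                Finding("D", 4.0, "internal", "low")]
    return [f.name for f in rank(findings)]


def question_60():
    # CVSS values assumed: critical unauthenticated RCE as 9.8, an internal medium as 6.5.
    vpn = Finding("VPN appliance unauthenticated RCE", 9.8, "internet", "high",
                  exploit_available=True, actively_exploited=True)
    internal = Finding("internal-only medium", 6.5, "internal", "medium")
    return [(f.name, sla(f)) for f in rank([vpn, internal])]


def question_71():
    # Same CVE, same base score; only the asset context differs.
    api = Finding("payment API", 9.8, "internet", "high")
    lab = Finding("isolated lab server", 9.8, "isolated", "low")
    return {f.name: risk_score(f) for f in (api, lab)}


if __name__ == "__main__":
    print("question 67 order:", question_67())
    print("question 60:", question_60())
    print("question 71:", question_71())
```

The factors are deliberately transparent so that an auditor can trace why a 7.5 with a public exploit on an internal host ranks below a 9.8 on an internet-facing server but above a 6.1; commercial scanners express the same idea through CVSS environmental metrics and asset tags, and a programme can swap the exploit bonuses for EPSS probabilities or a KEV flag without changing the structure.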
