CompTIA CySA+

Vulnerability Management

51 free practice questions with explanations

PassNova has 51 free CompTIA CySA+ practice questions on Vulnerability Management, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Vulnerability Management: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 51 for free in the browser.

  1. In CVSS v3.1, a base score of 9.4 falls into which qualitative severity rating?

    • A Critical
    • B Medium
    • C Low
    • D None

    Answer: In CVSS v3.1 the Critical band is 9.0 to 10.0, so a base score of 9.4 is rated Critical.

  2. A scanner reports a vulnerability that does not actually exist on the target system. How should this finding be classified?

    • A True positive
    • B False negative
    • C True negative
    • D False positive

    Answer: A false positive is a finding that indicates a problem which is not actually present, requiring validation before remediation effort is spent.

  3. An organisation must scan systems without authentication, simulating an external attacker's view. Which scan type meets this need?

    • A Manual tabletop exercise
    • B Unauthenticated (credential-less) scan
    • C Credentialed scan with admin login
    • D Source code SAST scan

    Answer: An unauthenticated scan probes systems from the outside without credentials, reflecting what an external attacker could discover.

  4. Which CVSS v3.1 base metric describes whether exploitation requires no special conditions or instead depends on conditions outside the attacker's control?

    • A Scope
    • B Attack Complexity
    • C Confidentiality Impact
    • D Privileges Required

    Answer: Attack Complexity reflects whether exploitation requires conditions beyond the attacker's control; Low means no special conditions are needed.

  5. A credentialed (authenticated) vulnerability scan is generally preferred over an unauthenticated scan because it:

    • A Is undetectable by the target system
    • B Requires no permission from system owners
    • C Only scans network ports and ignores software
    • D Provides more accurate results with fewer false positives by reading host configuration

    Answer: Authenticated scans log in to inspect installed software, patch levels, and configuration directly, yielding more accurate findings and fewer false positives.

  6. An organisation cannot patch a vulnerable legacy application immediately, so it places the system behind a web application firewall and restricts network access. This temporary measure is best described as:

    • A Decommissioning the asset
    • B A compensating control
    • C A root-cause fix
    • D Risk acceptance with no action

    Answer: A compensating control reduces risk when the primary remediation cannot be applied immediately, such as adding a WAF and network restrictions around an unpatchable system.
