Domain 2: Vulnerability Management makes up 30% of the CompTIA CySA+ (CS0-003) exam. It's one of the most technical and hands-on sections. This guide breaks it down into manageable parts with real-world context and tools you’ll need to know.
🔍 Core Concepts You Must Understand
- Vulnerability scanning: Techniques and scan types (credentialed/authenticated vs. non-credentialed, agent-based vs. agentless, active vs. passive), internal vs. external scans
- Risk prioritization: Using CVSS scores, exploitability (is the flaw being exploited in the wild?) and business impact to rank issues
- Remediation strategies: Patch, mitigate with compensating controls, accept or transfer the risk, or document an exception, depending on the environment
- Patch management: Patch lifecycle, testing, rollback plans
- Validation and verification: Re-scanning after patching to confirm success
- False positives/negatives: Identifying and reporting inaccurate scan results
🛠 Key Vulnerability Scanning Tools
- Nessus – Widely used scanner with detailed reporting and vulnerability ranking
- OpenVAS – Free and open-source alternative with solid scanning capabilities
- Qualys – Enterprise cloud-based scanner, used by many large organizations
- Nmap – Port scanning and network discovery tool, useful for identifying open services
- Burp Suite – Web application testing proxy; the Professional edition adds an active web vulnerability scanner
- CVE / NVD – CVE is MITRE's catalog of identifiers for publicly known vulnerabilities; NVD is NIST's database that enriches CVE entries with CVSS scores and affected-product (CPE) data. Both are used for research and correlation
📌 Sample Real-World Scenario
Scenario: You perform a vulnerability scan and discover an outdated Apache server (CVSS 9.8) in your DMZ.
What’s the best course of action?
- A. Patch it immediately
- B. Notify the system owner and open a change control request
- C. Disable the web server to prevent exploitation
- D. Report it as a false positive and ignore
Correct Approach: Usually B. Follow the change management process: notify the system owner, raise a change request (the emergency change path, given a 9.8 on an Internet-facing host) and apply interim compensating controls such as tightening firewall rules or adding a WAF rule while the patch is tested. A and C bypass change control and risk an unplanned outage; D dismisses a critical finding without verifying it. The exam expects this type of operational thinking, not impulsive fixes.
📊 CVSS and Risk-Based Prioritization
Don't rely on the CVSS base score alone. You must also assess:
- Asset value (production vs. test system, and what data it handles)
- Threat likelihood (Internet-facing vs. internal, whether exploit code is public, and whether the flaw is being actively exploited, as tracked in CISA's Known Exploited Vulnerabilities catalog)
- Potential impact (data exposure, service outage, regulatory consequences)
CVSS itself provides environmental (and, in v3.x, temporal) metrics for exactly this kind of adjustment. The exam may give you a list of 10 vulnerabilities and ask which to fix first. Think like a security analyst, not a script-runner.
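Here is what that analyst thinking looks like in code. This is an added example written for this guide, not CompTIA material or any scanner's logic: a small Python ranker that adjusts the CVSS base score for exposure, asset value and known exploitation. The multipliers are an illustrative scheme rather than a standard, and every host and finding is constructed.

```python
"""Rank scan findings by risk rather than by CVSS base score alone.

Added example for this study guide; it is not CompTIA's material or any
scanner's logic. The weighting below is an illustrative scheme, not a
standard, and every host and finding is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float             # CVSS v3.x base score, 0.0-10.0
    internet_facing: bool   # exposure: reachable from the Internet?
    criticality: int        # asset value, 1 (lab/test) .. 5 (revenue-critical production)
    known_exploited: bool   # e.g. listed in CISA's Known Exploited Vulnerabilities catalog


def risk_score(f: Finding) -> float:
    """CVSS base score adjusted for exposure, asset value and real-world exploitation.

    The multipliers are assumptions chosen to make the ordering visible; a real
    program would tune them (or use CVSS environmental metrics) to its own context.
    """
    score = f.cvss
    score *= 1.5 if f.internet_facing else 1.0   # external exposure raises likelihood
    score *= 0.6 + 0.2 * f.criticality           # criticality 1 -> x0.8, 5 -> x1.6
    if f.known_exploited:
        score += 3.0                             # active exploitation trumps theory
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by host name so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host))


# Constructed sample: the same Apache finding appears twice, on very different assets.
SAMPLE_FINDINGS = [
    Finding("dmz-web-01", "Outdated Apache HTTP Server", 9.8, True, 4, False),
    Finding("lab-vm-07", "Outdated Apache HTTP Server", 9.8, False, 1, False),
    Finding("erp-db-01", "Database engine missing authentication patch", 7.5, False, 5, False),
    Finding("vpn-gw-01", "VPN appliance authentication bypass", 8.1, True, 5, True),
    Finding("hr-portal-01", "Reflected cross-site scripting", 6.1, True, 3, False),
]


def ranked_hosts(findings: Optional[List[Finding]] = None) -> List[str]:
    """Host names in fix-first order for the given (or the sample) findings."""
    findings = SAMPLE_FINDINGS if findings is None else findings
    return [f.host for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  CVSS {f.cvss:<4}  {f.host:<13} {f.title}")
```

Run it and the two identical 9.8 Apache findings land at opposite ends of the list (20.58 for the DMZ host, 7.84 for the lab VM), while the 8.1 VPN bypass that is actively exploited outranks both. That is the ordering the exam is looking for.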
🚨 False Positives & Verification
After scanning, some findings might be:
- False positives: The scanner incorrectly flagged a vulnerability
- False negatives: A real issue was missed due to scanner limitations
You’ll be expected to know how to confirm or disprove a finding with independent evidence: query the service directly (for example with Nmap or by reading its banner), check the installed package version on the host, compare against the vendor advisory (a distribution may backport a fix without changing the version string the scanner matched on), or run a credentialed scan, then document the result so the finding can be closed as a false positive or escalated.
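The validation step from the core concepts list (re-scanning after patching) and the false-positive question above come together in one added example, written for this guide rather than taken from Nessus, OpenVAS or any other scanner's tooling. It diffs a baseline scan against a post-patch re-scan and separates remediated, still-open, new and manually confirmed false-positive findings. The hosts, plugin IDs, findings and the record layout are all assumptions.

```python
"""Verify remediation by diffing a baseline scan against a post-patch re-scan.

Added example for this study guide; it is not output from Nessus, OpenVAS or
any other scanner. Hosts, plugin IDs and findings are constructed, and the
record layout (host, plugin_id, title, cvss) is an assumption rather than any
vendor's export format.
"""
from typing import Dict, Iterable, List, Set, Tuple

FindingKey = Tuple[str, int]   # (host, scanner check/plugin ID)


def finding_key(f: Dict) -> FindingKey:
    return (f["host"], f["plugin_id"])


def scans_comparable(baseline_meta: Dict, rescan_meta: Dict) -> bool:
    """Refuse to compare unlike scans: a credentialed baseline diffed against an
    uncredentialed re-scan 'closes' findings the second scan could not see,
    i.e. it manufactures false negatives."""
    return (baseline_meta["credentialed"] == rescan_meta["credentialed"]
            and baseline_meta["scope"] == rescan_meta["scope"])


def verification_report(baseline: Iterable[Dict], rescan: Iterable[Dict],
                        confirmed_false_positives: Set[FindingKey]) -> Dict[str, List[FindingKey]]:
    """Classify every finding as remediated, still open, false positive or new.

    A finding that persists after patching is either a failed remediation or a
    false positive; only a manual check on the host decides which, so the
    analyst's confirmed false positives are passed in explicitly."""
    before = {finding_key(f) for f in baseline}
    after = {finding_key(f) for f in rescan}
    persisting = before & after
    return {
        "remediated": sorted(before - after),
        "still_open": sorted(k for k in persisting if k not in confirmed_false_positives),
        "false_positive": sorted(k for k in persisting if k in confirmed_false_positives),
        "new": sorted(after - before),
    }


# Constructed scan metadata and findings (not real scanner output).
BASELINE_META = {"credentialed": True, "scope": "dmz"}
RESCAN_META = {"credentialed": True, "scope": "dmz"}

BASELINE = [
    {"host": "dmz-web-01", "plugin_id": 10001, "title": "Outdated Apache HTTP Server (banner check)", "cvss": 9.8},
    {"host": "dmz-web-01", "plugin_id": 10002, "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "app-01", "plugin_id": 10001, "title": "Outdated Apache HTTP Server (banner check)", "cvss": 9.8},
    {"host": "app-01", "plugin_id": 10003, "title": "Outdated OpenSSH server", "cvss": 7.5},
]
RESCAN = [
    {"host": "dmz-web-01", "plugin_id": 10002, "title": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "app-01", "plugin_id": 10001, "title": "Outdated Apache HTTP Server (banner check)", "cvss": 9.8},
    {"host": "app-01", "plugin_id": 10004, "title": "Unsupported PHP version", "cvss": 7.5},
]

# app-01's Apache finding was checked by hand: the distribution package had the
# fix backported, so the version banner the scanner matched on is misleading.
CONFIRMED_FALSE_POSITIVES: Set[FindingKey] = {("app-01", 10001)}


def run_example() -> Dict[str, List[FindingKey]]:
    """Diff the constructed baseline and re-scan, refusing unlike scan types."""
    if not scans_comparable(BASELINE_META, RESCAN_META):
        raise ValueError("baseline and re-scan differ in credentials or scope; diff is unreliable")
    return verification_report(BASELINE, RESCAN, CONFIRMED_FALSE_POSITIVES)


if __name__ == "__main__":
    for status, keys in run_example().items():
        print(f"{status:15} {keys}")
```

The still_open bucket is the one to act on: the TLS 1.0 finding survived the patch window, so either the change did not land or it was never in scope. The comparability check matters just as much; an uncredentialed re-scan would have "closed" the OpenSSH finding whether or not it was fixed.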
🧠 Practice What You Learn
We built a domain-specific quiz so you can test yourself on everything above:
🧪 Try the CySA+ Domain 2 Quiz
✅ Summary
Vulnerability management is about detecting, prioritizing, and addressing security weaknesses effectively. You need to know the tools, processes, and how to act based on business context—not just scores.
Practice is key. Click here to take our CompTIA CySA+ quiz now and reinforce your knowledge.