Browse CompTIA Certification Guides

CompTIA N10-009 Risk, Vulnerability, Exploit & CIA Guide

March 29, 2026

Study CompTIA N10-009 Risk, Vulnerability, Exploit & CIA: key concepts, common traps, and exam decision cues.

On this page

Security terminology questions are classification questions. CompTIA uses them to check whether you can keep the basic security language straight under pressure. If you confuse the weakness with the attack method or the risk with the control objective, you usually pick the wrong answer later in the scenario.

Exploit: A method or code path used to take advantage of a vulnerability.

CIA triad: Confidentiality, integrity, and availability, the three core security objectives used to describe what needs protection.

Vulnerability: A weakness that could be used by a threat or exploit path.

What CompTIA is really testing

The strongest answers usually depend on whether you can separate:

  • threat from vulnerability
  • vulnerability from exploit
  • exploit from impact
  • confidentiality from integrity from availability

Keep the terms straight

Term What it means
threat a possible danger, actor, event, or condition that could cause harm
vulnerability a weakness that can be taken advantage of
exploit the method used to take advantage of that weakness
risk the potential for loss or harm when threats meet vulnerabilities
confidentiality only authorized parties can access the information
integrity data or systems remain accurate and trustworthy
availability systems or data remain reachable when needed

A simple reasoning chain

    flowchart LR
	  A["Threat or attacker"] --> B["Vulnerability exists"]
	  B --> C["Exploit path is used"]
	  C --> D["Impact affects confidentiality, integrity, or availability"]

What to notice:

  • these words describe different parts of the same chain
  • if you collapse them together, you choose vague or mismatched controls
  • CIA helps you describe what was actually harmed or what the control is trying to protect

Small scenario example

1Weak admin password
2-> vulnerability
3Credential stuffing script
4-> exploit technique
5Unauthorized config change
6-> integrity impact

What to notice:

  • the weakness is not the same thing as the attack technique
  • the resulting impact is not the same thing as the vulnerability
  • CompTIA often hides the correct answer in that distinction

Common traps

  • using threat and vulnerability interchangeably
  • assuming confidentiality is always the main issue when integrity or availability is the better fit
  • naming a control before identifying the weakness
  • calling the attacker action itself “the risk” without describing the underlying weakness or impact

What strong answers usually do

  • identify the weakness before choosing the control
  • classify the attacker action separately from the underlying vulnerability
  • use the CIA lens to describe what is actually being harmed
  • keep the terminology precise enough that the mitigation choice makes sense

Decision order that usually wins

Security-classification questions usually hinge on precision. First, identify the weakness, threat action, or business effect. Second, map the effect to CIA: disclosure to confidentiality, unauthorized change to integrity, and disruption to availability. Third, choose the control that addresses that exact layer instead of using “risk” as a catch-all word. CompTIA rewards accurate classification before mitigation.

Quiz

Loading quiz…

Continue with 4.5 Compliance & Data Locality to keep the domain flow intact.

Revised on Sunday, May 10, 2026
4.3 Deception Tech
4.5 Compliance & Data Locality