Run Vulnerability Management for Security+ (SY0-701)

Understand how Security+ treats identification, analysis, prioritization, remediation, validation, and reporting in vulnerability management.

Vulnerability management is not the same thing as running a scanner. Security+ expects you to understand the whole workflow: identify, analyze, prioritize, remediate, validate, and report. Many weak answers stop after the scan and never address operational fit or proof that the issue is actually resolved.

CVSS: Common Vulnerability Scoring System, a standard way to score severity that still needs business context before you prioritize work.

Compensating control: A temporary or alternative control used when the ideal remediation is not feasible yet.

What the exam is really testing

CompTIA is usually testing whether you can:

  • separate discovery from validated risk
  • prioritize findings by real operational impact instead of raw score alone
  • choose between remediation now, compensating control now, and tracked risk acceptance

The strongest answer is often not “patch everything immediately.” It is “treat the riskiest finding correctly within the real constraint.”

Vulnerability workflow

    flowchart LR
      A["Discover"] --> B["Analyze and prioritize"]
      B --> C["Remediate or compensate"]
      C --> D["Validate"]
      D --> E["Report and track"]

What to notice:

  • prioritization happens before broad remediation
  • compensating controls may appear when immediate patching is not feasible
  • validation is a required step, not a nice extra

Workflow roles that matter

Stage: what a strong team does at that stage

Discover: uses inventory and scanning to identify likely weaknesses
Analyze: confirms scope, exposure, business impact, and exploitability
Prioritize: ranks findings by risk, not just scanner order
Remediate: patches, reconfigures, isolates, or applies compensating controls
Validate: rescans, retests, or otherwise confirms the weakness is actually reduced
Report: records owner, status, evidence, and remaining risk

What good prioritization looks like

Security+ usually rewards risk-based prioritization:

  • asset criticality
  • exploitability
  • external exposure
  • business impact
  • availability constraints

A medium-severity finding on a public-facing identity service may matter more than a higher raw score on an isolated lab box.

Vulnerability-ticket example

    finding_id: VULN-2026-118
    asset: idp-gateway-01
    exposure: public
    severity: medium
    business_impact: high
    owner: identity-team
    planned_action: mitigate_now_patch_next_window
    compensating_controls:
      - restrict_admin_path
      - increase_monitoring
    validation_due: 2026-03-30

What to notice:

  • risk is driven by exposure and business impact, not only the scanner label
  • the finding has an owner and a planned action
  • compensating controls are documented rather than implied
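The risk-based prioritization described above, and the ticket fields shown in the example, carried into a small worked example. This is added illustration code, not part of the Security+ material or any scanner product; the weight tables are constructed assumptions chosen to show the principle, not CVSS environmental scoring, and the two sample findings are constructed to mirror the lab-box versus identity-portal comparison.

```python
from dataclasses import dataclass

# Constructed weights: exposure and asset criticality scale raw severity.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EXPOSURE = {"isolated": 0.5, "internal": 1.0, "public": 2.0}
CRITICALITY = {"low": 0.5, "medium": 1.0, "high": 2.0}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str          # scanner label, e.g. "high"
    exposure: str          # isolated / internal / public
    criticality: str       # business impact of the asset
    exploit_available: bool
    owner: str = ""
    status: str = "open"   # open / mitigated / remediated / closed
    validated: bool = False


def risk_score(f: Finding) -> float:
    """Combine severity with exposure, criticality and exploitability."""
    score = SEVERITY[f.severity] * EXPOSURE[f.exposure] * CRITICALITY[f.criticality]
    return score * 1.5 if f.exploit_available else score


def prioritize(findings: list[Finding]) -> list[str]:
    """Return finding IDs ordered by risk, highest first (not scanner order)."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


def close_finding(f: Finding) -> Finding:
    """Closing requires an owner, a remediation, and a validation rescan/retest."""
    if not f.owner:
        raise ValueError(f"{f.finding_id}: no owner assigned")
    if f.status != "remediated" or not f.validated:
        raise ValueError(f"{f.finding_id}: not remediated and validated")
    f.status = "closed"
    return f


# Constructed sample findings mirroring the scenario in the text.
LAB = Finding("VULN-LAB-1", "lab-box-07", "high", "isolated", "low", False, "lab-team")
PORTAL = Finding("VULN-2026-118", "idp-gateway-01", "medium", "public", "high", True,
                 "identity-team")
```

Ranking by `risk_score` puts the public identity portal ahead of the higher-scored lab box, and `close_finding` refuses to close a ticket that has not been validated.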

Scan versus penetration test

Security+ keeps returning to this distinction because it affects how findings should be interpreted:

  • a vulnerability scan identifies likely weaknesses broadly
  • a penetration test demonstrates exploitability and impact under authorized scope

If a question asks for proof that a weakness is exploitable, a scan alone is usually not enough.

What strong answers usually do

  • use scanner output as input, not as the final decision
  • combine severity with exposure, asset value, and exploitability before prioritizing
  • document ownership and next action so findings become operational work instead of stale reports
  • verify that remediation actually reduced the risk before closing the issue

Common traps

  • patching by scanner score only
  • confusing a vulnerability scan with a penetration test
  • failing to retest after a remediation change
  • ignoring reporting and ticket ownership
  • treating an unactioned finding list like a vulnerability-management program

Harder scenario question

An internal scan shows a high-severity finding on a lab system that is offline most of the time, while a medium-severity finding affects a public identity portal used by all employees and customers. Patch windows are limited this week. Which response is strongest?

A. Patch the lab system first because the scanner score is higher
B. Prioritize the public identity portal because exposure, criticality, and business impact make the risk higher despite the lower scanner score
C. Ignore both findings until the next quarter
D. Delete the lower-scored finding from the report to reduce noise

Best answer: B. Security+ expects risk-based prioritization. Public exposure and business impact can outweigh a higher raw severity on an isolated low-value asset.
