Vulnerability Management for CompTIA CySA+

This page covers the Vulnerability Management domain of the CompTIA CySA+ certification. Master Cybersecurity offers 108 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  Question 1

    A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
    A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
    B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
    C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
    D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
    Explanation

    The correct answer is: A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L.

    The CVE metric that best fits a zero-day with no user interaction, no privilege escalation, network-reachable exploitation, and high impact to confidentiality and integrity but not availability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L. AV:N captures network reachability, AC:L captures low complexity, PR:N captures no privilege requirement, and UI:N captures no user interaction. The high-confidentiality / high-integrity / low-availability impact aligns with the question's profile better than the other vector strings, which either require user interaction (UI:R or UI:H), elevated privileges (PR:H or PR:R), or local rather than network attack vectors. Only the first vector matches the full set of conditions.

  Question 2

    An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed: Which of the following tuning recommendations should the security analyst share?
    A. Set an HttpOnly flag to force communication by HTTPS
    B. Block requests without an X-Frame-Options header
    C. Configure an Access-Control-Allow-Origin header to authorized domains
    D. Disable the cross-origin resource sharing header
    Explanation

    The correct answer is: C. Configure an Access-Control-Allow-Origin header to authorized domains.

    The right tuning recommendation is to configure an Access-Control-Allow-Origin header to authorized domains. The vulnerability assessment output indicates CORS misconfiguration where the response allows arbitrary origins, and the fix is to restrict the header to the specific domains the application trusts. Setting an HttpOnly flag to force HTTPS confuses HttpOnly (cookie protection) with HSTS (transport policy) and is not the CORS fix. Blocking requests without an X-Frame-Options header addresses clickjacking, not CORS. Disabling the cross-origin resource sharing header would break legitimate cross-origin requests rather than fix the trust scope. Tightening the allowed origin is the targeted remediation.
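The scanner output the question refers to is not reproduced on this page, so the following Python is an added illustration (not part of the original question and not any scanner's output) of the behaviour behind this class of finding beside the tuning in answer C. The first function reflects whatever Origin the browser sent; the second emits Access-Control-Allow-Origin only for an exact match against an allowlist. The TRUSTED_ORIGINS set and the sample Origin values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would load the
# origins the application actually trusts from configuration.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def normalise_origin(value):
    """Reduce an Origin header to scheme://host[:port], or None if it is absent,
    'null', or carries anything an Origin never has (path, query, userinfo).
    Default ports are dropped so 'https://h:443' and 'https://h' compare equal."""
    if not value:
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers_permissive(request_origin):
    """The misconfiguration behind this class of finding: echo whatever Origin
    the browser sent and allow credentials, so any site a user visits can make
    authenticated cross-origin requests and read the responses."""
    if not request_origin:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_restricted(request_origin, trusted=TRUSTED_ORIGINS):
    """Answer C in practice: emit Access-Control-Allow-Origin only for an exact
    match against the allowlist. For any other origin send no CORS headers, so
    the browser refuses the cross-origin read. No wildcard, no suffix matching,
    no regex: a substring check would pass 'https://app.example.com.evil.example'."""
    origin = normalise_origin(request_origin)
    if origin is None or origin not in trusted:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response depends on the Origin header; tell caches so.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed sample Origin values of the kind a scanner sends while probing CORS.
    for origin in ("https://app.example.com", "https://APP.example.com:443",
                   "https://app.example.com.evil.example", "null", None):
        print(f"{origin!s:40} permissive={bool(cors_headers_permissive(origin))} "
              f"restricted={bool(cors_headers_restricted(origin))}")
```

Running the file prints, for each constructed origin, whether each variant would grant cross-origin access; only the two allowlisted spellings get headers from the restricted version. The Vary: Origin header matters once the response differs per origin, otherwise a shared cache can serve one origin's allow header to another.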

  Question 3

    Which of the following items should be included in a vulnerability scan report? (Choose two.)
    A. Lessons learned
    B. Service-level agreement
    C. Playbook
    D. Affected hosts
    E. Risk score
    F. Education plan
    Explanation

    The correct answers are: D. Affected hosts, E. Risk score.

    Affected hosts and risk score are the two items that should be included in a vulnerability scan report. Affected hosts identify where each finding lives so remediation can be assigned, and risk score (typically CVSS plus environmental context) communicates the urgency. Lessons learned is a post-incident retrospective artifact, not a scan report element. Service-level agreement is a contract, not a scan finding. Playbook is an operational procedure, not a report item. Education plan is a training artifact. The two report essentials are the host and the risk score; everything else in a report builds context around those two columns.

  Question 4

    The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
    A. A mean time to remediate of 30 days
    B. A mean time to detect of 45 days
    C. A mean time to respond of 15 days
    D. Third-party application testing
    Explanation

    The correct answer is: A. A mean time to remediate of 30 days.

    A mean time to remediate (MTTR) of 30 days would best protect the organization when exploitation of new attacks occurs approximately 45 days after patch release. The remediation cadence must beat the exploitation window, and 30 days fits comfortably inside 45. A mean time to detect of 45 days exactly matches the exploitation window, so by the time detection happens, exploitation may already be in progress. A mean time to respond of 15 days is a fast target, but the question is about getting fixes deployed, which is remediation, not response. Third-party application testing is a useful practice but does not by itself produce the patching cadence that beats the exploitation window.

  Question 5

    A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

    Security Policy 1006: Vulnerability Management
    The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
    In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
    The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.

    According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
    A. Name: THOR.HAMMER - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Internal System
    B. Name: CAP.SHIELD - CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N External System
    C. Name: LOKI.DAGGER - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H External System
    D. Name: THANOS.GAUNTLET - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Internal System
    Explanation

    The correct answer is: B. Name: CAP.SHIELD - CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N External System.

    CAP.SHIELD is the highest priority to patch per the company's vulnerability management policy. The policy prioritizes confidentiality over availability and prioritizes publicly available systems over internal ones. CAP.SHIELD has C:H (high confidentiality impact) and is on an external system, which matches both policy priorities. THOR.HAMMER has only availability impact on an internal system. LOKI.DAGGER has only availability impact even though it is external. THANOS.GAUNTLET has high confidentiality impact but is on an internal system. CAP.SHIELD is the only vector that combines high confidentiality impact with external exposure, satisfying both policy clauses simultaneously.
