Try 10 focused CompTIA CySA+ CS0-004 questions on Vulnerability Management, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA CySA+ CS0-004 |
| Topic area | Vulnerability Management |
| Blueprint weight | 26% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Vulnerability Management for CompTIA CySA+ CS0-004. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 26% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Vulnerability Management
A vulnerability management analyst is reviewing a critical SQL injection finding on an internet-facing customer portal that processes PII. The application owner provides a completed change ticket showing the code fix was deployed during the approved maintenance window. Policy requires validation evidence before closure, and the next scheduled external scan is five days away. What is the BEST professional decision?
Options:
A. Escalate to incident response and take the portal offline
B. Mark the vulnerability as risk accepted until the next scan
C. Close the finding because the change ticket is complete
D. Keep the finding pending validation and request targeted retesting
Best answer: D
Explanation: Remediation completion means the owner performed the planned fix, such as deploying code or applying a patch. Remediation effectiveness means evidence shows the fix actually removed or reduced the vulnerability in the affected environment. In this scenario, the system is internet-facing, handles PII, and the finding is critical, so waiting five days or closing from a change ticket alone does not meet the validation requirement. A targeted retest or validation scan is the appropriate next step, with the finding left open or pending validation until evidence supports closure. The key distinction is that implementation records support completion, while testing evidence supports effectiveness.
Topic: Vulnerability Management
A vulnerability analyst is planning a quarterly assessment for a company that recently added new public web services and VPN gateways. The security manager wants to identify weaknesses that are visible from the internet, using the same network perspective as an unauthenticated external attacker. Which scan type best meets this requirement?
Options:
A. External scan from outside the perimeter
B. Internal scan from a corporate subnet
C. Agent-based scan on managed servers
D. Credentialed scan from a domain workstation
Best answer: A
Explanation: Scan type selection depends on the scanner’s perspective and the exposure being tested. An external scan is launched from outside the organization’s network boundary and is used to find services, ports, and vulnerabilities visible to internet-based actors. That matches the manager’s requirement to assess public web services and VPN gateways from an unauthenticated outside viewpoint. Internal, credentialed, and agent-based scans can provide deeper visibility into hosts and configurations, but they do not represent what an external attacker can see from the internet.
Topic: Vulnerability Management
A vulnerability management team reviews the following asset change before the next scan cycle:
| Field | Detail |
|---|---|
| Asset group | api-pay-01 to api-pay-04 |
| Change | Moved from development to production payment processing |
| Data handled | Cardholder data |
| Owner | Payments operations team |
| Business constraint | No scanning during checkout peak hours |
| Compliance note | In-scope systems require authenticated vulnerability scanning |
Which scan-planning adjustment best maps to these requirements?
Options:
A. Keep the unauthenticated development scan to avoid production impact
B. Update scope and schedule authenticated scans with owner-approved windows
C. Remove the systems from scanning until the next audit
D. Run immediate peak-hour scans to meet compliance faster
Best answer: B
Explanation: Scan planning should follow current asset inventory metadata. When an asset changes owner, sensitivity, regulatory scope, or business criticality, the scan plan must be updated before the next cycle. Here, the servers are now production payment systems that handle cardholder data, so they need to be included in the regulated scope and scanned with the required authenticated method. Because they are business-critical, the schedule also needs coordination with the payments owner and a window that avoids peak checkout hours. The key is not simply scanning more aggressively; it is matching scan method, scope, authorization, and timing to the changed asset context.
Topic: Vulnerability Management
A vulnerability analyst is validating a high-risk finding for an internal customer portal. The development team asks which remediation addresses the weakness in the application itself.
Exhibit: Finding summary
Tool: DAST + code review
Endpoint: /account/search
Evidence: Database error returned when special characters are submitted in q
Code pattern: "SELECT * FROM accounts WHERE name = '" + request.q + "'"
Impact: User-supplied input can alter the database query structure
Which remediation should be prioritized?
Options:
A. Add SIEM correlation for database error spikes
B. Refactor the query to use parameterized statements
C. Suppress detailed database errors in HTTP responses
D. Block special characters in the WAF
Best answer: B
Explanation: The exhibit shows a SQL injection weakness caused by building a database query with string concatenation and untrusted request data. The remediation should fix the application implementation, not just reduce visibility or add a perimeter filter. Parameterized statements, also called prepared statements, bind user input as data instead of allowing it to change the query structure. Server-side input validation and safer error handling can also help, but they do not replace parameterized database access for this issue. A WAF or SIEM rule may be useful as a compensating or detective control, but the durable remediation belongs in the code path that constructs the query.
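The two code paths side by side, as an added example that is not part of the original question or the portal's code: the vulnerable concatenation pattern from the exhibit next to its parameterized replacement, run against a constructed in-memory `accounts` table. The table columns, sample rows and helper names are assumptions for this example; the `q` parameter and `/account/search` endpoint come from the finding.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the portal's accounts table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list[str]:
    """The finding's code pattern: the user-supplied q is spliced into the SQL text,
    so a quote character ends the literal and the rest of q becomes query syntax."""
    sql = "SELECT name FROM accounts WHERE name = '" + q + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, q: str) -> list[str]:
    """Remediated form: the query text is fixed and q is bound as a value, so a quote
    in q is only data and cannot change the statement's structure."""
    sql = "SELECT name FROM accounts WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (q,))]


def raises_db_error(search, conn: sqlite3.Connection, q: str) -> bool:
    """Reproduces the DAST evidence: True if the query fails with a database error
    when special characters are submitted in q."""
    try:
        search(conn, q)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, payload))        # every account comes back
    print("parameterized:", search_parameterized(db, payload))  # no account has that literal name
    print("error on O'Brien:",
          raises_db_error(search_vulnerable, db, "O'Brien"),
          raises_db_error(search_parameterized, db, "O'Brien"))
```

The `O'Brien` probe is the same signal the DAST tool reported: a legitimate name with an apostrophe breaks the concatenated query but is handled cleanly by the bound parameter. Suppressing the error message (option C) would hide that signal without changing the first function's behaviour.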
Topic: Vulnerability Management
A vulnerability analyst reviews an external scan for a payroll administration VM. Exploit attempts are not permitted in the current scan window, and remote administration is supposed to occur only through the corporate VPN.
Exhibit: Tool output summary
| Source | Evidence |
|---|---|
| External scanner | TCP/3389 reachable; RDP handshake completed |
| Cloud posture tool | Security group allows 0.0.0.0/0 to TCP/3389 |
| Scan scope | No credentialed checks or exploit validation run |
| Asset context | Payroll administration VM |
Which decision is BEST?
Options:
A. Confirm exploitability and open an incident for active compromise.
B. Confirm internet exposure and a control weakness; restrict RDP and rescan.
C. Run an external RDP exploit to prove the scanner is correct.
D. Downgrade the finding because no exploit proof was collected.
Best answer: B
Explanation: The scanner and cloud posture evidence are enough to prove exposure: TCP/3389 is reachable from the internet, and the security group explicitly permits that path. Because the business requirement limits administration to the VPN, this is also a confirmed control weakness. However, the evidence does not prove that authentication can be bypassed, that a specific RDP vulnerability is exploitable, or that the host is compromised. A proportionate vulnerability management response is to restrict access to the approved VPN or jump host path, then rescan to validate closure. The key distinction is exposure and misconfiguration versus proven exploitability or incident evidence.
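The "confirm exposure, restrict, rescan" loop as an added example, not code from the original question or any real posture tool: a small check over constructed security-group rules that flags remote-administration ports reachable from sources outside the approved VPN range, a corrective function that re-scopes those rules, and the same check run again as the rescan. The VPN CIDR, the HTTPS rule, the extra admin ports and the rule shape are assumptions; the page only states that 0.0.0.0/0 was allowed to TCP/3389.

```python
import ipaddress

# Ports an external scanner would report as remote-administration exposure.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM"}

# Constructed rules modeled on the exhibit (assumed VPN range and HTTPS rule).
VPN_CIDR = "10.8.0.0/16"
RULES_BEFORE = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
]


def rule_covers_port(rule: dict, port: int) -> bool:
    """True if the rule permits TCP to `port` (protocol "-1" means all protocols)."""
    return rule["protocol"] in ("tcp", "-1") and rule["from_port"] <= port <= rule["to_port"]


def source_is_approved(cidr: str, approved: list[str]) -> bool:
    """True only if the rule's source range lies entirely inside an approved range.
    0.0.0.0/0 can never be a subnet of a real VPN range, so it is never approved."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(
        src.subnet_of(ipaddress.ip_network(a, strict=False))
        for a in approved
        if ipaddress.ip_network(a, strict=False).version == src.version
    )


def find_exposed_admin_ports(rules: list[dict], approved: list[str]) -> list[str]:
    """Reports 'SERVICE tcp/PORT from CIDR' for every admin port reachable from a
    source outside the approved ranges. This is exposure evidence, not exploit proof."""
    findings = []
    for rule in rules:
        for port, name in ADMIN_PORTS.items():
            if rule_covers_port(rule, port) and not source_is_approved(rule["cidr"], approved):
                findings.append(f"{name} tcp/{port} from {rule['cidr']}")
    return findings


def restrict_admin_sources(rules: list[dict], approved_cidr: str) -> list[dict]:
    """Corrective change: any rule that carries an admin port is re-scoped to the
    approved source (a wide all-ports rule is narrowed as a whole, the safe default);
    rules that touch no admin port are returned unchanged."""
    fixed = []
    for rule in rules:
        if any(rule_covers_port(rule, p) for p in ADMIN_PORTS):
            fixed.append({**rule, "cidr": approved_cidr})
        else:
            fixed.append(dict(rule))
    return fixed


if __name__ == "__main__":
    print("before:", find_exposed_admin_ports(RULES_BEFORE, [VPN_CIDR]))
    rules_after = restrict_admin_sources(RULES_BEFORE, VPN_CIDR)
    print("after :", find_exposed_admin_ports(rules_after, [VPN_CIDR]))  # rescan: empty list
```

The check deliberately reports nothing about authentication or patch level, matching the exhibit's "no credentialed checks or exploit validation run": an empty list after the change is closure evidence for the exposure finding only.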
Topic: Vulnerability Management
A vulnerability management team is preparing evidence for an ISO 27001 surveillance audit. A credentialed baseline scan of servers that process confidential customer data found two deviations from the approved Linux hardening baseline: SSH root login is enabled on 6 servers, and audit logging retention is set below the organization’s policy. The systems are business-critical, and service owners need a defensible action plan, not just raw findings. Which action is the BEST professional decision?
Options:
A. Declare the environment ISO compliant because no exploit is active
B. Send the unfiltered scanner report to the auditor
C. Map findings to ISMS controls and create risk treatment actions
D. Immediately isolate all affected servers until rebuilt
Best answer: C
Explanation: ISO 27000-series expectations focus on an information security management system (ISMS), not just whether a scanner found technical issues. Baseline scan results should be treated as control-monitoring evidence and tied to the organization’s risk assessment, Statement of Applicability, policies, asset sensitivity, remediation owners, due dates, and any compensating controls. In this case, the deviations affect confidential data systems and approved hardening requirements, so they should become documented risk treatment actions that service owners can execute and auditors can trace. The key is to convert technical findings into governed ISMS evidence and action, without claiming compliance from a lack of exploitation or disrupting critical systems without a containment need.
Topic: Vulnerability Management
A weekly external vulnerability scan flagged a public web server. The application owner asks what can be accurately stated in the remediation ticket based only on the tool output.
Exhibit: Scanner finding
Host: app.example.com
Port: 443/tcp open
Service: Apache httpd 2.4.49
Detection method: HTTP Server header
Plugin result: Potentially vulnerable version detected
Authentication: none
Exploit check: not performed
WAF/CDN: present
Options:
A. Report a confirmed exploit and require immediate rebuild.
B. Close the ticket because a WAF/CDN is present.
C. Report the host as compliant until authenticated scanning is completed.
D. Report a version-based finding and request validation.
Best answer: D
Explanation: The scanner output supports a limited, evidence-based statement: the host is externally reachable on TCP 443, and the HTTP Server header reports Apache httpd 2.4.49. Because the scan was unauthenticated and the plugin used banner detection only, it does not prove the vulnerability is exploitable, that the affected module or configuration is present, or that the WAF/CDN fully mitigates the risk. A good vulnerability report should distinguish confirmed evidence from items needing validation and should drive an action, such as owner review, configuration verification, patch status confirmation, or a credentialed/validated scan. Overstating the result as a confirmed exploit can cause poor prioritization, while dismissing it ignores a credible exposure signal.
Topic: Vulnerability Management
A vulnerability management team must assess a production medical device subnet before a planned patch cycle. The subnet contains legacy imaging systems, the vendor warns that active probes may disrupt device availability, and the network team cannot provide a maintenance window for two weeks. The CISO needs an initial inventory of hosts, services, and observed traffic with minimal performance impact. Which scan type is the BEST professional decision?
Options:
A. Breach attack simulation against the subnet
B. External unauthenticated perimeter vulnerability scan
C. Passive network discovery from a TAP or SPAN port
D. Credentialed active vulnerability scan during business hours
Best answer: C
Explanation: Scan type should match scope, sensitivity, and performance constraints. In a fragile production medical device subnet, passive discovery is the safest first step because it collects observed hosts, services, and communication patterns without actively probing endpoints. This supports initial asset and service inventory while reducing the risk of device disruption. It also gives the team evidence to plan a later maintenance-window scan or targeted validation with the vendor. A credentialed active scan can provide richer vulnerability detail, but it conflicts with the stated availability risk and lack of maintenance window.
Topic: Vulnerability Management
A vulnerability analyst is reviewing proposed controls for a critical web application finding. Based on what each control does, which control is primarily corrective?
Exhibit: Control summary
| Control | What it does |
|---|---|
| WAF rule | Blocks requests matching the exploit pattern |
| Daily scan | Reports whether the vulnerable package is present |
| SOAR playbook | Opens a ticket and isolates the affected workload after a confirmed alert |
| Patch deployment | Replaces the vulnerable package with the vendor-fixed version |
Options:
A. WAF rule
B. Daily scan
C. Patch deployment
D. SOAR playbook
Best answer: C
Explanation: Control functions are classified by the effect of the control. A corrective control fixes or restores a system after a weakness, failure, or incident condition exists. In this exhibit, deploying the vendor-fixed package removes the vulnerable software condition, so it is corrective. Blocking exploit attempts is preventative because it tries to stop exploitation before impact. Scanning is detective because it identifies and reports the condition. The SOAR playbook is responsive because it takes action after a confirmed alert, such as ticketing and isolation. The key distinction is whether the control stops, finds, reacts to, or fixes the problem.
Topic: Vulnerability Management
A vulnerability analyst has one emergency patch slot before the next maintenance cycle. The organization’s prioritization standard weighs active exploitation, relevant threat intelligence, exploitability, asset value, and business impact over base severity alone. Which vulnerability should be remediated first?
| ID | Asset and exposure | Evidence | Business impact |
|---|---|---|---|
| VULN-101 | Internet-facing SSO server | CVSS 8.1; EPSS 0.89; active exploitation reported in the same industry | Tier 1 identity service; account takeover risk |
| VULN-102 | Internal lab server | CVSS 9.8; public PoC; segmented from production | Tier 4 test asset; no sensitive data |
| VULN-103 | Public marketing site | CVSS 7.5; no known exploitation | Tier 3 asset; defacement risk only |
| VULN-104 | Internal file server | CVSS 8.8; patch available; no threat-intel match | Tier 2 asset; contains confidential documents |
Options:
A. Emergency-patch VULN-104 on the file server
B. Emergency-patch VULN-101 on the SSO server
C. Emergency-patch VULN-103 on the marketing site
D. Emergency-patch VULN-102 on the lab server
Best answer: B
Explanation: Vulnerability prioritization should combine technical severity with real-world likelihood and business consequence. VULN-101 does not have the highest CVSS score, but it has active exploitation in the same industry, a high EPSS score, internet exposure, and affects a Tier 1 identity service. That combination creates both a high probability of exploitation and high impact if compromised. VULN-102 has a higher base score and a public proof of concept, but segmentation and low asset value reduce urgency. VULN-104 has meaningful impact, but the stem does not show active exploitation or a threat-intelligence match. Base severity is only one input, not the deciding factor.
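The same decision as an added example, not part of the original question: the four rows from the table encoded as records and ranked by a likelihood-times-impact-times-severity score, next to the order a CVSS-only queue would produce. The organization's prioritization standard is described in the stem but not quantified, so the weights below are an assumption that stands in for it; EPSS is only stated for VULN-101, and the other records carry `None`.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cvss: float
    epss: Optional[float]      # None when the table gives no EPSS value
    internet_facing: bool
    active_exploitation: bool  # exploitation reported against this industry/asset class
    public_poc: bool
    tier: int                  # asset tier, 1 = most critical


# Built from the question's table; nothing here is measured data.
VULNS = [
    Vuln("VULN-101", 8.1, 0.89, True, True, False, 1),
    Vuln("VULN-102", 9.8, None, False, False, True, 4),
    Vuln("VULN-103", 7.5, None, True, False, False, 3),
    Vuln("VULN-104", 8.8, None, False, False, False, 2),
]

# Assumed business-impact multipliers per asset tier.
TIER_IMPACT = {1: 1.0, 2: 0.7, 3: 0.4, 4: 0.1}


def likelihood(v: Vuln) -> float:
    """Exploitation-probability proxy: a small floor for every vulnerability, EPSS
    where known, then fixed bumps for threat intelligence and internet exposure."""
    score = 0.1 + (v.epss or 0.0)
    if v.active_exploitation:
        score += 1.0          # observed exploitation outweighs any proof of concept
    elif v.public_poc:
        score += 0.3
    if v.internet_facing:
        score += 0.5
    return score


def priority_score(v: Vuln) -> float:
    """Likelihood x business impact x technical severity (CVSS scaled to 0..1)."""
    return likelihood(v) * TIER_IMPACT[v.tier] * (v.cvss / 10.0)


def rank(vulns: list[Vuln]) -> list[str]:
    """IDs ordered by priority score, highest first."""
    return [v.vuln_id for v in sorted(vulns, key=priority_score, reverse=True)]


def rank_by_cvss(vulns: list[Vuln]) -> list[str]:
    """What a base-severity-only queue would produce, for comparison."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


if __name__ == "__main__":
    for v in sorted(VULNS, key=priority_score, reverse=True):
        print(f"{v.vuln_id}: cvss={v.cvss} likelihood={likelihood(v):.2f} score={priority_score(v):.3f}")
    print("risk-based order:", rank(VULNS))
    print("CVSS-only order :", rank_by_cvss(VULNS))
```

With these weights the lab server with the 9.8 base score drops to the bottom, because segmentation and a Tier 4 asset multiply its likelihood and impact down, while the SSO server moves to the top on exploitation evidence and exposure. Change the multipliers and the middle of the order shifts; the point the model makes is that the first slot is decided by likelihood and impact, not by base severity.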
Use the CompTIA CySA+ CS0-004 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.