7.1.1. Assessment Types and Scoping
💡 First Principle: A vulnerability scanner is a tool; vulnerability assessment is a process. The scanner identifies potential vulnerabilities; the assessment validates findings, eliminates false positives, contextualizes risk, and produces actionable prioritized remediation plans. Raw scanner output is not an assessment — it is input to an assessment.
Scan types and their characteristics:
| Scan Type | Authentication | What It Finds | Use Case |
|---|---|---|---|
| Unauthenticated (network) | None | Exposed services; network-level vulns inferred from banners and protocol behaviour | Simulates an external attacker's view; needs no credentials; most prone to version-guessing errors |
| Authenticated (credentialed) | OS/app credentials (SSH, SMB/WMI, API) | Installed software versions and patch state read from the host; configuration settings | More comprehensive; fewer false positives; requires scan-credential management (vault, least privilege, rotation) |
| Agent-based | Agent on host | Same as authenticated plus continuous reporting; covers hosts the scanner cannot reach (laptops, ephemeral cloud instances) | Best coverage; requires deployment and maintenance of the agent |
| Web application scan (DAST) | Optional (an authenticated crawl reaches post-login functionality) | OWASP Top 10 class flaws: injection, input handling, authentication and session issues | Requires a web application scanner; a port/service scanner does not exercise application logic |
CVSS v3.1 score groups:
| Metric Group | What It Measures | Adjustable? |
|---|---|---|
| Base Score | Intrinsic characteristics of the vulnerability: attack vector, attack complexity, privileges required, user interaction, scope, and impact on C/I/A | No; fixed for the vulnerability and published by the vendor or NVD |
| Temporal Score | Current exploitation state: exploit code maturity, remediation level, report confidence | Yes; changes over time as exploit code and fixes appear |
| Environmental Score | Organization-specific context: C/I/A security requirements for the asset, plus Modified Base metrics that reflect compensating controls and network placement | Yes; per organization, and the score that should drive prioritization |
CVSS severity bands:
| Score | Severity | Example Remediation SLA (organization-defined) |
|---|---|---|
| 0.0 | None | n/a |
| 0.1–3.9 | Low | 180 days |
| 4.0–6.9 | Medium | 90 days |
| 7.0–8.9 | High | 30 days |
| 9.0–10.0 | Critical | 15 days (immediately if actively exploited) |
False positives vs. false negatives:
- False positive: Scanner reports a vulnerability that isn't actually present or exploitable. Cause: version detection errors, outdated signatures, missing context. Effect: wastes remediation effort; erodes trust.
- False negative: Scanner misses a real vulnerability. Cause: insufficient signatures, encrypted traffic, coverage gaps. Effect: false assurance.
Authenticated scans produce significantly fewer false positives than unauthenticated scans because they read the installed package version from the host rather than inferring it from a service banner. A banner carries only the upstream version and says nothing about distribution backports, so a host patched by its distro can look vulnerable from the network while being fixed.
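To make the false-positive mechanism above concrete, here is an added example (not from the original page or any scanner product) that reproduces both verdicts for the same host: what a banner-based check can conclude, what a credentialed check reading the package manager concludes, and how triage labels the disagreement. The advisory record, the banners and the package versions are all constructed stand-ins; the identifier is a placeholder and not a real CVE.

```python
"""Banner-based vs. credentialed version checks, and why the first yields
false positives the second does not.

Added example for this section; not code from the original page or from any
scanner product. Everything below is constructed: the advisory record,
the banners and the package versions are illustrative stand-ins (no real CVE).
"""
import re
from dataclasses import dataclass, field


def version_key(v):
    """Natural-sort key for '2.4.41' or '2.4.41-4ubuntu3.14': digit runs
    compare numerically, other runs as text. An approximation of dpkg/rpm
    ordering that is sufficient for this illustration."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|\D+", v)]


@dataclass
class Advisory:
    ident: str                     # placeholder tracking id, not a real CVE
    package: str
    fixed_upstream: str            # first upstream release carrying the fix
    fixed_distro: dict = field(default_factory=dict)  # distro -> first backported version


def unauthenticated_check(banner, adv):
    """What a network scanner can infer from e.g. 'Apache/2.4.41 (Ubuntu)':
    only the upstream version, never the distribution patch level."""
    m = re.search(r"/(\d+(?:\.\d+)+)", banner)
    if not m:                       # ServerTokens Prod, proxy, custom banner ...
        return "undetermined"       # the scanner either guesses or stays silent
    return "vulnerable" if version_key(m.group(1)) < version_key(adv.fixed_upstream) else "not vulnerable"


def authenticated_check(distro, installed, adv):
    """What a credentialed scan reads from the package manager (for example
    dpkg-query output). A distro may backport the fix into an older upstream
    version; the full package version captures that, the banner does not."""
    backport = adv.fixed_distro.get(distro)
    if backport and version_key(installed) >= version_key(backport):
        return "not vulnerable"     # fix backported under the old upstream number
    upstream = installed.split("-", 1)[0]
    if version_key(upstream) >= version_key(adv.fixed_upstream):
        return "not vulnerable"
    return "vulnerable"


def triage(unauth, auth):
    """Reconcile the two verdicts; the credentialed result is authoritative."""
    if unauth == "vulnerable" and auth == "not vulnerable":
        return "false positive (banner version predates the fix; distro backported it)"
    if unauth != "vulnerable" and auth == "vulnerable":
        return "false negative risk (banner alone would not have flagged it)"
    return "confirmed: " + auth


if __name__ == "__main__":
    adv = Advisory("example-advisory-0001", "apache2", fixed_upstream="2.4.46",
                   fixed_distro={"ubuntu-20.04": "2.4.41-4ubuntu3.1"})
    # Constructed hosts: (banner seen from the network, distro, installed package)
    hosts = [
        ("Apache/2.4.41 (Ubuntu)", "ubuntu-20.04", "2.4.41-4ubuntu3.14"),  # patched via backport
        ("Apache/2.4.41 (Ubuntu)", "ubuntu-20.04", "2.4.41-4ubuntu3"),     # genuinely unpatched
        ("Apache", "ubuntu-20.04", "2.4.41-4ubuntu3"),                     # version suppressed
    ]
    for banner, distro, pkg in hosts:
        u = unauthenticated_check(banner, adv)
        a = authenticated_check(distro, pkg, adv)
        print(f"{banner!r:28} unauth={u:15} auth={a:15} -> {triage(u, a)}")
```

The first host is the classic false positive: the banner still says 2.4.41, the advisory says fixed in 2.4.46, yet the installed package already carries the backported fix. The third host shows the mirror image: with the version suppressed, a banner-only scan has nothing to report, and an unpatched system sails through unless a credentialed or agent-based scan covers it.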
Vulnerability management lifecycle:
⚠️ Exam Trap: A penetration test and a vulnerability assessment are not interchangeable. A vulnerability assessment identifies and reports potential vulnerabilities — it does not exploit them. A penetration test actively exploits vulnerabilities to confirm they are real, chains them together, and demonstrates actual impact. VA provides coverage breadth; pentest provides confirmed exploitability and business impact.
Reflection Question: An organization runs quarterly authenticated vulnerability scans and achieves 92% patch compliance within SLA. The CISO presents this as evidence of a mature vulnerability management program. A penetration tester then compromises the organization through a business logic flaw in the web application and an unpatched legacy system not in the asset inventory. What three gaps does this reveal about the vulnerability management program?