Security Operations · SY0-701 · Task 4.3

Vulnerability scanning — SY0-701

Security+ SY0-701: Learn vulnerability scanning — NIST definition, CVSS severity scoring, false positives vs. negatives, and how it differs from pen testing.

WHAT IT IS

Vulnerability scanning is "a technique used to identify hosts/host attributes and associated vulnerabilities." (NIST SP 800-115)

The weaknesses it surfaces have a precise technical meaning: a vulnerability is a "weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." (NIST SP 800-30 Rev. 1 / FIPS 200)

Scanners automate this discovery — probing live systems and comparing what they find against databases of known weaknesses — rather than manually verifying whether a weakness is exploitable.


Mental model

Think of vulnerability scanning as a smoke detector, not a fire investigator. A smoke detector continuously monitors for a specific signal and alerts when the signal crosses a threshold; it does not determine how the fire started, how far it would spread, or whether it can be contained. In the same way, a vulnerability scanner detects and reports the presence of potential weaknesses against known signatures — it does not confirm exploitability, chain vulnerabilities together, or simulate what an attacker would actually do with access.

That distinction — detection versus exploitation — is the single frame that separates vulnerability scanning from penetration testing and from bug-bounty programs in exam questions.


When to use it

Situation    | Vulnerability Scanning                                                     | Penetration Testing
-------------|----------------------------------------------------------------------------|----------------------------------------------------------------------------------
Goal         | Identify hosts/host attributes and associated weaknesses (NIST SP 800-115) | "Circumvent or defeat the security features of a system" (NIST SP 800-12 Rev. 1)
Scope        | Broad; many systems in parallel                                            | Narrow; specific targets under defined constraints
Exploitation | No — reports potential weaknesses only                                     | Yes — actively attempts to exploit
Frequency    | Continuous or scheduled recurring runs                                     | Point-in-time assessments
Output       | List of detected weaknesses with severity scores                           | Evidence of successful exploitation and access paths
Skill/cost   | Lower; largely automated                                                   | Higher; requires skilled human testers

Exam questions often force a choice between the two. The deciding signal is whether the scenario requires confirming that a weakness is exploitable (penetration testing) or enumerating which weaknesses are present across the environment (vulnerability scanning).


Severity scoring: CVSS

Once a scan produces findings, prioritization relies on the Common Vulnerability Scoring System (CVSS). CVSS is "an open framework for communicating the characteristics and severity of software vulnerabilities." (FIRST.Org, CVSS v3.1 Specification Document)

CVSS v3.1 defines three metric groups:

  • Base metrics — intrinsic characteristics of the vulnerability, constant across environments; cover exploitability and impact on confidentiality, integrity, and availability.
  • Temporal metrics — characteristics that change over time, such as exploit availability or patch status.
  • Environmental metrics — organizational context, including deployed security controls and asset importance.

Base scores range from 0.0 to 10.0, mapped to qualitative ratings defined in the CVSS v3.1 specification:

Rating   | Base Score Range
---------|-----------------
None     | 0.0
Low      | 0.1 – 3.9
Medium   | 4.0 – 6.9
High     | 7.0 – 8.9
Critical | 9.0 – 10.0

CVSS scores are inputs to a vulnerability management process — the specification explicitly frames them as one factor in broader organizational decision-making, not an automatic remediation order.


COMMON MISCONCEPTION

"A vulnerability scanner tells you what an attacker can actually do."

This is the trap. A scanner reports that a weakness appears to be present based on matching observed host attributes against known vulnerability signatures. It does not confirm that the weakness is reachable, that an attack chain exists, or that exploitation would succeed in that environment. The NIST SP 800-115 definition anchors this: scanning identifies — it does not validate or exploit.

A related trap is conflating the two error directions:

  • A false positive is "an alert that incorrectly indicates that a vulnerability is present." (NIST SP 800-115) — the scanner flags something that is not actually vulnerable.
  • A false negative is an instance in which "a security tool intended to detect a particular threat fails to do so." (NIST SP 800-83 Rev. 1) — the scanner misses a weakness that is actually present.

Candidates often assume false positives are the dangerous failure mode because they cause noise. False negatives are the more consequential risk: a real vulnerability goes undetected and unremediated. Exam scenarios may describe remediation work done on a finding that turns out to be non-existent (false positive) or a breach traced to a weakness that passed the scan (false negative) — recognize which failure type each scenario describes before answering.


How it shows up on the exam

The cognitive target for vulnerability scanning questions is distinguishing automated detection from active exploitation and from manual assessment. Candidates are expected to apply the concept, not merely recall the definition.

Signal phrases to recognize:

  • "identifies hosts and associated vulnerabilities" → vulnerability scanning (NIST SP 800-115 language)
  • "circumvent or defeat security features" → penetration testing (NIST SP 800-12 Rev. 1 language)
  • "incorrectly indicates a vulnerability is present" → false positive (NIST SP 800-115 language)
  • "fails to detect a particular threat" → false negative (NIST SP 800-83 Rev. 1 language)
  • "severity score" or "CVSS" → the finding needs to be prioritized, not just detected

A common misconception exploited by exam questions is that a high CVSS base score alone dictates remediation order. The CVSS specification states that scores are inputs to a process and that organizational context (environmental metrics) adjusts the effective severity — a vulnerability with a high base score may rank lower in a specific environment once controls and asset value are factored in.


Related concepts

  • Threat intelligence — provides context about active exploitation that informs how scanner findings should be prioritized.
  • Penetration testing — the active, human-led complement to scanning; confirms exploitability that scanning only suggests.
  • Bug bounty / disclosure — a third-party discovery channel that surfaces vulnerabilities scanners may miss, operating under coordinated disclosure frameworks.

Sources

Every claim on this page traces to the public exam blueprint and official documentation.
