Chapter 85 · Examples

Analyzing Vulnerabilities — Worked Examples

Five applied scenarios showing how false positives waste analyst time, how false negatives enable breaches, how CVSS version mismatches cause prioritization errors, how exposure factor guides remediation order, and how risk tolerance drives patch decisions under active exploitation.

Example 1 — False Positive Consumes Analyst Capacity at Scale
Scenario: A security team runs a vulnerability scan across 200 servers and receives 1,400 findings. The team begins investigating Priority 1 findings and notices that 60% of the Critical-rated findings — clustered around a particular application version — cannot be reproduced when manually tested. The vulnerability scanner flagged these systems because their installed application reports a version number that falls within the vulnerable range, but the vendor had released a hotfix that patched the code path without incrementing the version number. The scanner has no way to detect the hotfix and reports every system with that version number as vulnerable.

What happened: The scanner used version-based signature matching without hotfix awareness. Every system at that version is flagged, even though all of them have had the vulnerability patched via a hotfix that the scanner cannot detect. These are false positives — the vulnerability does not exist on these systems as a practical matter.

The cost: The team spends time investigating and documenting 840 false positives (60% of 1,400) before reaching the genuine findings. In a three-analyst team, this false positive volume can consume multiple days of investigation capacity before any real vulnerability receives attention.

The fix: Tune the scanner to exclude systems confirmed to have the hotfix, update the scanner signature once the vendor releases a hotfix-aware detection method, and establish a validation step before scheduling any Critical remediation — confirm the vulnerability exists before treating the finding as actionable. Do not close these findings as false positives without documenting the investigation and the hotfix confirmation.

The exam-tested distinction: Any real finding, even one at Low severity, is not a false positive. A false positive means the vulnerability does not exist. A Low-severity real finding means the vulnerability exists but is not urgent.

Example 2 — False Negative Creates a Blind Spot That Enables Breach
Scenario: A financial institution runs its monthly vulnerability scan on a Tuesday morning. On Wednesday evening, a critical vulnerability in a widely used SSL/TLS library is publicly disclosed. The disclosure includes proof-of-concept exploit code. By Thursday, threat intelligence feeds show active exploitation in the wild. The institution's security team reviews the most recent scan report, sees no findings related to the affected library, and concludes the environment is not exposed. In fact, the library is installed on seven servers that the scanner did not flag — because the scanner's signature database was updated on Monday and does not yet contain a signature for this vulnerability, which was disclosed after the update. Three of those servers are internet-facing.

What happened: The scan produced a false negative for a critical vulnerability because the signature database did not include the new vulnerability at scan time. The organization's review of the scan report created false confidence: they believed their environment was clean when seven servers were actually exposed, three of them directly reachable from the internet.

Why this is more dangerous than a false positive: A false positive creates unnecessary work. This false negative means the organization is not patching, not monitoring for exploitation, and not scanning those servers for indicators of compromise — while attackers with publicly available exploit code are actively probing for exactly this vulnerability.

The defense: Before relying on a scan report after a major public disclosure, update signatures and re-scan. Do not treat an existing scan report as covering newly disclosed vulnerabilities. When a high-severity vulnerability with public exploit code is disclosed, treat it as a potential false negative in any scan that predates the disclosure until a post-disclosure scan with updated signatures is complete.

Example 3 — CVSS Version Discrepancy Causes Prioritization Error
Scenario: A healthcare organization uses two vulnerability scanners — one for network infrastructure and one for clinical systems. Both scanners flag the same vulnerability (CVE-XXXX-YYYY) in a medical imaging system. The network scanner reports the CVSS score as 6.5 (Medium). The clinical systems scanner reports the same CVE with a score of 9.1 (Critical). The security team uses the Medium rating from the network scanner to schedule remediation in the next monthly maintenance window — 28 days away. The clinical systems scanner is using CVSS 3.x; the network scanner is using CVSS 2.0 scores from a legacy database. The 6.5 is a CVSS 2.0 score; the 9.1 is the current CVSS 3.x score for the same vulnerability.

What happened: Two scanners reported different scores for the same CVE because they are using different CVSS versions. CVSS 2.0 and CVSS 3.x use different methodologies and can produce substantially different scores for the same vulnerability. The security team relied on the lower (legacy) score without noting the version difference and deferred a Critical-severity finding for 28 days.

The consequence in context: A medical imaging system with a network-exploitable Critical vulnerability in a healthcare environment — where patient data and clinical operations are at stake — should be a 24–72 hour remediation target, not a 28-day one. The organizational context (healthcare, patient safety systems) further elevates the priority beyond what the CVSS score alone captures.

The lesson: When reviewing vulnerability findings, always note the CVSS version alongside the score. When two sources report different scores for the same CVE, use the higher (more current) version score as the basis for prioritization. For critical infrastructure organizations, the CVSS score is a floor for prioritization, not a ceiling — organizational context can only raise priority, not lower it.

Example 4 — Exposure Factor Determines Remediation Order When CVSS Scores Are Equal
Scenario: A vulnerability scan produces two High-severity findings, both scored 7.8 (CVSS 3.x). Finding A is a vulnerability in the organization's employee HR portal (internal-only, 500 users, no revenue dependency). Finding B is a vulnerability in the e-commerce checkout service (internet-facing, 200,000 customer transactions per day, direct revenue impact). The security team must decide which to patch first, given that both require the same effort and only one team has capacity to work this week.

Applying exposure factor analysis: Finding A (HR portal): a breach would expose employee PII to internal attackers; if the service goes down, employees cannot access HR functions. Estimated exposure factor: 15% (affects a small, internal-only function; no revenue impact). Finding B (checkout service): a breach exposes customer payment data and interrupts revenue generation; if exploited, the service could be disabled or compromised in ways that shut down all transactions. Estimated exposure factor: 80–100% (critical revenue path; external customer data; complete service loss possible).

The decision: With equal CVSS scores, the exposure factor drives prioritization. Finding B has a dramatically higher business impact per exploitation event. Even though the technical severity is identical, the business consequence of exploitation is not. Finding B should be patched first.

The formula in action: If the checkout service has an asset value of $2,000,000 (annual revenue throughput), an 80% exposure factor produces an SLE of $1,600,000 per incident. The HR portal at $100,000 asset value and 15% exposure factor produces an SLE of $15,000. Same CVSS score; 100× difference in business risk.

Example 5 — Risk Tolerance Decision During Active Exploitation
Scenario: A software vendor publishes a patch for a Critical vulnerability (CVSS 9.8) in a widely used web application framework. The patch is released at 9 AM on a Tuesday. By 11 AM, threat intelligence feeds confirm active exploitation of the vulnerability in the wild. The organization's standard patch policy requires a 72-hour testing window before deployment to production: install in staging, run regression tests, validate functionality, then deploy. The security team must decide whether to compress the testing cycle or follow standard procedure. The affected framework runs on 12 internet-facing production servers.

The dilemma: Standard policy (72-hour test cycle) minimizes the operational risk of deploying an untested patch that might break dependent applications. Following standard policy on a CVSS 9.8 vulnerability with confirmed active exploitation on 12 internet-facing servers means accepting a 72-hour window of known, actively-exploited exposure. This is the core patching dilemma: operational risk vs. vulnerability exposure window.

Risk tolerance adjustment: The combination of CVSS 9.8 score + active exploitation in the wild + internet-facing affected systems justifies compressing the standard test cycle. The calculated risk: deploy a less-thoroughly-tested patch and accept a small chance of application compatibility issues. The alternative risk: remain vulnerable for 72 hours to an actively exploited Critical vulnerability on internet-facing systems. For most organizations with reasonable risk tolerance, the former risk is dramatically lower.

The decision: Compress to a 4–8 hour accelerated test cycle in staging. Deploy to production by end of business Tuesday — within 12–15 hours of the exploit confirmation. Risk tolerance for a CVSS 9.8 with active exploitation on internet-facing systems is lower than for a CVSS 4.0 on an isolated internal system — the same organization, applied to different vulnerability contexts, has different appropriate risk tolerance levels.