The exam specifically tests whether you can distinguish between a false positive and a low-severity real finding. These are fundamentally different, and confusing them is a tested mistake.
False positive: The vulnerability does NOT exist on the system. Investigation reveals the scanner matched a signature but the system is not actually vulnerable. The correct action: document the investigation, mark it as a false positive, and remove it from the active remediation queue. It is not a real risk.
Low-severity finding: The vulnerability DOES exist on the system. It is real, confirmed, and present — it is just not urgent. The correct action: keep it in the tracking system, schedule remediation at the next appropriate maintenance window, and monitor it. It is a real risk that happens to be low priority.
Why this matters on the exam: A question may describe a finding that "does not require immediate action" and ask how to classify it. The answer depends entirely on whether the vulnerability is real or not — not on whether it is urgent. Closing a low-severity real finding as a false positive removes a genuine vulnerability from oversight.
The exam asks which type of scan error is more dangerous. The answer is always false negative, and the exam expects you to know why.
False positive consequence: Analyst investigates a non-existent vulnerability, documents it, closes it. Time is wasted. No breach occurs. The real security posture is unaffected.
False negative consequence: A real vulnerability exists. The scan did not detect it. The organization believes the system is clean. They do not patch. They do not monitor for exploitation. They do not include the system in incident response procedures for that vulnerability. Meanwhile, attackers may know about the vulnerability and probe for it. The false negative is an invisible blind spot that a false positive never creates.
The root cause to memorize: False negatives are caused by outdated vulnerability signatures. If the scanner's database does not have a signature for a vulnerability, it cannot detect it. The primary control: update signatures before every scan.
Exam trigger phrases for false negative questions: "unexpectedly clean report," "newly disclosed vulnerability," "signatures not updated," "organization believes it is safe but is not."
The exam tests awareness that a single CVE may have two different CVSS scores in a report — one from CVSS 2.0 and one from CVSS 3.x. This is not a discrepancy or error; it is expected because the two versions use different methodologies.
What the exam expects you to know:
- CVSS 2.0 is the legacy version; still present in older databases and some scanners
- CVSS 3.x is the current standard; more detailed scoring that often produces higher scores for the same vulnerability
- When two scores appear, note the version — do not assume the scores are interchangeable
- Use the CVSS 3.x score for prioritization when both are available
- The NVD at nvd.nist.gov publishes both versions and labels which is which
The trap answer: A question may present a scenario where an organization is using a 2.0 score of 6.5 (Medium) when the 3.x score is 9.1 (Critical) and ask what went wrong. The answer is: they used the wrong CVSS version and deprioritized a Critical finding as Medium.
A common exam mistake is treating risk tolerance as a single organizational policy that applies the same way to every finding. Risk tolerance is context-dependent and adjusts based on the specific vulnerability's characteristics.
Factors that lower risk tolerance (demand faster patching, less testing time acceptable):
- High CVSS score (especially Critical 9.0+)
- Internet-facing system affected
- Public exploit code exists or active exploitation confirmed in the wild
- Critical infrastructure organization (healthcare, utilities, financial, government)
- System directly tied to revenue or public safety
Factors that raise risk tolerance (allow standard or extended test cycle):
- Low CVSS score
- Isolated test environment; no network connectivity to production
- No public exploit code; theoretical vulnerability only
- Internal-only system with small, technical user base
Standard tiered SLAs (memorize these for the exam): Critical: 24–72 hours — High: 7–14 days — Medium: 30 days — Low: next scheduled maintenance window.
The patching dilemma (exam-tested): Patch immediately → minimizes exposure window but skips testing, introducing operational risk. Test thoroughly → minimizes operational risk but extends vulnerability window. Risk tolerance determines how this trade-off resolves for each specific finding.