OBJECTIVE 2.1
Select the right scanning method
The best scan balances visibility, authorization, production impact, credentials, target type, and freshness. Define scope and safe operating limits before choosing a scanner.
Infrastructure scanning
Authenticated scans inspect configuration and patch state with fewer guesses; unauthenticated scans show an attacker’s external view. Internal, external, agent-based, and agentless methods answer different questions.
- Schedule intrusive checks around operational constraints and rate limits.
- Use asset inventory and discovery to identify blind spots before measuring coverage.
- Record scanner engine, plugin/feed version, credentials, scope, and exclusions.
Application, cloud, container & software scanning
Modern programs combine DAST, SAST, software composition analysis (SCA), secrets scanning, IaC checks, cloud configuration assessment, container image scanning, and runtime context.
- SCA maps dependencies and transitive packages to advisories and license risk.
- Container scans should cover base images, packages, secrets, configuration, and deployed runtime exposure.
- Cloud findings need account, identity, public exposure, region, and control-plane context.
OBJECTIVE 2.2
Analyze and validate tool output
Scanner output is evidence to investigate, not an automatic verdict. Confirm asset identity, affected version/configuration, reachability, detection method, and whether a compensating control changes practical exposure.
Validate a finding
- 1. Confirm the asset, owner, service, and scan timestamp.
- 2. Read the plugin evidence and detection method.
- 3. Verify version, configuration, and exposure manually or with a second safe method.
- 4. Document false-positive reasoning and evidence.
Explain false results
- False positive: banner/backport mismatch, stale inventory, proxy response, or unrecognized compensating control.
- False negative: missing credentials, excluded target, blocked probe, stale plugin, ephemeral asset, or untested code path.
OBJECTIVE 2.3
Exploit-informed prioritization
CVSS estimates technical severity. EPSS estimates near-term exploitation probability, CISA KEV confirms known exploitation, and business context measures what the exposed asset means to the organization.
0.0
0.1–3.9
4.0–6.9
7.0–8.9
9.0–10.0
Prioritization decision flow
- 01
Validate
Is the finding real and current?
- 02
Check exploitation
KEV, EPSS, exploit maturity, threat intel.
- 03
Map exposure
Reachability, privileges, attack path.
- 04
Add impact
Asset criticality, data, safety, availability.
- 05
Set SLA
Owner, treatment, deadline, escalation.
OBJECTIVES 2.3, 2.4
Choose and govern remediation
Treatment must match risk appetite, operational constraints, ownership, and evidence. Emergency changes may be justified, but they still require authorization, rollback planning, and validation.
| Treatment | Use when | Examples | Required evidence | Follow-up |
|---|---|---|---|---|
| Fix | A supported correction is feasible | Patch, upgrade, secure configuration, remove component | Change approval, test, rollback plan | Rescan and service validation |
| Mitigate | Immediate fix is unavailable or disruptive | Segmentation, WAF rule, disable feature, restrict identity | Control effectiveness and residual risk | Monitor and track permanent fix |
| Accept | Residual risk is within approved tolerance | Low-impact legacy exception with safeguards | Named risk owner, rationale, expiry date | Periodic review and reauthorization |
| Transfer | Another party can bear defined financial/operational risk | Insurance or contractual allocation | Coverage, exclusions, obligations | Still reduce preventable technical risk |
OBJECTIVES 2.2–2.4
Validate, measure & communicate
A ticket marked complete is not proof. Verify the control state and business service, then communicate residual risk in language appropriate for technical owners and decision-makers.
Technical validation
Rescan, inspect configuration/version, test the affected path safely, and confirm compensating-control telemetry.
Program metrics
Coverage, credential success, age, SLA compliance, mean time to remediate, reopen rate, exceptions, and risk reduction.
Reporting
State affected assets, evidence, exploit context, impact, owner, treatment, deadline, residual risk, and escalation path.
MODERN TOOL CONTEXT
Tool and data-source map
Know the purpose, input, output, and limitations of tool categories. Product-specific menus are less important than interpreting evidence.
Infrastructure
Nessus, Greenbone/OpenVAS, Qualys VMDR, and Nmap.
Web & application
Burp Suite, SAST/DAST, API testing, secrets scanning, and authenticated application context.
Cloud & containers
Trivy, cloud security posture management, IaC scanning, image registries, and runtime exposure.
Software composition
OWASP Dependency-Check, SCA, SBOMs, package monitoring, and transitive dependencies.
