CURRENT CYSA+ V4 OBJECTIVES

CySA+ Vulnerability Management Guide

Prepare for CS0-004 Domain 2 with modern scanning methods, defensible tool-output analysis, exploit-informed prioritization, remediation choices, and validation workflows.

Last updated: July 17, 2026Domain 2: 26%Exam code: CS0-004
CompTIA CySA+

Version correction: CS0-004 is now current

CompTIA launched CySA+ V4 on June 23, 2026. CS0-003 remains available as the retiring V3 English exam until December 22, 2026, but new candidates should use CS0-004 objectives. Vulnerability Management changed from 30% in V3 to 26% in V4.

CS0-004 Domain 2 objective map

CompTIA groups the current domain around four analyst outcomes. Study the decision process and evidence, not only tool names.

2.1

Select scanning methods

Choose suitable techniques across systems, networks, applications, cloud, and software supply chains.

2.2

Analyze tool output

Interpret findings, validate evidence, and distinguish vulnerability, exposure, and scanner error.

2.3

Prioritize & mitigate

Combine scoring, exploitation evidence, threat intelligence, asset criticality, and compensating controls.

2.4

Apply risk & controls

Connect treatment decisions to ownership, policy, compliance, exceptions, and reporting.

OBJECTIVE 2.1

Select the right scanning method

The best scan balances visibility, authorization, production impact, credentials, target type, and freshness. Define scope and safe operating limits before choosing a scanner.

Infrastructure scanning

Authenticated scans inspect configuration and patch state with fewer guesses; unauthenticated scans show an attacker’s external view. Internal, external, agent-based, and agentless methods answer different questions.

  • Schedule intrusive checks around operational constraints and rate limits.
  • Use asset inventory and discovery to identify blind spots before measuring coverage.
  • Record scanner engine, plugin/feed version, credentials, scope, and exclusions.

Application, cloud, container & software scanning

Modern programs combine DAST, SAST, software composition analysis (SCA), secrets scanning, IaC checks, cloud configuration assessment, container image scanning, and runtime context.

  • SCA maps dependencies and transitive packages to advisories and license risk.
  • Container scans should cover base images, packages, secrets, configuration, and deployed runtime exposure.
  • Cloud findings need account, identity, public exposure, region, and control-plane context.

OBJECTIVE 2.2

Analyze and validate tool output

Scanner output is evidence to investigate, not an automatic verdict. Confirm asset identity, affected version/configuration, reachability, detection method, and whether a compensating control changes practical exposure.

Validate a finding

  1. 1. Confirm the asset, owner, service, and scan timestamp.
  2. 2. Read the plugin evidence and detection method.
  3. 3. Verify version, configuration, and exposure manually or with a second safe method.
  4. 4. Document false-positive reasoning and evidence.

Explain false results

  • False positive: banner/backport mismatch, stale inventory, proxy response, or unrecognized compensating control.
  • False negative: missing credentials, excluded target, blocked probe, stale plugin, ephemeral asset, or untested code path.

OBJECTIVE 2.3

Exploit-informed prioritization

CVSS estimates technical severity. EPSS estimates near-term exploitation probability, CISA KEV confirms known exploitation, and business context measures what the exposed asset means to the organization.

Prioritization decision flow

  1. 01

    Validate

    Is the finding real and current?

  2. 02

    Check exploitation

    KEV, EPSS, exploit maturity, threat intel.

  3. 03

    Map exposure

    Reachability, privileges, attack path.

  4. 04

    Add impact

    Asset criticality, data, safety, availability.

  5. 05

    Set SLA

    Owner, treatment, deadline, escalation.

OBJECTIVES 2.3, 2.4

Choose and govern remediation

Treatment must match risk appetite, operational constraints, ownership, and evidence. Emergency changes may be justified, but they still require authorization, rollback planning, and validation.

Vulnerability treatment comparison
TreatmentUse whenExamplesRequired evidenceFollow-up
FixA supported correction is feasiblePatch, upgrade, secure configuration, remove componentChange approval, test, rollback planRescan and service validation
MitigateImmediate fix is unavailable or disruptiveSegmentation, WAF rule, disable feature, restrict identityControl effectiveness and residual riskMonitor and track permanent fix
AcceptResidual risk is within approved toleranceLow-impact legacy exception with safeguardsNamed risk owner, rationale, expiry datePeriodic review and reauthorization
TransferAnother party can bear defined financial/operational riskInsurance or contractual allocationCoverage, exclusions, obligationsStill reduce preventable technical risk

OBJECTIVES 2.2–2.4

Validate, measure & communicate

A ticket marked complete is not proof. Verify the control state and business service, then communicate residual risk in language appropriate for technical owners and decision-makers.

Technical validation

Rescan, inspect configuration/version, test the affected path safely, and confirm compensating-control telemetry.

Program metrics

Coverage, credential success, age, SLA compliance, mean time to remediate, reopen rate, exceptions, and risk reduction.

Reporting

State affected assets, evidence, exploit context, impact, owner, treatment, deadline, residual risk, and escalation path.

MODERN TOOL CONTEXT

Tool and data-source map

Know the purpose, input, output, and limitations of tool categories. Product-specific menus are less important than interpreting evidence.

Infrastructure

Nessus, Greenbone/OpenVAS, Qualys VMDR, and Nmap.

Web & application

Burp Suite, SAST/DAST, API testing, secrets scanning, and authenticated application context.

Cloud & containers

Trivy, cloud security posture management, IaC scanning, image registries, and runtime exposure.

Software composition

OWASP Dependency-Check, SCA, SBOMs, package monitoring, and transitive dependencies.

Vulnerability records

NVD and CVE identify and enrich known vulnerabilities.

Exploitation context

CISA KEV, EPSS, threat intelligence, and exploit maturity.

Interactive analyst scenarios

Choose an action before opening the answer. More than one response may eventually be required; select the best next step from the evidence provided.

Scenario 1: A scan reports CVSS 9.8 on an Internet-facing Apache server. Patch immediately, disable it, report a false positive, or notify the owner and initiate the approved change process?
Best answer: validate the affected version and exposure, notify the owner, and initiate the approved or emergency change process. Immediate containment may be necessary if exploitation is active, but uncontrolled patching or shutdown can create additional impact.
Scenario 2: A medium-CVSS flaw appears in CISA KEV on an externally reachable identity gateway, while a critical flaw affects an isolated test host. Which goes first?
Best answer: prioritize the known-exploited, reachable identity gateway after validating both findings. Active exploitation, exposure, privilege impact, and asset role outweigh base score alone.
Scenario 3: A patched Linux server is still flagged because the package version looks old, but the vendor backported the security fix. What should the analyst do?
Best answer: verify the vendor advisory and installed build, document the backport evidence, and mark the scanner result as a validated false positive or create a narrowly scoped exception. Do not suppress all findings for that product.
Scenario 4: A container image has a critical library CVE, but the vulnerable function is not reachable in the deployed service. Can the team close it?
Best answer: treat reachability as prioritization evidence, not proof that risk is permanently absent. Confirm deployment context, exploit path, and compensating controls; assign a time-bound treatment and rescan the rebuilt image.

Continue with timed practice

Review every explanation, including correct answers, and note which evidence changed the priority or treatment.

Try the CySA+ quiz

Verified references

Version, launch date, domain weighting, and objective summaries were verified against CompTIA’s current CySA+ V4 page on July 17, 2026.