Vulnerability Discovery and Analysis is 17% of the CompTIA PenTest+ (PT0-003) exam. This module covers how you scan for weaknesses, separate real findings from noise, and decide which flaws to attack first. A scanner gives you a list. Your job is to prove which items are real and which matter.

You take the live hosts and services from reconnaissance and look for exploitable weaknesses. Then you analyze the results, validate them, and prioritize. The scanner is the easy part. The analysis is what separates a professional report from an automated dump.

Vulnerability Scan Types

You match the scan to the target. Each type finds different classes of flaws.

Scan type          What it checks                                   Example tool
Network scan       Open ports, service versions, known CVEs         Nessus, OpenVAS
Host-based scan    Local patches, configuration, missing hardening  Nessus agent
Container scan     Vulnerable packages in container images          Grype, Trivy
Application scan   Web and code flaws                               Nikto, Burp Suite

Application scanning has its own sub-methods you must know:

  • DAST (Dynamic Application Security Testing) - tests the running application from the outside, like a real attacker
  • SAST (Static Application Security Testing) - reads the source code without running it
  • IAST (Interactive Application Security Testing) - combines both, instrumenting the app while it runs
  • SCA (Software Composition Analysis) - finds known-vulnerable third-party libraries and dependencies

You run an unauthenticated web scan with Nikto to find obvious server misconfigurations:

nikto -h https://app.example.com

You scan a container image for vulnerable packages with Trivy:

trivy image nginx:1.18.0

Authenticated vs. Unauthenticated Scans

The level of access changes what a scan can see.

Scan             Access                          Finds
Unauthenticated  No credentials, outside view    What an external attacker sees
Authenticated    Valid credentials, inside view  Missing patches, weak local config, deeper flaws

Authenticated scans find far more because they read the system from the inside. You also run secrets scanning to find exposed keys and passwords. TruffleHog digs through Git history for committed secrets:

trufflehog git https://github.com/example/repo

Industrial Control System (ICS) Assessment

ICS and OT environments are fragile. A scan that a normal server shrugs off can crash a programmable logic controller and stop a production line. You assess them carefully:

  • Manual assessment instead of aggressive automated scanning
  • Port mirroring to passively watch traffic without sending packets to sensitive devices

Never run a default Nessus scan against a live ICS network. You watch and ask, you do not blast. For more on why these environments are so risky, see why OT and ICS cybersecurity is fundamentally broken.

Analyzing Results

Scanners lie in both directions. You analyze the output to classify each result.

Result           Meaning                                      Your action
True positive    A real, confirmed vulnerability              Report and prioritize it
False positive   The scanner flagged a flaw that is not real  Discard it after manual verification
False negative   A real flaw the scanner missed               Find it through manual testing

You correlate output from reconnaissance, scanning, and enumeration to confirm findings. A scanner that reports “Apache 2.4.49 path traversal” means little until you manually confirm the version and prove the path traversal works.

Physical Security Concepts

Penetration testing is not only digital. The exam covers physical attacks you may be asked to assess:

  • Tailgating - following an authorized person through a secure door
  • Site surveys - mapping cameras, guards, entrances, and badge readers
  • USB drops - leaving malicious USB drives for curious employees to plug in
  • Badge cloning - copying an RFID access badge
  • Lock picking - bypassing physical locks

Prioritizing Attacks

You cannot exploit everything, so you rank findings before you attack. The exam expects you to use standard scoring systems:

Standard  Purpose
CVE       A unique ID for a specific known vulnerability
CWE       A category of weakness, like “SQL injection”
CVSS      A 0 to 10 severity score for a vulnerability
EPSS      The probability a vulnerability will be exploited in the wild

CVSS tells you how bad a flaw is in theory. EPSS tells you how likely attackers are to use it in practice. You combine both, then weight for end-of-life systems, default configurations, and exposed running services. A CVSS 7.5 flaw with a high EPSS score on an internet-facing server outranks a CVSS 9.8 flaw on an isolated, patched host.
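One way to turn the ranking rule above into code, as an added example that is not part of the course material: it combines CVSS with EPSS and then weights for exposure, end-of-life status and default configuration. The multipliers, placeholder CVE IDs and sample hosts are constructed assumptions, not an exam formula.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    cve: str              # placeholder IDs in the sample data, not real advisories
    cvss: float           # CVSS base score, 0.0 to 10.0 (how bad in theory)
    epss: float           # EPSS probability, 0.0 to 1.0 (how likely in practice)
    internet_facing: bool = False
    end_of_life: bool = False
    default_config: bool = False
    patched: bool = False


def risk_score(f: Finding) -> float:
    """Combine CVSS severity with EPSS likelihood, then weight for context.

    The multipliers are constructed for this example; tune them per engagement.
    """
    if f.patched:
        return 0.0                            # confirmed patched: nothing to exploit
    score = f.cvss * (0.2 + 0.8 * f.epss)     # low EPSS shrinks the score toward 20% of CVSS
    if f.internet_facing:
        score *= 1.5                          # exposed running service: reachable by anyone
    if f.end_of_life:
        score *= 1.3                          # no vendor fix is coming
    if f.default_config:
        score *= 1.2                          # default settings/credentials are widely known
    return round(min(score, 10.0), 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered from first-to-attack to last."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings mirroring the module's own comparison.
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-XXXX-0001", cvss=7.5, epss=0.90, internet_facing=True),
    Finding("db02", "CVE-XXXX-0002", cvss=9.8, epss=0.02),                 # isolated, low EPSS
    Finding("legacy03", "CVE-XXXX-0003", cvss=6.5, epss=0.30, end_of_life=True, default_config=True),
    Finding("app04", "CVE-XXXX-0004", cvss=9.8, epss=0.95, patched=True),  # scanner noise: already patched
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.2f}  {f.host:10} {f.cve}")
```

The CVSS 7.5 internet-facing finding lands at the top and the CVSS 9.8 flaw on the isolated host drops well below it, which is the ordering the text describes.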

Next Steps

You now have a validated, prioritized list of weaknesses. Move to Attacks and Exploits, the largest domain, to exploit them, then Post-exploitation and Lateral Movement to expand access. Revisit Reconnaissance and Enumeration if a finding needs more context, and return to the CompTIA PenTest+ Course for the full path.