CompTIA PenTest+ (PT0-003): Vulnerability Discovery and Analysis

Vulnerability Discovery and Analysis is 17% of the CompTIA PenTest+ (PT0-003) exam. This module covers how you scan for weaknesses, separate real findings from noise, and decide which flaws to attack first. A scanner gives you a list. Your job is to prove which items are real and which matter.
You take the live hosts and services from reconnaissance and look for exploitable weaknesses. Then you analyze the results, validate them, and prioritize. The scanner is the easy part. The analysis is what separates a professional report from an automated dump.
Vulnerability Scan Types
You match the scan to the target. Each type finds different classes of flaws.
| Scan type | What it checks | Example tool |
|---|---|---|
| Network scan | Open ports, service versions, known CVEs | Nessus, OpenVAS |
| Host-based scan | Local patches, configuration, missing hardening | Nessus agent |
| Container scan | Vulnerable packages in container images | Grype, Trivy |
| Application scan | Web and code flaws | Nikto, Burp Suite |
Application scanning has its own sub-methods you must know:
- DAST (Dynamic Application Security Testing) - tests the running application from the outside, like a real attacker
- SAST (Static Application Security Testing) - reads the source code without running it
- IAST (Interactive Application Security Testing) - combines both, instrumenting the app while it runs
- SCA (Software Composition Analysis) - finds known-vulnerable third-party libraries and dependencies
You run an unauthenticated web scan with Nikto to find obvious server misconfigurations:
```bash
nikto -h https://app.example.com
```
You scan a container image for vulnerable packages with Trivy:
```bash
trivy image nginx:1.18.0
```
Authenticated vs. Unauthenticated Scans
The level of access changes what a scan can see.
| Scan | Access | Finds |
|---|---|---|
| Unauthenticated | No credentials, outside view | What an external attacker sees |
| Authenticated | Valid credentials, inside view | Missing patches, weak local config, deeper flaws |
Authenticated scans find far more because they read the system from the inside. You also run secrets scanning to find exposed keys and passwords. TruffleHog digs through Git history for committed secrets:
```bash
trufflehog git https://github.com/example/repo
```
Industrial Control System (ICS) Assessment
ICS and OT environments are fragile. A scan that a normal server shrugs off can crash a programmable logic controller and stop a production line. You assess them carefully:
- Manual assessment instead of aggressive automated scanning
- Port mirroring to passively watch traffic without sending packets to sensitive devices
Never run a default Nessus scan against a live ICS network. You watch and ask, you do not blast. For more on why these environments are so risky, see why OT and ICS cybersecurity is fundamentally broken.
Analyzing Results
Scanners lie in both directions. You analyze the output to classify each result.
| Result | Meaning | Your action |
|---|---|---|
| True positive | A real, confirmed vulnerability | Report and prioritize it |
| False positive | The scanner flagged a flaw that is not real | Discard it after manual verification |
| False negative | A real flaw the scanner missed | Find it through manual testing |
You correlate output from reconnaissance, scanning, and enumeration to confirm findings. A scanner that reports “Apache 2.4.49 path traversal” means little until you manually confirm the version and prove the path traversal works.
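One way to do that correlation in code, as an added example that is not part of the course material: the scanner findings and nmap-style banners below are constructed, and a version match only promotes a finding to "candidate", which still needs manual proof before it is reported as a true positive.

```python
"""Correlate scanner findings with reconnaissance banners (added example).

All hosts, banners and finding names here are constructed sample data.
"""
from dataclasses import dataclass

# Constructed recon output: "host:port" -> service banner seen by nmap -sV
RECON_BANNERS = {
    "10.0.0.5:80": "Apache httpd 2.4.49",
    "10.0.0.6:80": "Apache httpd 2.4.57",
    "10.0.0.7:22": "OpenSSH 8.9p1",
}

# Constructed scanner output: (target, finding name, product, version claimed)
SCANNER_FINDINGS = [
    ("10.0.0.5:80", "Apache 2.4.49 path traversal", "Apache httpd", "2.4.49"),
    ("10.0.0.6:80", "Apache 2.4.49 path traversal", "Apache httpd", "2.4.49"),
    ("10.0.0.7:22", "OpenSSH 7.x user enumeration", "OpenSSH", "7."),
    ("10.0.0.9:443", "TLS 1.0 enabled", "TLS", "1.0"),
]


@dataclass
class Triage:
    target: str
    finding: str
    status: str   # "candidate", "likely-false-positive" or "unknown"
    reason: str


def triage(findings, banners):
    """Classify each scanner finding against what recon actually observed."""
    results = []
    for target, name, product, claimed in findings:
        banner = banners.get(target)
        if banner is None:
            status, reason = "unknown", "no recon banner for target; enumerate it first"
        elif product in banner and claimed in banner:
            status, reason = "candidate", f"banner '{banner}' matches claimed {claimed}; verify by hand"
        else:
            status, reason = "likely-false-positive", f"banner '{banner}' does not match claimed {claimed}"
        results.append(Triage(target, name, status, reason))
    return results


if __name__ == "__main__":
    for t in triage(SCANNER_FINDINGS, RECON_BANNERS):
        print(f"{t.target:16} {t.status:22} {t.finding} ({t.reason})")
```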
Physical Security Concepts
Penetration testing is not only digital. The exam covers physical attacks you may be asked to assess:
- Tailgating - following an authorized person through a secure door
- Site surveys - mapping cameras, guards, entrances, and badge readers
- USB drops - leaving malicious USB drives for curious employees to plug in
- Badge cloning - copying an RFID access badge
- Lock picking - bypassing physical locks
Prioritizing Attacks
You cannot exploit everything, so you rank findings before you attack. The exam expects you to use standard scoring systems:
| Standard | Purpose |
|---|---|
| CVE | A unique ID for a specific known vulnerability |
| CWE | A category of weakness, like “SQL injection” |
| CVSS | A 0 to 10 severity score for a vulnerability |
| EPSS | The probability a vulnerability will be exploited in the wild |
CVSS tells you how bad a flaw is in theory. EPSS tells you how likely attackers are to use it in practice. You combine both, then weight for end-of-life systems, default configurations, and exposed running services. A CVSS 7.5 flaw with a high EPSS score on an internet-facing server outranks a CVSS 9.8 flaw on an isolated, patched host.
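The ranking logic described above, carried through in code as an added example (not a CompTIA or FIRST formula): the weighting factors are assumptions chosen for illustration, and the two findings reproduce the page's case of a CVSS 7.5 internet-facing flaw outranking a CVSS 9.8 flaw on an isolated, patched host.

```python
"""Rank validated findings by CVSS, EPSS and exposure (added example).

The multipliers below are an assumed risk model for illustration; tune
them to the engagement. Finding labels are placeholders, not real CVE ids.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    label: str
    cvss: float              # 0.0 to 10.0 base severity
    epss: float              # 0.0 to 1.0 probability of exploitation in the wild
    internet_facing: bool = False
    end_of_life: bool = False
    default_config: bool = False
    patched: bool = False    # host already has a mitigating patch or control


def priority_score(f: Finding) -> float:
    """Combine theoretical severity (CVSS) with practical likelihood (EPSS),
    then weight for the context factors the module lists."""
    score = f.cvss * (0.3 + 0.7 * f.epss)   # assumption: EPSS scales severity, 30% floor
    if f.internet_facing:
        score *= 1.5                         # assumption: exposed service weighs heavily
    if f.end_of_life:
        score *= 1.3                         # assumption: no vendor fix coming
    if f.default_config:
        score *= 1.2                         # assumption: default creds/settings
    if f.patched:
        score *= 0.1                         # assumption: mitigated host is mostly noise
    return round(score, 2)


def rank(findings):
    """Return findings ordered from first-to-attack to last."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed findings mirroring the page's comparison
FINDING_A = Finding("FINDING-A", cvss=7.5, epss=0.90, internet_facing=True)
FINDING_B = Finding("FINDING-B", cvss=9.8, epss=0.02, patched=True)

if __name__ == "__main__":
    for f in rank([FINDING_B, FINDING_A]):
        print(f"{f.label}: CVSS {f.cvss} EPSS {f.epss} -> priority {priority_score(f)}")
```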
Next Steps
You now have a validated, prioritized list of weaknesses. Move to Attacks and Exploits, the largest domain, to exploit them, then Post-exploitation and Lateral Movement to expand access. Revisit Reconnaissance and Enumeration if a finding needs more context, and return to the CompTIA PenTest+ Course for the full path.