
CompTIA CySA+ CS0-004 — Vulnerability Management

Scanning methods, CVSS v3.1 scoring, EPSS, risk prioritization, remediation strategies, and compliance — the complete 26% domain.

Domain weight: 26% · Exam questions: ~22 · CVSS scale: 0–10 · Passing score: 750
Domain Overview
Vulnerability Management is 26% of the CS0-004 exam — approximately 22 questions.

This domain covers the full vulnerability management lifecycle: discovering and inventorying assets, scanning with the right methodology, analyzing and prioritizing findings using CVSS and business context, implementing remediation, validating fixes, and reporting status. It also covers compliance-driven scanning requirements for frameworks like PCI DSS and HIPAA.


🔍 Scanning & Discovery

  • Asset inventory and classification
  • Credentialed vs. non-credentialed scans
  • Agent vs. agentless, active vs. passive
  • Internal vs. external scan perspectives

📊 Analysis & Scoring

  • CVSS v3.1 Base, Temporal, Environmental
  • EPSS — exploit prediction probability
  • False positive handling
  • Asset criticality in scoring

🩹 Remediation

  • Patching, config changes, compensating controls
  • Maintenance windows and rollback plans
  • Remediation tracking and exception management
  • Inhibitors to remediation

✅ Validation & Compliance

  • Retest and verify remediation effectiveness
  • PCI DSS, HIPAA, NIST compliance scanning
  • CIS Benchmark baseline scanning
  • Reporting status and exceptions
Key Concepts
Seven sections covering every exam-tested topic.
[KEY] Asset Discovery & Inventory
  • Asset inventory: The foundation of vulnerability management — you can't protect what you don't know about. Inventory should capture: IP address, hostname, OS, installed software, owner, criticality classification, and location (on-premises vs. cloud).
  • CMDB (Configuration Management Database): Authoritative source of asset records. Should be kept current through automated discovery tools and change management integration.
  • Asset classification: Categorize assets by criticality (critical/high/medium/low) based on the data they process and their role. Critical assets (payment systems, identity infrastructure) require more frequent scanning and faster remediation SLAs.
  • Discovery methods: Active network scanning (Nmap), passive network monitoring (traffic analysis), agent deployment (EDR agents report asset details), cloud API inventory (AWS Config, Azure Resource Graph).
  • Shadow IT: Assets not known to the security team present unscanned risk. Discovery scanning should cover all IP space, not just known assets.
[HOT] Scanning Methods — The Key Distinctions

The CS0-004 exam heavily tests scanning method distinctions. Know each pair cold.

Comparison | Option A | Option B | Key Distinction
Credentialed vs. Non-Credentialed | Credentialed: authenticates to target, examines config from inside | Non-credentialed: probes externally, only sees what's network-exposed | Credentialed = far more thorough, fewer false positives, detects misconfigs and missing patches
Agent vs. Agentless | Agent: software installed on target, provides continuous assessment, works offline | Agentless: no install needed, uses protocols (SSH/WMI/SNMP), point-in-time | Agent = persistent, works off-network. Agentless = no software install, but requires credentials and network access
Active vs. Passive | Active: sends probes to targets, detects open ports and services, generates traffic | Passive: monitors existing traffic, identifies assets by what they communicate | Active = complete but disruptive. Passive = stealthy, no disruption, misses offline assets
Internal vs. External | Internal: scanner inside network, simulates insider/lateral movement perspective | External: scanner outside perimeter, simulates internet attacker's view | Both needed. External shows attack surface; internal finds vulnerabilities unreachable from outside
⚠️ Scan planning must consider: operational impact (OT/critical systems may crash under active scanning), scan schedule (avoid peak business hours), sensitivity of targets (medical devices, ICS), and regulatory requirements (PCI DSS requires quarterly external scans).
[HOT] CVSS v3.1 Scoring

CVSS (Common Vulnerability Scoring System) v3.1 provides a standardized 0–10 score. Know the metric groups and score ranges.

  • Attack Vector (AV): N=Network, A=Adjacent, L=Local, P=Physical. Network is worst (remotely exploitable).
  • Attack Complexity (AC): L=Low (no special conditions), H=High (requires specific conditions). Low is worse.
  • Privileges Required (PR): N=None, L=Low, H=High. None is worst (no account needed).
  • User Interaction (UI): N=None, R=Required. None is worse (no user action needed).
  • Scope (S): U=Unchanged (impact limited to vulnerable component), C=Changed (impact extends beyond — e.g., container escape to host).
  • CIA Impact (C/I/A): each rated N=None, L=Low, H=High. High across all three = 10.0 critical.

Score ranges: 0.0=None | 0.1–3.9=Low | 4.0–6.9=Medium | 7.0–8.9=High | 9.0–10.0=Critical

  • Temporal score: Adjusts Base score based on current exploit availability (Exploit Code Maturity), remediation level, and report confidence. A vulnerability with a public working exploit has a higher temporal score than one without.
  • Environmental score: Adjusts score based on the organization's specific context — asset criticality (Modified Impact metrics), presence of compensating controls (Modified Attack metrics).
📌 CVSS alone is not sufficient for prioritization. A 9.8 CVSS vulnerability on an isolated test system is less urgent than a 7.0 CVSS vulnerability on an internet-facing payment server with a public exploit available.
[KEY] EPSS & Contextual Risk Prioritization
  • EPSS (Exploit Prediction Scoring System): A machine-learning model that outputs a probability (0–1) that a vulnerability will be exploited in the wild within 30 days. Published by FIRST alongside CVSS scores for CVEs.
  • CVSS vs. EPSS: CVSS measures inherent severity. EPSS measures real-world exploitation probability. A high-CVSS low-EPSS vulnerability exists in theory; a lower-CVSS high-EPSS vulnerability is actively being exploited. Use both together.
  • CISA KEV (Known Exploited Vulnerabilities) catalog: CISA's authoritative list of CVEs actively exploited in the wild. Federal agencies must patch KEV entries within defined windows. For any organization, KEV entries should be treated as highest priority regardless of CVSS score.
  • Contextual factors for prioritization:
    • Asset criticality — is this system storing PCI cardholder data or PHI?
    • Exposure — is the vulnerability internet-facing or internal-only?
    • Exploit availability — public working exploit = higher risk than theoretical
    • Compensating controls — firewall blocks the attack vector? Reduces risk.
    • Business impact — what happens if this system is compromised?
  • False positive handling: Validate before remediating. Methods: manual verification (can you actually exploit it?), credentialed rescan, vendor advisory cross-reference. False positives waste remediation resources.
  • False negatives: Real vulnerabilities the scanner missed. More dangerous — creates false sense of security. Reduced by credentialed scanning and multiple scanner tools.
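The contextual factors above can be turned into a repeatable ranking rule. The example below is added here and is not part of the FlashGenius page; the tier boundaries, the EPSS threshold and the SLA days are assumed policy values chosen for illustration, not a published standard, and the findings are constructed.

```python
"""Contextual vulnerability prioritization: KEV, exposure, EPSS, criticality, CVSS."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float               # CVSS v3.1 base score, 0.0-10.0
    epss: float               # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool              # listed in the CISA KEV catalog
    internet_facing: bool
    asset_criticality: str    # "critical" | "high" | "medium" | "low"
    public_exploit: bool = False
    compensating_control: bool = False   # e.g. a firewall already blocks the attack vector


CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
EPSS_LIKELY = 0.1                       # assumed threshold for "likely to be exploited"
SLA_DAYS = {0: 3, 1: 7, 2: 14, 3: 30, 4: 90}   # assumed remediation SLA per tier


def tier(f):
    """Priority tier, lower is more urgent. KEV entries win regardless of CVSS."""
    if f.in_kev:
        return 0
    exploited_likely = f.epss >= EPSS_LIKELY or f.public_exploit
    exposed = f.internet_facing and not f.compensating_control
    if exposed and exploited_likely:
        return 1                        # reachable from the internet and being exploited
    if (f.cvss >= 9.0 and f.asset_criticality in ("critical", "high")
            and not f.compensating_control):
        return 2                        # critical severity on a crown-jewel asset
    if f.cvss >= 7.0 or exploited_likely:
        return 3
    return 4


def sort_key(f):
    # Within a tier: exposed before internal, critical assets first, then EPSS, then CVSS.
    return (tier(f), not f.internet_facing, CRITICALITY_RANK[f.asset_criticality],
            -f.epss, -f.cvss)


def prioritize(findings):
    return sorted(findings, key=sort_key)


def remediation_plan(findings):
    """Ordered list of (cve, asset, tier, sla_days)."""
    return [(f.cve, f.asset, tier(f), SLA_DAYS[tier(f)]) for f in prioritize(findings)]


# Constructed sample findings (placeholder CVE labels, hypothetical assets).
SAMPLE = [
    Finding("CVE-A", "dev-build-01", 9.8, 0.01, False, False, "low"),
    Finding("CVE-B", "auth-portal", 7.2, 0.80, True, True, "critical", public_exploit=True),
    Finding("CVE-C", "marketing-www", 5.3, 0.40, False, True, "medium", public_exploit=True),
    Finding("CVE-D", "payments-db", 9.1, 0.02, False, False, "critical",
            compensating_control=True),
]

if __name__ == "__main__":
    for cve, asset, t, sla in remediation_plan(SAMPLE):
        print(f"tier {t}  fix within {sla:>2} days  {cve:6} on {asset}")
```

With these rules the 7.2 on the internet-facing, KEV-listed portal is fixed first and the isolated 9.8 on the development box lands in tier 3, which is the reasoning the 📌 note above asks for; the 5.3 with a public exploit on a public web host outranks both internal 9.x findings because exposure and exploitation status, not severity alone, drive the order.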
[KEY] Remediation Strategies & Exception Management
  • Patching: Primary remediation — apply vendor-supplied patch to fix the underlying vulnerability. Requires testing in non-prod before production deployment and a rollback plan.
  • Configuration changes: Remediate by changing settings rather than patching (e.g., disable unnecessary service, remove default credential, restrict network access). Often faster than patching.
  • Compensating controls: When patching isn't possible (OT systems, legacy software, vendor-unsupported systems) — add controls that reduce the exploitability: WAF rule, network segmentation, additional authentication, enhanced monitoring.
  • Maintenance windows: Coordinate with operations to patch during pre-approved windows with minimal business impact. Emergency windows for critical/exploited vulnerabilities may need immediate approval.
  • Rollback plans: Before patching, document how to reverse the change if the patch causes problems. Especially critical for production systems.
  • Exceptions and waivers: When a vulnerability cannot be remediated in the normal SLA, document: the vulnerability, the business justification, the compensating controls in place, the risk owner's signature, and a review date. Risk acceptance = formal approval of residual risk.
  • Inhibitors to remediation: Organizational factors that delay or prevent patching: technical debt (old systems that can't be patched), resource constraints (staff, budget), business risk aversion (fear of downtime), SLA conflicts (24/7 availability requirements), third-party dependencies (vendor must release patch first).
Remediation Validation & Reporting
  • Retest scanning: After applying remediation, rescan the affected system to verify the vulnerability is no longer detectable. Use the same scanner and scan type as the initial discovery.
  • Verification: Confirm the patch is applied (check software version, registry key, or configuration file). Some patches require reboots — verify the system actually restarted.
  • Tracking: Vulnerability management programs track status per finding: Open → In Remediation → Patched → Verified → Closed. Exception tracking for accepted risks with review dates.
  • Metrics for reporting: Vulnerability density (vulns per asset), mean time to remediation (MTTR for vulnerabilities), patch compliance % (what % of systems are within SLA), critical/high open count, trending over time.
  • Reporting for different audiences: Technical report = full CVE list, CVSS scores, affected systems, remediation steps. Executive report = risk summary, compliance status, trend, resource needs. Compliance report = evidence of scan completion, remediation within regulatory timeframes.
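The tracking states and reporting metrics listed above can be enforced in code rather than by convention. The tracker below is an added example, not part of the FlashGenius page or any vendor product: it allows only the Open → In Remediation → Patched → Verified → Closed transitions (plus a Risk Accepted exception state that requires a review date), refuses to close a finding that no rescan has verified, and computes MTTR and patch compliance % from constructed findings. The SLA days, asset names and dates are assumed values.

```python
"""Finding lifecycle tracker with an enforced retest step and reporting metrics."""
from datetime import date, timedelta

# Allowed transitions. "Closed" is reachable only from "Verified", so a finding
# cannot be closed on patch-deployment confirmation alone.
TRANSITIONS = {
    "Open": {"In Remediation", "Risk Accepted"},
    "In Remediation": {"Patched"},
    "Patched": {"Verified", "In Remediation"},   # rescan still detects it -> back to work
    "Verified": {"Closed"},
    "Risk Accepted": {"Open"},                    # exception expired or revoked
    "Closed": set(),
}

SAMPLE_TODAY = date(2026, 3, 10)   # assumed reporting date for the sample data


class Finding:
    def __init__(self, fid, asset, severity, opened, sla_days):
        self.fid, self.asset, self.severity = fid, asset, severity
        self.opened, self.sla_days = opened, sla_days
        self.state = "Open"
        self.history = [("Open", opened)]
        self.review_date = None          # set only for accepted risks

    def advance(self, new_state, when, review_date=None):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.fid}: {self.state} -> {new_state} is not allowed")
        if new_state == "Risk Accepted" and review_date is None:
            raise ValueError(f"{self.fid}: a risk exception needs a review date")
        self.state, self.review_date = new_state, review_date
        self.history.append((new_state, when))

    def closed_on(self):
        return next((d for s, d in self.history if s == "Closed"), None)

    def due(self):
        return self.opened + timedelta(days=self.sla_days)


def retest(finding, rescan_detected, when):
    """Apply a rescan result to a Patched finding: still detected means the patch
    did not take (failed install, pending reboot, wrong component)."""
    finding.advance("In Remediation" if rescan_detected else "Verified", when)


def mean_time_to_remediate(findings):
    """Average days from discovery to Closed, over closed findings only."""
    days = [(f.closed_on() - f.opened).days for f in findings if f.closed_on()]
    return sum(days) / len(days) if days else None


def patch_compliance_pct(findings, today):
    """Share of findings within SLA: closed by the due date, or still open and not
    yet overdue. Accepted risks are excluded from the denominator."""
    scored = [f for f in findings if f.state != "Risk Accepted"]
    ok = sum(1 for f in scored if (f.closed_on() or today) <= f.due())
    return 100.0 * ok / len(scored) if scored else 100.0


def close_without_retest_is_rejected():
    """Demonstrate the control: Patched -> Closed must be refused."""
    f = Finding("F-X", "test-host", "High", date(2026, 3, 1), sla_days=7)
    f.advance("In Remediation", date(2026, 3, 2))
    f.advance("Patched", date(2026, 3, 3))
    try:
        f.advance("Closed", date(2026, 3, 3))
    except ValueError:
        return True
    return False


def build_sample():
    """Constructed findings exercising each path of the lifecycle."""
    f1 = Finding("F-1", "web-01", "Critical", date(2026, 3, 1), sla_days=7)
    f1.advance("In Remediation", date(2026, 3, 2))
    f1.advance("Patched", date(2026, 3, 3))
    retest(f1, rescan_detected=False, when=date(2026, 3, 4))
    f1.advance("Closed", date(2026, 3, 4))
    f2 = Finding("F-2", "app-02", "High", date(2026, 3, 1), sla_days=30)
    f2.advance("In Remediation", date(2026, 3, 5))
    f2.advance("Patched", date(2026, 3, 6))
    retest(f2, rescan_detected=True, when=date(2026, 3, 7))   # reboot never happened
    f3 = Finding("F-3", "plc-07", "Critical", date(2026, 3, 1), sla_days=7)
    f3.advance("Risk Accepted", date(2026, 3, 2), review_date=date(2026, 6, 1))
    f4 = Finding("F-4", "db-03", "Medium", date(2026, 2, 1), sla_days=30)  # overdue, untouched
    return [f1, f2, f3, f4]


if __name__ == "__main__":
    fs = build_sample()
    print("MTTR (days):", mean_time_to_remediate(fs))
    print("Patch compliance %:", round(patch_compliance_pct(fs, SAMPLE_TODAY), 1))
    print("Patched -> Closed rejected:", close_without_retest_is_rejected())
```

In the sample, F-2 is the case the validation bullets warn about: patch deployment was confirmed, but the rescan still detected the vulnerability, so the tracker sends it back to In Remediation instead of letting it be closed; F-4 is simply overdue and drags patch compliance down to two of three SLA-bound findings.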
Compliance-Driven Scanning Requirements
  • PCI DSS: Requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), quarterly internal scans, annual penetration testing, and rescanning after significant changes. Critical vulnerabilities must be remediated before passing the scan.
  • HIPAA: Requires periodic technical and non-technical evaluations of security posture, including vulnerability assessments. No specific scan frequency mandated — "reasonable and appropriate."
  • NIST SP 800-53: RA-5 requires vulnerability scanning at defined frequencies. FedRAMP (cloud) requires monthly OS/web app scans.
  • CIS Benchmarks: Configuration baseline standards for OS, cloud, applications. Baseline scanning compares system configurations against CIS benchmarks to find misconfigurations. Different from vulnerability scanning (finding missing patches) — this finds wrong settings.
  • ISO 27001: Requires documented vulnerability management process as part of Annex A controls (A.12.6 — management of technical vulnerabilities).
📌 PCI DSS quarterly external scans by an ASV are the most commonly tested compliance requirement. Know: external = ASV required; internal = can use internal scanner; rescanning after changes = mandatory.
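To make the distinction between baseline scanning and vulnerability scanning concrete, here is a minimal configuration baseline checker. It is an added example, not part of the FlashGenius page or of any CIS Benchmark: it parses an sshd_config-style file and compares each setting with an expected value, reporting wrong or absent settings rather than missing patches. The expected values in BASELINE are assumed CIS-style hardening choices used for illustration, and the configuration is a constructed sample.

```python
"""Configuration baseline check (wrong settings), as opposed to a patch-level check."""

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
MaxAuthTries 6
X11Forwarding no
"""

# Expected settings (assumed, CIS-style). ("max", n) means the numeric value must be <= n.
BASELINE = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "permituserenvironment": "no",
    "x11forwarding": "no",
    "maxauthtries": ("max", 4),
}


def parse_config(text):
    """Parse 'Keyword value' lines. Keys are case-insensitive and, as in OpenSSH,
    the first occurrence of a keyword wins; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key not in settings:
            settings[key] = value
    return settings


def evaluate(expected, actual):
    """PASS / FAIL / MISSING for one setting. An unset keyword means the daemon
    default applies, which the baseline does not take on trust."""
    if actual is None:
        return "MISSING"
    if isinstance(expected, tuple):
        try:
            return "PASS" if int(actual) <= expected[1] else "FAIL"
        except ValueError:
            return "FAIL"
    return "PASS" if actual.lower() == expected else "FAIL"


def baseline_check(settings, baseline=BASELINE):
    """Return one result per baseline item: (key, expected, actual, status)."""
    results = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        shown = f"<= {expected[1]}" if isinstance(expected, tuple) else expected
        results.append((key, shown, actual, evaluate(expected, actual)))
    return results


def summary(results):
    """Count passes; MISSING counts as a failure, as a baseline scanner would report it."""
    passed = sum(1 for r in results if r[3] == "PASS")
    return {"pass": passed, "fail": len(results) - passed}


if __name__ == "__main__":
    results = baseline_check(parse_config(SAMPLE_CONFIG))
    for key, expected, actual, status in results:
        print(f"{status:8} {key:24} expected {expected:6}  actual {actual}")
    print(summary(results))
```

Note what this check does not do: it never asks which OpenSSH version is installed or whether a patch is missing. A host can be fully patched and still fail every line of this baseline, which is why the two scan types are reported separately.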
Study Checklist
  • [Scan] Explain credentialed vs. non-credentialed scans and why credentialed finds more vulnerabilities
  • [Scan] Differentiate agent-based from agentless scanning — when would you use each?
  • [Scan] Explain why both internal and external scans are required and what each reveals
  • [Scan] List 4 scan planning considerations: operational impact, schedule, sensitivity, regulatory requirements
  • [CVSS] Name all 6 CVSS v3.1 Base metrics and their possible values
  • [CVSS] State the CVSS score ranges: None, Low, Medium, High, Critical
  • [CVSS] Explain what Temporal and Environmental CVSS scores add to the Base score
  • [EPSS] Define EPSS and explain how it differs from CVSS in vulnerability prioritization
  • [EPSS] Explain what the CISA KEV catalog is and how it should be used for prioritization
  • [Triage] List 5 contextual factors beyond CVSS score that affect remediation priority
  • [Remediate] Describe the 3 primary remediation types: patching, config changes, compensating controls
  • [Remediate] Explain when a risk exception/waiver is appropriate and what it must document
  • [Remediate] Name 5 inhibitors to remediation that organizations commonly cite
  • [Validate] Describe the retest and verification process after remediation
  • [Compliance] State PCI DSS vulnerability scanning requirements: quarterly external (ASV), quarterly internal, rescanning after changes
  • [Compliance] Explain what CIS Benchmark scanning checks for vs. what vulnerability scanning checks for
Reference Tables
Quick-reference data for exam preparation.

CVSS v3.1 Metrics Reference

Metric | Abbrev | Values (worst → best) | What It Measures
Attack Vector | AV | N (Network) → A (Adjacent) → L (Local) → P (Physical) | How the attack is delivered
Attack Complexity | AC | L (Low) → H (High) | Conditions required beyond attacker control
Privileges Required | PR | N (None) → L (Low) → H (High) | What access level attacker needs first
User Interaction | UI | N (None) → R (Required) | Whether a victim must take an action
Scope | S | C (Changed) → U (Unchanged) | Does impact extend beyond the vulnerable component?
Confidentiality | C | H (High) → L (Low) → N (None) | Impact on data confidentiality
Integrity | I | H (High) → L (Low) → N (None) | Impact on data integrity
Availability | A | H (High) → L (Low) → N (None) | Impact on system availability

Compliance Scanning Requirements

Framework | Scan Frequency | Scan Type Required | Key Requirement
PCI DSS | Quarterly + after significant changes | External: ASV only. Internal: any scanner | Must pass (no critical vulns) for compliance; rescanning after remediation required
HIPAA | Periodic (no set frequency) | Technical security evaluation | "Reasonable and appropriate" — document decisions
FedRAMP | Monthly OS scans; monthly web app scans | Automated scanning tools | Continuous monitoring required; results submitted to AO
NIST SP 800-53 (RA-5) | Defined by organization based on risk | Automated tools + credentialed | Analyze scan results, prioritize remediation, share results
ISO 27001 (A.12.6) | Timely — based on risk assessment | Technical vulnerability management process | Document process, track remediation, evaluate technical controls

Scanning Method Comparison

Method | Pros | Cons | Best For
Credentialed | Deep visibility, fewer false positives, detects misconfigs and missing patches | Requires valid credentials, more setup | Comprehensive enterprise assessments
Non-credentialed | No credential management needed, simulates attacker view | Misses internal vulns, more false positives | Quick external attack surface view
Agent-based | Continuous assessment, works offline/off-network | Software install required, agent maintenance | Laptops, remote workers, cloud workloads
Agentless | No software install, uses existing protocols (SSH/WMI) | Point-in-time only, needs network access + credentials | Servers with controlled access, network devices
Passive | No disruption, stealthy, discovers assets by traffic | Misses offline systems, less detail | OT/ICS environments, initial discovery
Practice Quiz
6 scenario-based questions aligned to CS0-004 exam style.
Question 1 of 6
A vulnerability scanner reports 150 findings on a web server. After investigation, a security analyst discovers that 40 of these findings are for a TLS vulnerability that the scanner reports because the server uses TLS 1.2, even though TLS 1.2 is configured securely and the version is not actually vulnerable in this configuration. What is this type of finding called?
Question 2 of 6
A security team is prioritizing vulnerability remediation. They have two vulnerabilities: CVE-A with CVSS 9.8 on a development server with no internet access, and CVE-B with CVSS 7.2 on an internet-facing customer authentication portal that has an active public exploit in Metasploit and is listed on the CISA KEV catalog. Which should be remediated first?
Question 3 of 6
An organization is subject to PCI DSS and needs to complete their quarterly external vulnerability scan. The security team wants to use their internal Nessus scanner to run the external scan. What is the problem with this approach?
Question 4 of 6
A vulnerability scan identifies a critical CVE on a legacy manufacturing control system. The vendor no longer supports the software and no patch is available. The system cannot be taken offline without halting production for weeks. What is the MOST appropriate remediation approach?
Question 5 of 6
A security analyst needs to scan 500 laptops that are frequently used by remote workers who may be off-network for days at a time. The analyst needs vulnerability data even when the laptops aren't connected to the corporate VPN. Which scanning approach best meets this requirement?
Question 6 of 6
After applying patches to 200 servers during a maintenance window, what is the NEXT required step in a formal vulnerability management process?

Study Plan
3-week focused plan for Vulnerability Management.

Week 1 — Scanning Methods & Tools (Days 1–7)

  • Set up Nessus Essentials (free) or OpenVAS and run both credentialed and non-credentialed scans on a home lab VM — compare the number of findings
  • Build a comparison chart: credentialed vs. non-credentialed, agent vs. agentless, active vs. passive, internal vs. external — fill in pros/cons from memory
  • Research PCI DSS scan requirements — find the list of ASV vendors on the PCI SSC website
  • Read a CIS Benchmark for Windows 10/11 — note the difference between configuration baseline checks and vulnerability checks

Week 2 — CVSS Scoring & Prioritization (Days 8–14)

  • Practice scoring 5 CVEs using the CVSS v3.1 calculator at first.org — understand how each metric changes the score
  • Look up the same CVEs on EPSS (epss.cyentia.com) — compare CVSS severity vs. EPSS exploitation probability
  • Review CISA KEV catalog (cisa.gov/known-exploited-vulnerabilities-catalog) — understand how it works
  • Write prioritization scenarios: same CVSS, different context — practice reasoning through which to fix first

Week 3 — Remediation, Validation & Practice Exams (Days 15–21)

  • Write a compensating control plan for an unpatched legacy system — include segmentation, monitoring, and exception documentation
  • Map the full vulnerability lifecycle: discovery → triage → remediation → validation → reporting for one practice CVE
  • Take one full practice exam focused on vulnerability management questions
  • Complete the checklist on this page — all 16 items should be checked before the real exam
Common Exam Mistakes
5 high-frequency mistakes on this domain.
1. Using CVSS Score Alone for Prioritization
Ignoring context, exploitation status, and asset criticality
What Goes Wrong: Candidates select the highest CVSS score as the top priority without considering whether an exploit exists, whether the asset is internet-facing, or whether compensating controls are already in place.
The Fix: CVSS is the starting point, not the final answer. Combine with: EPSS (exploitation probability), CISA KEV (actively exploited), asset criticality (is this system storing PCI or PHI data?), exposure (internet-facing vs. isolated), and compensating controls already in place.
Prevention habit: "High CVSS + isolated system = lower priority than medium CVSS + internet-facing + active exploit." Context always wins.
2. Forgetting PCI DSS Requires ASV for External Scans
Thinking any scanner satisfies the quarterly external PCI scan requirement
What Goes Wrong: Candidates answer PCI compliance questions saying the organization can use their internal Nessus scanner for quarterly external scans. PCI DSS explicitly requires an Approved Scanning Vendor (ASV) for external scans — internal tools don't count.
The Fix: PCI DSS: External quarterly scans = ASV required. Internal quarterly scans = internal scanner acceptable. Rescan after significant changes = required with same scanner type. ASV is a PCI SSC-certified third party. No ASV = PCI noncompliant.
Prevention habit: "PCI external = ASV. PCI internal = any scanner." Write it down.
3. Choosing Active Scanning for OT/ICS Environments
Recommending standard active scanning without considering OT disruption risk
What Goes Wrong: Standard active vulnerability scans can crash or disrupt OT devices (PLCs, RTUs) that weren't designed to handle unexpected network probes. Candidates recommend active scanning without noting this risk.
The Fix: For OT/ICS environments, prefer passive scanning (monitors existing traffic without sending probes) to avoid disruption. If active scanning is needed, use OT-specific scanners (Claroty, Dragos, Nozomi) designed for industrial protocols and test in a maintenance window. Never run standard IT vulnerability scanners directly against PLCs or RTUs.
Prevention habit: "OT + active scan = disruption risk." Always recommend passive scanning or OT-aware tools in industrial environments.
4. Closing Vulnerabilities Without Retest Validation
Marking vulnerabilities as closed based on patch deployment confirmation alone
What Goes Wrong: After patching, candidates assume the vulnerability is resolved and close the finding. But patches sometimes fail to apply correctly, require reboots that didn't happen, or don't address the actual vulnerable component. Without retest scanning, you don't know if it worked.
The Fix: The formal vulnerability management process requires retest scanning after remediation using the same scanner type. Only close the finding after the rescan confirms the vulnerability is no longer present. Patch deployment confirmation is a prerequisite for retesting, not a replacement for it.
Prevention habit: "Patch → Retest → Verify → Close." Never skip the retest step.
5. Confusing False Positives and False Negatives
Getting the definitions backwards under exam pressure
What Goes Wrong: Under time pressure, candidates reverse the definitions. False positive = waste analyst time. False negative = dangerous security gap. Mixing them up leads to wrong answers about scanner tuning and security risk.
The Fix: False Positive = scanner says VULNERABLE but system is actually FINE (scanner cried wolf). False Negative = scanner says FINE but system is actually VULNERABLE (the dangerous one). False negatives are worse from a security risk perspective. Credentialed scans reduce both by examining systems from the inside.
Prevention habit: "False positive = false alarm (annoying). False negative = missed threat (dangerous)."
Frequently Asked Questions
Top questions on the Vulnerability Management domain.
What is the difference between credentialed and non-credentialed scans?
A credentialed scan authenticates to the target with valid credentials (admin/root), inspecting installed software versions, patch levels, registry settings, and configuration files from the inside. It produces far more accurate, complete results with fewer false positives. A non-credentialed scan probes from the outside, detecting only what's network-exposed — open ports, service banners, and unauthenticated exploitable services. Credentialed scans typically find 3–5x more vulnerabilities than non-credentialed scans on the same target.
What is EPSS and how does it help with prioritization?
EPSS (Exploit Prediction Scoring System) is an ML model from FIRST that predicts the probability a CVE will be exploited in the wild within 30 days. It ranges from 0 to 1. CVSS measures intrinsic severity; EPSS measures real-world exploitation likelihood. Combining them: prioritize high-CVSS + high-EPSS first, especially if listed on the CISA KEV catalog. A 9.8 CVSS vulnerability with 0.002 EPSS is theoretically severe but rarely exploited; a 7.2 with 0.8 EPSS is actively being used in attacks.
When should you use compensating controls vs. patching?
Patching is always preferred when available and operationally feasible. Compensating controls are appropriate when: the vendor has not released a patch, the system is legacy/unsupported, the system cannot be rebooted or taken offline (OT/ICS, critical production), or the patch requires extended testing before production deployment. Compensating controls must reduce the risk to an acceptable level (network segmentation, WAF rules, additional authentication, enhanced monitoring) and should be documented in a formal risk exception with a target remediation date.
What are the PCI DSS vulnerability scanning requirements?
PCI DSS requires: (1) Quarterly external scans performed by an Approved Scanning Vendor (ASV) — internal scanners don't qualify; (2) Quarterly internal scans using any vulnerability scanner; (3) Rescanning after significant infrastructure changes; (4) The quarterly external scan must pass (no exploitable vulnerabilities in scope systems) for PCI compliance. The ASV requirement specifically applies to external scans — internal scans can use any scanning tool. Find the list of ASVs at the PCI SSC website.
How does CVSS Environmental scoring work?
The Environmental Score adjusts the CVSS Base Score based on the organization's specific context. It has two components: Modified Base Metrics (you can adjust AV, AC, PR, UI, S, C, I, A to reflect compensating controls in your environment — e.g., if a firewall blocks the attack vector, increase AC) and Impact Subscore Modifiers (weight the CIA metrics based on how important confidentiality, integrity, or availability are for the specific affected asset). A payment processing system would weight Confidentiality and Integrity very high; a public web cache might weight Availability higher.
What is the difference between vulnerability scanning and penetration testing?
Vulnerability scanning is automated and non-exploitative — it identifies and reports vulnerabilities without actually exploiting them. It's comprehensive in coverage but produces false positives and doesn't confirm exploitability. Penetration testing is manual, skill-dependent, and actually attempts to exploit vulnerabilities to confirm they work in context. Pen testing validates scanner findings, discovers chained vulnerabilities scanners miss, and demonstrates real business impact. PCI DSS requires both: quarterly scans plus annual penetration testing.
What does "inhibitors to remediation" mean on the CS0-004 exam?
Inhibitors to remediation are organizational factors that prevent or delay vulnerability fixes. CS0-004 explicitly tests these: (1) Technical debt — aging systems that can't be easily patched; (2) Resource constraints — insufficient staff or budget; (3) Business risk aversion — fear that patching will cause downtime or break applications; (4) SLA/availability requirements — 24/7 systems that can't have maintenance windows; (5) Third-party dependencies — waiting for a vendor to release a patch. When a question asks why remediation is delayed despite a known vulnerability, one of these inhibitors is the answer.


Exam launches June 23, 2026 · 85 questions · 165 minutes · 750/900 passing score