Free CompTIA PenTest+ PT0-002 Practice Question

As a penetration tester, you have uncovered several security flaws within your client's network infrastructure. In order to systematically convey the severity of each finding in your report, you must adhere to an industry-standard risk rating framework. Which of the following would best allow for a consistent and quantitative expression of vulnerability severity that can be understood by both technical and non-technical stakeholders?

  • Calculating severity based on the average cost of incidents associated with similar vulnerabilities in the past year

  • Relying on the Common Weakness Scoring System (CWSS) to measure the risk level of each weakness without factoring in environmental metrics

  • Employing the Common Vulnerability Scoring System (CVSS) to apply a numerical and qualitative severity level to each vulnerability

  • Developing an algorithmic risk matrix that combines asset value, threat capability, and vulnerability severity tailored to the client

This question's topic:
CompTIA PenTest+ PT0-002 / 
Reporting and Communication
Your Score:

Check or uncheck an objective to set which questions you will receive.