CompTIA PenTest+ Domain 3: Vulnerability Discovery and Analysis

An authenticated scan logs into each target to run local security checks, yielding more vulnerability detail and considerably more accurate findings than probing only from the network.

• ASupplying credentials makes the scan authenticated, not unauthenticated; the trap reframes a credentialed scan as a faster login-free probe, which contradicts the scenario.
• CPassive scanning watches traffic without interacting with hosts; the scenario actively logs into systems with credentials, so this misidentifies the technique entirely and its data source.
• DA compliance audit checks configuration baselines, but credentialed vulnerability scanning still enumerates vulnerabilities; the trap wrongly claims the scan ignores the very weaknesses it is collecting.

A remote scan without credentials behaves like a black-box attacker, using only information it collects from outside, so it cannot read local detail such as installed patch levels.

• BRegistry and local file access require a logged-in session; with credentials forbidden the scanner cannot authenticate, so claiming full local access reverses the stated constraint.
• CStatic analysis inspects source code offline; the scenario probes running hosts over the network, so this confuses a code-review technique with a network vulnerability scan.
• DAn installed agent collects data from inside the host, the opposite of an outside-only network probe; the trap swaps the external attacker viewpoint for a local agent.

SAST tools analyze source code or compiled code to find security flaws without running the application, exactly matching examination of code inside the build pipeline.

• ADAST exercises a running application from the outside, so it cannot satisfy a requirement to analyze code without executing it; this inverts the static-versus-dynamic distinction.
• BIAST instruments and observes the application while it runs, correlating runtime data; because it needs execution, it does not match a purely source-code, non-running review.
• DFuzzing sends malformed inputs to a live endpoint and watches behavior, which requires a running target; it is a dynamic technique, not a static source-code review.

DAST tools scan a running web application from the outside for issues like cross-site scripting and SQL injection, matching the deployed-and-probed scenario precisely.

• ASAST reads source code without running the app, so it cannot probe a deployed running site from the outside; the trap swaps the static method for the required dynamic one.
• BSCA inventories third-party components and their known CVEs from manifests; it does not actively probe a live application for injection or scripting flaws as requested.
• CSource code review inspects code rather than exercising the running deployment, so it cannot deliver the outside-in dynamic probing of the live web application described here.

On Windows, unprivileged or Guest accounts cannot read the registry and system folders, so the local security checks that report patch levels never execute and findings stay empty.

• BCVSS feeds affect how findings are scored, not whether local checks collect data; a stale scoring feed would not explain Guest-level access producing empty local results.
• CEmpty results from a Guest-level login point to failed local checks, not a clean host; assuming the target is patched ignores the access problem the logs reveal.
• DThis was a credentialed network scan, not DAST; invoking dynamic web testing misdirects from the real issue, which is insufficient account privilege for local Windows checks.

The scanner flagged a vulnerability that validation proved absent, which is precisely a false positive: an alert incorrectly indicating that a vulnerability is present on the target.

• AManual testing showed no injectable parameter, so the finding is not a confirmed vulnerability; rescoring a nonexistent issue compounds the error instead of correcting the misclassification.
• CA false negative is a missed real vulnerability; here the scanner over-reported a flaw that does not exist, so this names the wrong type of detection error.
• DA zero-day is a real, previously unknown flaw; validation found no vulnerability at all, so escalating an erroneous alert to a zero-day misrepresents the confirmed result.

A false negative occurs when a security tool intended to detect a threat fails to do so, exactly as the scanner missed the genuine authentication-bypass vulnerability.

• AA false positive is an alert for a vulnerability that is not really present; here a genuine flaw existed and went unreported, which is the reverse situation entirely.
• BBaseline deviation describes drift from a hardening standard; the scenario is about the scanner failing to detect a real vulnerability, which is a detection error, not baseline drift.
• DA true negative means correctly reporting that no vulnerability exists; because a real flaw was present and undetected, calling it a benign true negative hides a coverage gap.

Assessments are meant to identify, validate, and assess exploitable weaknesses, so manually validating each finding confirms it is real before it reaches the client report.

• ARepeating the same automated scan reproduces the same output, including any false positives, so it confirms repeatability rather than whether each finding is truly exploitable.
• BRaising concurrency only speeds the scan; it does nothing to prove a reported weakness actually exists, so it cannot substitute for confirming exploitability of findings.
• CSorting by CVSS arranges findings by severity but never tests whether they are real; an unvalidated critical-scored item can still be a false positive in the report.

Local security check plugins execute only when the scanner logs in successfully, so failed or wrong credentials yield network-only results, making credential authentication the first thing to verify.

• ARemote findings were returned, so the host was clearly reachable; pursuing basic connectivity ignores that the gap is specifically in the credentialed local checks, not reachability.
• CEnvironmental metrics influence severity scoring, not whether local checks gather data; adjusting them cannot restore missing authenticated findings caused by a failed login.
• DReport format affects presentation only; if the local checks never ran, no export option will add the missing data, so format is irrelevant to the root cause.

CVSS is widely used to prioritize remediation, and consumers are expected to combine it with factors outside CVSS such as asset criticality and business impact to rank threats.

• BAlphabetical ordering bears no relationship to severity or business risk, so it would waste scarce remediation time on potentially trivial items ahead of dangerous ones.
• CDiscovery time does not indicate risk; an older critical flaw can far outweigh a newly found low-severity one, so prioritizing by recency misallocates effort.
• DScanner output order reflects plugin sequencing, not severity or context, so following it blindly ignores both CVSS scoring and the business impact that should drive prioritization.

CVSS v3.1 consists of Base, Temporal, and Environmental groups, with Base representing the intrinsic qualities that are constant over time and across user environments.

• AExploitability and Impact are the two sets of metrics inside the Base group, not the top-level metric groups, so this mislabels Base sub-components as the whole structure.
• BThreat and Supplemental are CVSS v4.0 groups; v3.1 does not use them, and intrinsic constant characteristics belong to Base, so this blends versions incorrectly.
• Dv3.1 has three groups, not four, and Temporal captures characteristics that change over time, the opposite of intrinsic constant traits, so both halves are wrong.

Default installations ship examples, documentation, and test pages that should be removed before deployment to avoid post-install exploitation, so leftover files are a real misconfiguration to remediate.

• AThe sample and default files genuinely exist on the server and have a history of being exploitable, so labeling a confirmed exposure a false positive understates a legitimate weakness.
• CConfiguration and deployment weaknesses are squarely within vulnerability assessment; excluding them because they are not code defects wrongly narrows the engagement and ignores exploitable defaults.
• DAn environmental metric tunes a score to a specific environment; it is not a substitute for reporting the underlying misconfiguration, so this conflates scoring with the finding itself.

The Temporal metrics adjust the base severity based on factors that change over time, such as the availability of exploit code, exactly matching a newly public exploit.

• BBase metrics capture intrinsic characteristics that stay constant over time, so they are not the place to record a change like an exploit becoming publicly available afterward.
• CImpact is a set of metrics within the Base group describing consequences of exploitation, not a separate group that tracks time-varying factors such as exploit maturity.
• DExploitability is a Base sub-component reflecting how a flaw can be exploited, fixed at scoring time; it does not represent the over-time changes the Temporal group records.

Environmental metrics adjust severity to a specific computing environment, considering present mitigations and the relative importance of the asset, which is exactly the tailoring requested.

• ABase metrics are assumed constant across all deployed environments, so they are intentionally not the mechanism for reflecting one organization's specific controls or asset criticality.
• BTemporal metrics track factors that change over time such as exploit maturity; they do not represent characteristics unique to a particular consumer's environment or controls.
• CThreat is a CVSS v4.0 group about exploitation likelihood over time, not the v3.1 group used to tailor a score to a specific environment's mitigations and importance.

Network applies when the component is bound to the network stack and reachable up to the entire internet, the definition of the remotely exploitable, multi-hop flaw described.

• AAdjacent limits the attack to a logically adjacent topology such as the same subnet or Bluetooth range; an internet-wide, multi-hop exploit exceeds that proximity restriction.
• BPhysical requires the attacker to touch or manipulate the device directly; a remotely reachable web service exploited across the internet involves no physical contact at all.
• DLocal means the attacker works via local read/write/execute access or user interaction rather than the network stack, contradicting an attack launched remotely from across the internet.

CVSS v4.0 consists of four groups, Base, Threat, Environmental, and Supplemental, with the Threat group taking the role the Temporal group held in v3.1.

• Bv4.0 keeps Environmental and adds Supplemental; claiming Environmental was removed misstates the structure, since environmental tailoring remains a core part of the model.
• Cv4.0 does not retain a Temporal group; that group's time-varying role was renamed and reworked as Threat, so this overlooks the key naming and scope change.
• Dv4.0 still defines four distinct metric groups; flattening everything into Base ignores Threat, Environmental, and Supplemental, which each contribute different context to scoring.

Nikto is an open-source web server scanner that checks for thousands of potentially dangerous files, identifies outdated server versions, and detects common server misconfigurations.

• Asqlmap automates detecting and exploiting SQL injection and database takeover, a narrow injection focus, not broad web-server checks for dangerous files and outdated server software.
• BHydra is an online password brute-forcing tool for authentication services; it does not enumerate web-server files, server versions, or misconfigurations as the scenario requires.
• CWireshark captures and analyzes network traffic for inspection; it is not a web-server vulnerability scanner and cannot check for dangerous files or outdated server components.

sqlmap is an open-source penetration testing tool that automates detecting and exploiting SQL injection flaws and taking over database servers, exactly matching the requirement.

• ANikto scans web servers for dangerous files and misconfigurations; it is not built to automate SQL injection exploitation or to take over a backend database server.
• COpenVAS is a broad network vulnerability scanner running many tests; it is not the specialized engine for automating SQL injection exploitation and database takeover described here.
• DNessus is a general vulnerability scanner with a wide check library, but it is not purpose-built to automate SQL injection exploitation and seize control of the database.

OpenVAS by Greenbone is an open-source full-featured vulnerability scanner that runs a large feed of vulnerability tests against networked hosts and rates findings by severity.

• ABurp Suite is primarily a web application proxy and testing platform, not an open-source network vulnerability scanner driven by a broad feed of host vulnerability tests.
• BNikto targets web servers specifically for dangerous files and misconfigurations; it is not the general network vulnerability scanner running a large vulnerability-test feed described here.
• DJohn the Ripper is an offline password-cracking tool; it does not scan networked hosts with vulnerability tests or rate discovered vulnerabilities by severity as required.

Nessus is a widely deployed vulnerability scanner with one of the largest continuously updated libraries of vulnerability and configuration checks across operating systems, network devices, databases, and web servers.

• BNmap excels at host discovery and port/service enumeration, but it is a reconnaissance tool, not a full vulnerability scanner with a large library of vulnerability and configuration checks.
• CNikto focuses narrowly on web-server checks for dangerous files and misconfigurations; it does not provide a broad multi-platform library spanning operating systems, databases, and network devices.
• Dsqlmap is specialized for SQL injection detection and exploitation, so it lacks the wide library of cross-platform vulnerability and configuration checks the team is asking for.