Lesson 5 of 8

Vulnerability Analysis


What Vulnerability Analysis Is

Vulnerability analysis is the phase where you correlate the services and versions you discovered with known security weaknesses. It is the bridge between knowing what runs on a system and understanding what could go wrong. The goal is to build a prioritized list of real and relevant vulnerabilities, not an avalanche of noise.

This phase combines automated tools with human analysis. Scanners find candidates quickly, but the pentester validates each finding, discards false positives, and assesses the real impact in the client's context. Automation amplifies your reach, but professional judgment is what turns raw data into actionable findings.

A good vulnerability analysis distinguishes between the theoretically possible and the practically exploitable. A critical vulnerability behind several layers of mitigation may be less urgent than a medium one directly accessible from the internet.

Vulnerability Scanners

Vulnerability scanners automate detection by comparing systems against databases of known flaws. Nessus is one of the most widely used commercially: it offers deep scans, a broad plugin base, and detailed reports. OpenVAS (part of Greenbone) is its open-source alternative, very capable for network assessments.

For web applications and modern discovery, Nuclei has become enormously popular. It uses community-maintained YAML templates that describe how to detect specific vulnerabilities and misconfigurations. Its speed and the huge template library make it ideal for scanning many targets quickly and keeping up with recent flaws.

Each scanner has different strengths. Nessus and OpenVAS shine on network infrastructure; Nuclei stands out on web surface and targeted verification. Combining them gives broad coverage, always validating manually what they report.

Understanding CVEs

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to a publicly known vulnerability, with the format CVE-YEAR-NUMBER. The CVE system, maintained by MITRE, allows the entire industry to refer to the same flaw unambiguously. When a scanner reports a CVE, you can investigate exactly what it is, what it affects, and how to remediate it.

The NIST National Vulnerability Database (NVD) enriches each CVE with technical details, affected versions, references, and severity scores. Consulting the NVD or sources such as vendor advisories lets you understand the full context of a vulnerability before acting on it.

Not all CVEs are equal or equally relevant. Some require very specific conditions to be exploited; others are trivial and widely leveraged. Part of the analysis is reading the CVE description with judgment and understanding whether the exploitation conditions are met in the environment you are assessing.

False Positives and Validation

Automated scanners are prone to false positives: findings that the scanner marks as vulnerable but that actually are not, for example because the version was patched without changing the banner, or because a mitigation neutralizes the risk. Reporting false positives to the client damages your credibility and wastes their time.

That is why manual validation is indispensable. Before including a finding in the report, confirm that the vulnerability exists and is relevant in the real context. This may involve reviewing configurations, checking exact versions, or, when scope allows, a controlled proof of concept that demonstrates the problem without causing harm.

Validation also works in the other direction: scanners produce false negatives, missing real vulnerabilities. That is why human analysis always complements automation, looking for what the tools do not see, such as flawed business logic or chains of minor flaws that combined are critical.

Prioritization with CVSS

The CVSS (Common Vulnerability Scoring System) is the standard for scoring the severity of a vulnerability on a scale of 0 to 10. It is composed of base metrics (exploitability and impact), temporal metrics (exploit availability, patches), and environmental metrics (relevance to the specific environment). The score translates into categories: low, medium, high, and critical.

CVSS gives you an objective starting point for prioritizing, but it is not the final word. A high-CVSS vulnerability that is only accessible from an isolated internal network may be less urgent than a medium-severity one exposed directly to the internet. The business context and real exposure adjust the priority that the base score suggests.

The CVSS environmental metric exists precisely to incorporate that context. As a pentester, your value lies in translating generic scores into concrete priorities for the client, considering which assets are critical to their operation and which are truly exposed.

From Findings to Action

The product of this phase is a list of validated, prioritized, and documented vulnerabilities that feeds both the exploitation phase and the final report. Each entry should include the affected asset, the vulnerability, its severity, the evidence, and an impact hypothesis. This structure makes it easier to decide what to exploit and what to recommend remediating first.

Keep the analysis focused on what delivers real value. It is tempting to report every minor finding a scanner throws out, but a report saturated with low-priority noise dilutes the critical findings. Intelligent prioritization — supported by CVSS but guided by context — is what distinguishes a professional analysis from an automatic dump of results.