2,300 Findings by Monday.
The Qualys VMDR console refreshes at 06:14. Elena Ricci is the second person in the office. By the time the senior engineer arrives with his coffee, she has already sorted by severity and the Critical column is not a number she wants to read out loud.
Elena Ricci has been a vulnerability analyst at Northgate Bank for three years — long enough to know that Monday scan results are never good news, and short enough that she still reads every finding before triaging. The bank runs 6,000 hosts across two data centres, a hybrid Azure estate, and a network of 270 branch offices. Every month, the vulnerability management cycle runs the same arc: scan, triage, patch, verify, report.
The scan itself is a Qualys VMDR deployment: a credentialed, agent-based sweep across the internal estate, supplemented by agentless network scanning for legacy infrastructure where deploying a software agent is not possible. The distinction matters and the exam tests it. An agent-based scan runs persistent software on the target host: it scans from the inside and sees installed packages, patch levels, registry keys, and running services. An agentless scan connects over the network, authenticates with a service account, and queries the same data remotely. Both are forms of credentialed scanning. The alternative, an unauthenticated scan, does not log in. It probes from the outside, the way an external attacker would, and infers what is running from open ports, banners, and responses. It produces far fewer findings, because it cannot see inside, and the findings it does produce are less certain, because a banner can be patched behind or simply wrong. Northgate runs both: credentialed scans to capture the full internal picture, and monthly unauthenticated external scans from a Qualys cloud scanner positioned outside the perimeter, to see what the internet sees.
This month's credentialed sweep across the 6,000-host estate has produced 2,347 findings. That number is not the number Elena will bring to the CAB. It is the number she starts from.
She opens the Northgate CMDB in ServiceNow. Asset inventory is not glamorous work. But without it, every finding is equal, and that is the same as having no findings at all.
The CMDB — Configuration Management Database — is the foundation of everything that follows. It tells Elena which hosts are Tier 1 assets: the payment gateway cluster, the core banking system, the card processing microservices. A Critical finding on a Tier 1 host is not the same risk as an identical Critical finding on a decommissioned test server. Without the CMDB, there is no way to make that distinction. Asset inventory is not an IT administration task. It is a security function.
Each finding carries a CVE identifier (Common Vulnerabilities and Exposures), a standardised reference assigned through the CVE programme that MITRE runs and catalogued in the NIST National Vulnerability Database. Each catalogued CVE carries a CVSS base score: Common Vulnerability Scoring System, version 3.1, a zero-to-ten number derived from eight base metrics.
The CVSS score tells you how bad it could be. EPSS tells you how likely it is to be exploited this week. Use both. Neither alone is enough. — Story 19 · Vulnerability Management
The base score is composed of three metric groups. The Exploitability metrics — Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI) — describe how an attacker would reach and trigger the vulnerability. A finding with AV:N (network-reachable), AC:L (low complexity), PR:N (no privileges needed), and UI:N (no user interaction) is the worst-case attacker profile. The Scope metric (S) captures whether exploitation can affect resources beyond the vulnerable component itself. The Impact metrics — Confidentiality (C), Integrity (I), Availability (A) — score what happens to the system if exploitation succeeds. A finding that scores C:H, I:H, A:H has the potential to destroy confidentiality, integrity, and availability simultaneously. That is how you produce a 9.8.
CVSS v4.0 was ratified in 2023 and refines the model further, replacing the Scope metric with new Vulnerable System and Subsequent System impact groupings, and introducing a Supplemental metric group for contextual factors. For the SY0-701 exam, the expected framework is v3.1. Understand that v4.0 exists and improves on v3.1's handling of complex exploitation chains, but do not be surprised if exam questions still use v3.1 vector strings.
The severity bands Elena applies are fixed: Low is 0.1–3.9. Medium is 4.0–6.9. High is 7.0–8.9. Critical is 9.0–10.0. Of the 2,347 findings, 14 are Critical, 187 are High, and the rest are Medium and Low. Elena knows from experience that the 14 Criticals will consume the next three days and the 187 Highs will consume the rest of the month.
She exports the Critical findings to a Jira board: VM-CRIT-0024 through VM-CRIT-0037. Then she opens the EPSS feed alongside the CVE list.
The EPSS (Exploit Prediction Scoring System) is the second filter. Maintained by FIRST, it produces a daily probability score: given everything known about this CVE today (published exploit code, threat actor activity, honeypot hits), what is the probability it will be exploited in the wild in the next thirty days? CVSS is a static measure of potential impact. EPSS is a dynamic measure of active threat. A finding with a CVSS base score of 7.4 but an EPSS score of 0.94, a ninety-four percent probability of exploitation, should receive more immediate attention than a 9.1 CVSS with an EPSS of 0.003. One caveat: EPSS is a property of the CVE, not of the host. Every instance of the same CVE carries the same score, so it says nothing about which of Northgate's assets are exposed or what sits behind them. That is what the CMDB tier is for. Northgate's vulnerability policy mandates that any finding with EPSS above 0.70 is treated as a candidate for emergency change, regardless of CVSS band.
Four of the fourteen Criticals cross that threshold, and all four carry the same CVE: a remote code execution vulnerability in the OpenSSH version the bank runs, three of them on the internal jump-host cluster. CVSS 9.8. EPSS 0.88. The jump hosts sit in front of the payment gateway.
Elena opens a ServiceNow VR ticket, sets the classification to Emergency, and tags in the change manager, the platform team lead, and the CISO's office. She checks the patch release date against the Qualys first-seen timestamp. The vulnerability was published sixteen days ago. The patch has been available for fourteen.
Before recommending the patch, Elena validates each finding by hand. One of the four, VM-CRIT-0026, flags the same CVE on a second set of hosts. When she SSHs to one and checks the installed OpenSSH version, the patch is already applied: the Qualys signature has not been updated and is fingerprinting the patched binary as vulnerable. That is a false positive, a scanner reporting a vulnerability that does not exist. Version-based detections are prone to this, most often when a distribution backports a fix without changing the upstream version string, so the package changelog or the vendor advisory is a better reference than the version banner alone. False positives waste remediation effort and erode trust in the programme. She records the manual check, marks the finding as a false positive in Qualys, and raises a plugin feedback report. That leaves three.
The more dangerous counterpart is the false negative: a genuine vulnerability that the scanner missed. False negatives produce false confidence: the security team believes the environment is clean when it is not. Common causes include scan coverage gaps (hosts that were offline during the scan window), unauthenticated scans that cannot see inside, and plugin libraries that do not yet cover newly disclosed CVEs. Northgate narrows the last of these by running DAST tooling (Dynamic Application Security Testing) against the bank's internet-facing web applications on a separate schedule. DAST probes a running application for exploitable behaviour rather than matching CVE signatures: injection flaws, authentication bypass, insecure direct object references. It does not replace plugin coverage, but it can surface a flaw before a signature for it exists. Where the pipeline also runs SAST (Static Application Security Testing) on source code before deployment, findings can be caught before they ever reach production. DAST and SAST are complementary: SAST finds code-level vulnerabilities early; DAST finds runtime vulnerabilities that only manifest in a running system.
By Wednesday afternoon, the three emergency patches are tested in the non-production jump-host environment and verified clean. Platform engineering schedules the production deployment for Thursday night, outside the core banking window. Elena builds the CAB pack.
The patch management lifecycle is not install-and-done. The professional workflow is: identify the patch and the affected population; test in a staging environment that mirrors production; deploy in a maintenance window with rollback instructions documented; verify by rescanning the patched hosts and confirming the CVE no longer appears. Skipping the test step is how patches break live systems. Skipping the verify step is how patched hosts stay on the remediation report for six months.
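The verify step from the lifecycle above as code, added here as an example and not taken from Qualys or from Northgate's tooling: it compares a pre-patch and a post-patch findings export for the patched population and refuses to call a host clean when the rescan never reached it, which is the coverage-gap false negative described earlier. The two CSV exports, the host names and the CVE-EXAMPLE-001 identifier are constructed placeholders in the shape of a minimal scanner export (host, cve, status); real exports carry more columns but the logic is the same.

```python
"""Patch verification: compare pre-patch and post-patch findings for the
patched population, and refuse to close a ticket on hosts the rescan never
reached.

Added example for this article; not Qualys output or Northgate tooling.
The CSV exports, host names and CVE-EXAMPLE-001 are constructed placeholders
in the shape of a minimal scanner export (host, cve, status)."""
import csv
import io

CVE = "CVE-EXAMPLE-001"  # placeholder, not a real identifier
PATCHED_HOSTS = ["jump-01", "jump-02", "jump-03"]

# Constructed baseline export taken before the change window.
BEFORE_CSV = """host,cve,status
jump-01,CVE-EXAMPLE-001,Active
jump-02,CVE-EXAMPLE-001,Active
jump-02,CVE-EXAMPLE-002,Active
jump-03,CVE-EXAMPLE-001,Active
"""
# Constructed post-patch export: jump-01 is clean, jump-02 still reports the
# CVE (for example a patched package whose daemon was never restarted).
AFTER_CSV = """host,cve,status
jump-02,CVE-EXAMPLE-001,Active
jump-02,CVE-EXAMPLE-002,Active
"""
# Hosts the rescan actually reached. jump-03 was offline, so its absence
# from AFTER_CSV means "no data", not "fixed".
AFTER_SCANNED = {"jump-01", "jump-02"}


def active_findings(csv_text: str) -> set:
    """Set of (host, cve) pairs the export lists as Active."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(r["host"], r["cve"]) for r in reader if r["status"] == "Active"}


def verify_patch(before_csv, after_csv, scanned_hosts, patched_hosts, cve) -> dict:
    before = active_findings(before_csv)
    after = active_findings(after_csv)
    result = {"resolved": [], "still_present": [], "not_rescanned": [],
              "not_in_baseline": [], "outside_population": []}
    for host in patched_hosts:
        if (host, cve) not in before:
            result["not_in_baseline"].append(host)   # nothing to verify here
        elif host not in scanned_hosts:
            result["not_rescanned"].append(host)     # absence is not evidence
        elif (host, cve) in after:
            result["still_present"].append(host)     # patch did not take
        else:
            result["resolved"].append(host)
    # The CVE on a host outside the patched population means the affected
    # population was under-counted at the identify step.
    result["outside_population"] = sorted(
        h for h, c in after if c == cve and h not in patched_hosts)
    return result


def can_close(result: dict) -> bool:
    """Close only when every patched host was rescanned clean and the CVE
    is not reported anywhere else."""
    return not (result["still_present"] or result["not_rescanned"]
                or result["outside_population"])


if __name__ == "__main__":
    r = verify_patch(BEFORE_CSV, AFTER_CSV, AFTER_SCANNED, PATCHED_HOSTS, CVE)
    for k, v in r.items():
        print(f"{k:20s} {v}")
    print("close ticket:", can_close(r))
```

With the constructed data the ticket stays open: jump-02 still reports the CVE and jump-03 was never rescanned. The separate scanned-host set matters because a findings export only lists hosts that have findings, so a clean host and an unreachable host look identical in it.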
For VM-CRIT-0031, there is no patch. The finding is on a legacy ATM middleware component that the vendor stopped supporting in 2022. The recommended control cannot be applied. Elena raises a risk exception in ServiceNow VR. The exception documents: the CVE, the CVSS score, the reason the primary control cannot be applied, the compensating control that will be applied instead — in this case, strict network segmentation isolating the ATM subnet from the internal LAN, with east-west firewall rules permitting only the minimum required traffic — the named risk owner (the Head of Retail Technology), and a mandatory review date ninety days out. Risk acceptance is a formal decision, not an absence of one. Without a risk owner and a review date, it is not risk acceptance. It is neglect.
Thursday. CAB meeting. Elena presents. The change manager, Douglas, is forty-seven, has been on the board for eleven years, and has never approved an emergency change without a fight. He is looking at slide three.
"The CVSS is 9.8. That's just a potential score. How do we know this is actually being exploited right now?" Douglas asks.
Elena pulls up the EPSS dashboard. "Eighty-eight percent probability of active exploitation in the next thirty days. Our threat intelligence feed confirms two known APT groups have published working proof-of-concept code for this CVE in the past week. The jump hosts are directly upstream of PCI-DSS scope assets. Under PCI-DSS Requirement 6.3, critical patches must be applied within one month of release. We are at fourteen days. The test results are clean. Rollback takes eleven minutes." She puts the slide up. "I am recommending we approve this tonight."
Douglas looks at the rollback slide for a long moment. Then he signs the change record.
The patches deploy Thursday night at 23:40. By 01:15 Friday morning, Elena's verification scan shows the CVE cleared from all three findings on the production jump-host cluster. She closes VM-CRIT-0024, VM-CRIT-0025, and VM-CRIT-0033 in Jira. She updates the risk register. She logs off and goes home. The cycle starts again in four weeks.