When analyzing vulnerability scan results:

  • Determine an approach to categorizing client assets.
  • Categorize assets according to the approach you've chosen.
  • Identify the reasons why a scanner may produce false positives.
  • Conduct results validation by comparing results to what you know about the target environment.
  • Acknowledge that you may not be able to eliminate false positives entirely.
  • Rank vulnerabilities in terms of the potential threat they pose.
  • Consider using an established ranking system like the CVSS.
  • Determine vulnerability priorities to use your time and money as effectively as possible.
  • Use threat rankings to influence how you prioritize vulnerabilities.
  • Strike a balance between a vulnerability's impact and its ease of exploitation.
  • Consider mitigation costs as a factor in your vulnerability prioritization.
  • Identify common themes in your vulnerability results and target observations.
  • Apply patterns of behavior you have observed to future testing efforts.
  • Use common themes to develop a more complete picture of the target environment.
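As an added illustration that is not part of the original checklist, the Python sketch below applies the validation and ranking steps to constructed scanner output: findings are checked against a known asset inventory to flag likely false positives, and the rest are ranked by balancing CVSS impact and exploitability subscores against asset criticality and mitigation cost. The asset inventory, the weights and the cost scale are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed asset inventory from the categorization step (assumed values).
ASSETS = {
    "10.0.0.5": {"category": "dmz-web", "os": "Linux", "criticality": 3},
    "10.0.1.8": {"category": "internal-db", "os": "Linux", "criticality": 5},
    "10.0.2.2": {"category": "workstation", "os": "Windows", "criticality": 1},
}

@dataclass
class Finding:
    host: str
    plugin: str
    cvss: float             # CVSS v3 base score reported by the scanner
    exploitability: float   # CVSS exploitability subscore (0 to 3.9)
    impact: float           # CVSS impact subscore (0 to 6.0)
    affects_os: Optional[str]  # OS the check applies to; None if OS-independent
    mitigation_cost: int    # assumed scale: 1 (trivial patch) .. 5 (re-architecture)

def validate(finding: Finding) -> bool:
    """Results validation: a check that only applies to an OS the asset
    does not run is a likely false positive. Unknown hosts fail validation."""
    asset = ASSETS.get(finding.host)
    if asset is None:
        return False
    return finding.affects_os is None or finding.affects_os == asset["os"]

def priority(finding: Finding) -> float:
    """Balance impact (60%) and ease of exploitation (40%), weight by asset
    criticality, and discount by mitigation cost. Weights are assumptions."""
    asset = ASSETS[finding.host]
    balance = 0.6 * finding.impact / 6.0 + 0.4 * finding.exploitability / 3.9
    return round(finding.cvss * balance * asset["criticality"] / finding.mitigation_cost, 2)

def triage(findings: List[Finding]) -> Tuple[List[Tuple[str, str, float]], List[str]]:
    """Return (ranked (host, plugin, priority) tuples, suspected false positives)."""
    valid, suspect = [], []
    for f in findings:
        (valid if validate(f) else suspect).append(f)
    ranked = sorted(((f.host, f.plugin, priority(f)) for f in valid), key=lambda r: -r[2])
    return ranked, [f"{f.host}:{f.plugin}" for f in suspect]

FINDINGS = [  # constructed sample scanner output
    Finding("10.0.0.5", "outdated-tls", 7.5, 3.9, 3.6, None, 2),
    Finding("10.0.1.8", "db-auth-bypass", 9.8, 3.9, 5.9, "Linux", 3),
    Finding("10.0.2.2", "smb-signing-off", 5.3, 3.9, 1.4, "Windows", 1),
    Finding("10.0.0.5", "iis-legacy", 8.1, 2.2, 5.9, "Windows", 2),  # Windows check on a Linux host
]
```

The last finding is held back for manual review because the asset inventory says the host is not Windows, while the database finding outranks the higher-exploitability TLS finding because of asset criticality.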