A false positive can be issued if evidence shows the vulnerability does not exist, or is mitigated by a compensating control.


Multiple Choice


Explanation:
A false positive in vulnerability testing means the report shows a vulnerability that, when you review the evidence, doesn’t actually exist or isn’t exploitable due to compensating controls. If you have solid evidence that the vulnerability isn’t present or that a compensating control blocks exploitation, the finding should be treated as a false positive rather than a real weakness. This is why the statement is true: not every flagged issue represents a genuine risk; some are resolved by additional controls or verified as non-existent after deeper assessment. For example, a scan might flag a vulnerability that a parameterized query or a functioning WAF actually mitigates, making exploitation impractical.

