During a vulnerability scan, which activity is typically not performed?

• A. Automated vulnerability checks
• B. Active exploitation of vulnerabilities
• C. Credentialed checks
• D. Reporting discovered weaknesses

Answer: (B)

Vulnerability scanning is all about discovering weaknesses without taking control of systems. The goal is to identify what needs remediation, not to prove what an attacker could break into. That makes the step of actively exploiting vulnerabilities outside the typical scan process. Scanners perform automated vulnerability checks against known issues and, if allowed, credentialed checks using valid access to see deeper configuration problems. After scanning, a report is generated to guide remediation efforts.

Exploitation, on the other hand, is a later phase associated with penetration testing or controlled attack simulations. It involves attempting to exploit found weaknesses to verify impact, which carries higher risk and requires explicit authorization and safeguards. So, actively exploiting vulnerabilities is not part of a standard vulnerability scan; it belongs to a broader testing activity conducted separately.