
Vulnerability Scanning: The ABCs of True Positives, False Positives, True Negatives, and False Negatives in Cybersecurity

SSCP Cert Prep & Study Notes

Sourav Roy, MAS, BSC, CC



Four possible outcomes for any Vulnerability Report: 


  • True Positive: If a vulnerability scanner reports a finding and that vulnerability actually exists, that is a True Positive report. 

  • False Positive: If a vulnerability scanner reports a finding and that vulnerability does not exist, that is a False Positive report. 

  • True Negative: If a vulnerability scanner does not report a finding and that vulnerability also does not exist, that is a True Negative report. 

  • False Negative: If a vulnerability scanner does not report a finding but that vulnerability does exist, that is a False Negative report. 


Note: The easiest way I found to remember this is that whenever a vulnerability scanner reports a finding, it is a Positive report; whenever it does not report a finding, it is a Negative report. Whether the report is True or False then depends on whether the vulnerability actually exists: the report is True when the scanner's verdict matches reality and False when it does not. So a reported finding is a True Positive if the vulnerability exists and a False Positive if it does not; an unreported finding is a True Negative if the vulnerability does not exist and a False Negative if it does. False Negatives are the most dangerous of the four, because a real vulnerability stays unpatched while the scan output looks clean; False Positives cost analyst time and erode trust in the scanner, which is why findings should be verified before they are counted.
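The following Python block is an added example, not code from the original post. It encodes the mnemonic above (reported means Positive, agreement with reality means True) as a small classifier, then runs it over a constructed set of scanner findings and verified vulnerabilities to count the four outcomes and derive precision and recall. The host names and VULN-A..VULN-D labels are made-up placeholders, not real identifiers.

```python
# Added example (not from the original post): classify scanner output against
# verified ground truth into True/False Positive/Negative and derive metrics.
from itertools import product

OUTCOMES = ("true_positive", "false_positive", "true_negative", "false_negative")


def classify(reported: bool, exists: bool) -> str:
    """Apply the mnemonic: reported -> Positive, unreported -> Negative;
    the report is True when the scanner's verdict matches reality."""
    polarity = "positive" if reported else "negative"
    truth = "true" if reported == exists else "false"
    return f"{truth}_{polarity}"


def confusion_counts(candidates, scanner_findings, verified_vulns):
    """Count each outcome over every (host, vulnerability) pair the scan checked.
    A True Negative only makes sense relative to the set of checks performed,
    so the caller supplies that set explicitly."""
    counts = {outcome: 0 for outcome in OUTCOMES}
    for pair in candidates:
        counts[classify(pair in scanner_findings, pair in verified_vulns)] += 1
    return counts


def precision(counts):
    """Share of reported findings that were real: TP / (TP + FP)."""
    tp, fp = counts["true_positive"], counts["false_positive"]
    return tp / (tp + fp) if tp + fp else 0.0


def recall(counts):
    """Share of real vulnerabilities the scanner caught: TP / (TP + FN).
    Low recall means False Negatives, the silent failure mode."""
    tp, fn = counts["true_positive"], counts["false_negative"]
    return tp / (tp + fn) if tp + fn else 0.0


# Constructed sample data (hypothetical hosts and vulnerability labels).
HOSTS = ("web01", "web02", "db01")
VULNS = ("VULN-A", "VULN-B", "VULN-C", "VULN-D")
CANDIDATES = set(product(HOSTS, VULNS))          # every check the scan ran

SCANNER_FINDINGS = {                              # what the scanner reported
    ("web01", "VULN-A"), ("web01", "VULN-B"),
    ("web02", "VULN-A"), ("db01", "VULN-C"),
}
VERIFIED_VULNS = {                                # what manual verification confirmed
    ("web01", "VULN-A"), ("web02", "VULN-A"), ("db01", "VULN-C"),
    ("db01", "VULN-D"), ("web02", "VULN-C"),
}


if __name__ == "__main__":
    counts = confusion_counts(CANDIDATES, SCANNER_FINDINGS, VERIFIED_VULNS)
    for outcome in OUTCOMES:
        print(f"{outcome:15s} {counts[outcome]}")
    print(f"precision {precision(counts):.2f}  recall {recall(counts):.2f}")
```

With this sample the scanner reports four findings, three of which are real (one False Positive), and misses two real vulnerabilities (two False Negatives); the remaining six pairs are True Negatives. Precision is 0.75 and recall is 0.60, which illustrates why a scan that "looks clean" still needs verification against an independent source of truth.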



