In vulnerability assessment, if a second utility verifies results by exploiting the system and finds exploitable weaknesses the initial analysis said were not exploitable, what type of result is this called?

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

In vulnerability assessment, if a second utility verifies results by exploiting the system and finds exploitable weaknesses the initial analysis said were not exploitable, what type of result is this called?

Explanation:
When a real vulnerability exists but the initial assessment reports none, the result is a false negative. The first analysis missed a weakness that later verification through exploitation confirmed, so its negative result was incorrect. This contrasts with true positives (correctly identifying an actual vulnerability), true negatives (correctly identifying that no vulnerability exists), and false positives (reporting a vulnerability that isn’t actually exploitable). The scenario describes a missed detection that was later proven real, which is exactly a false negative.
