To decide what to address first, CySA+ expects a risk-based prioritization approach, combining factors like:
Patch availability / ability to remediate quickly
Exploitability / likelihood of exploitation
1) Server5 (Critical + Patch Yes) — prioritize immediately
Server5 sits in the database network, is marked Critical, and a patch is available. That combination makes it one of the highest priorities because you can rapidly reduce risk on an asset with the greatest business impact.
Secbay explicitly states that prioritization should align to asset criticality and business impact, and also notes that patch availability accelerates remediation. Exact extract (Secbay Press): “Prioritize vulnerabilities based on their severity, exploitability, and potential impact… Asset Criticality: Identify and prioritize vulnerabilities based on the criticality of the assets they affect…” and “Patch Availability… Action: Prioritize vulnerabilities for which patches are readily available, as prompt remediation is possible.”
The All-in-One guide emphasizes asset value/criticality as a major driver of how fast you remediate. Exact extract (All-in-One Exam Guide): “Asset value is likely one of the most important factors in determining how quickly you should remediate vulnerabilities…”
2) Server3 (Perimeter + High) — address immediately (mitigate now, patch later)
Server3 is in the perimeter network and rated High, making it more exposed to attack paths than internal-only systems. Even though no patch is available, the analyst must still “address” it first via mitigation/compensating controls (segmentation, firewalling, disabling vulnerable services, WAF where relevant, tighter ACLs, etc.) because perimeter exposure increases likelihood of exploitation.
The All-in-One guide makes the architecture/exposure point very directly. Exact extract (All-in-One Exam Guide – Exam Tip): “The architecture of your infrastructure should be a factor… Internet-facing hosts with sensitive information will likely be your highest priority, while isolated systems… may be able to wait a bit longer for remediation.”
Secbay’s prioritization guidance also highlights focusing on critical/high impact risks first and using risk-based prioritization.
Why not the others (briefly):
Server4 (Internal, High, Patch Yes): This is a strong candidate, but when choosing only two, a High-rated host exposed on the perimeter (Server3) plus a Critical database server with a patch available (Server5) generally outranks a High system that is internal-only.
Server2 (Perimeter, Low, Patch Yes): Exposed, but Low criticality.
Server1 / Server6 (Medium, No patch): Lower criticality and no patch—typically handled after higher-risk items, or mitigated as feasible.
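To make the risk-based ranking above concrete, here is a small scoring model that combines the same factors (severity, network exposure, patch availability) and reproduces the page's outcome: Server5 and Server3 come out first, with "patch now" versus "mitigate now" as the recommended action. This is an added example written for this page, not code from either study guide or from CompTIA. The numeric weights and multipliers are assumptions chosen for illustration, and the internal-zone placement of Server1 and Server6 is assumed because the scenario does not state it.

```python
from dataclasses import dataclass

# Ordinal weight for the vulnerability severity rating (assumed values).
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Exposure multiplier by network zone (assumed values): perimeter hosts are
# reachable from outside, the database zone holds the highest-impact data,
# and internal-only systems are the least exposed.
EXPOSURE_MULTIPLIER = {"perimeter": 1.5, "database": 1.3, "internal": 1.0}

# Extra weight when a vendor patch exists, because the risk can be removed
# quickly rather than only reduced with compensating controls (assumed value).
PATCH_BONUS = 1.0


@dataclass(frozen=True)
class Finding:
    host: str
    zone: str            # "perimeter", "database" or "internal"
    severity: str        # "Critical", "High", "Medium" or "Low"
    patch_available: bool


def risk_score(f: Finding) -> float:
    """Severity scaled by exposure, plus a bonus when remediation is quick."""
    base = SEVERITY_WEIGHT[f.severity] * EXPOSURE_MULTIPLIER[f.zone]
    return base + (PATCH_BONUS if f.patch_available else 0.0)


def recommended_action(f: Finding) -> str:
    """Patch when possible; otherwise reduce exposure now and patch later."""
    if f.patch_available:
        return "patch now"
    return "mitigate now (compensating controls), patch when released"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; host name breaks ties so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host))


def triage(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Ranked (host, score, action) rows, ready to hand to the remediation team."""
    return [(f.host, round(risk_score(f), 2), recommended_action(f))
            for f in prioritize(findings)]


# Constructed scenario matching the six servers discussed above.
# Server1 and Server6 are placed in the internal zone by assumption.
SCENARIO = [
    Finding("Server1", "internal", "Medium", False),
    Finding("Server2", "perimeter", "Low", True),
    Finding("Server3", "perimeter", "High", False),
    Finding("Server4", "internal", "High", True),
    Finding("Server5", "database", "Critical", True),
    Finding("Server6", "internal", "Medium", False),
]


if __name__ == "__main__":
    for host, score, action in triage(SCENARIO):
        print(f"{host:8} {score:5.2f}  {action}")
```

The multiplier for exposure is what lifts Server3 above Server4 despite the missing patch, matching the All-in-One guide's point that internet-facing hosts usually outrank isolated ones; change the weights and the ranking changes, which is exactly why an organisation should document and agree its scoring model rather than let each analyst choose ad hoc.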
References (CompTIA CySA+ CS0-003 documents / study guides used):
Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): infrastructure architecture affects remediation priority; internet-facing hosts are typically highest priority; asset value drives remediation urgency
Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): vulnerability prioritization factors include asset criticality and patch availability; prioritize items with readily available patches for prompt remediation