A security analyst performs a vulnerability scan on the corporate assets and finds the following...

The correct answer is A because CVSS severity alone is not enough to confirm remediation priority. The vulnerability manager needs to know the criticality of the affected hosts/assets. For example, a slightly lower CVSS vulnerability on a public-facing, business-critical system may require faster remediation than a higher CVSS vulnerability on a low-value internal system.

The CySA+ All-in-One guide states that remediation priority should consider exploitability, whether a vulnerability is weaponized, patch availability, and asset value and criticality. It also explains that analysts must consider business impact when deciding how to remediate vulnerabilities.

The Secbay CySA+ guide also explains that vulnerability prioritization should evaluate severity, exploitability, and the criticality of affected systems, including business operations, data sensitivity, and regulatory impact.

Why the other options are incorrect:

B is incorrect because SLA information determines remediation timelines after priority is established.

C is incorrect because KPIs measure performance, not asset priority.

D is incorrect because the scenario does not state these are zero-day vulnerabilities.