← back to blog
4 min read
  • #security-plus
  • #sy0-701
  • #study-notes

Threat, vulnerability, risk: get the vocabulary straight

Threat, vulnerability, and risk are three different words, and exam questions are written to catch people who blur them. A broken door lock sorts them out in about a minute.


I lost points on three practice questions in one night because I treated threat, vulnerability, and risk like synonyms. They are not synonyms. Security+ SY0-701 knows most people blur them, and plenty of questions are built to punish exactly that.

Here is the version that finally stuck for me, plus the traps I keep seeing in practice exams.

The door lock version

Say I run a shop with a back door, and the lock is broken.

  • The broken lock is the vulnerability. A weakness. It does nothing on its own. It just sits there being broken.
  • The burglar who might try that door is the threat. Threats act, or at least can act. Some have intent, like a thief or a disgruntled employee. Some do not, like a flood or a power outage. Either way, a threat is the thing that could come through the weakness.
  • The risk is the chance the burglar finds my door, multiplied by what it costs me if he does. Risk is not a thing you can point at. It is a calculation: likelihood times impact.

The line that made it click: you cannot patch a threat. Burglars exist whether or not my lock works. What I control is the vulnerability (fix the lock) and sometimes the impact (stop keeping cash in the back room). So when a question asks what you can remediate or mitigate, the answer is almost never the threat itself. You reduce risk by fixing vulnerabilities or shrinking impact. The threat stays out there either way.

One more word worth pinning down: an exploit is the crowbar. The vulnerability is the flaw, the exploit is the tool or technique that actually uses it. The exam loves swapping those two in answer choices.

The same three words on a small-business website

This is not just exam trivia. I build sites for local businesses, so here is the web version.

A salon website runs an old plugin with a known flaw. That flaw is the vulnerability. The bots that scan every site on the internet all day, every day, are the threat. They do not care that the salon is small. They hit my sites and yours equally.

The risk depends on what is behind the flaw. If the site is a brochure with no customer data, the impact is low, so the risk is low even though the vulnerability and the threat are both real. If the same site stores customer names and phone numbers for bookings, same vulnerability, same threat, very different risk. That is the whole point of the word: risk is where likelihood and impact meet.

How exam questions exploit the confusion

Three traps I keep running into:

  1. The label swap. "An unpatched server is exposed to the internet. Which of the following BEST describes the unpatched software?" The choices will include threat, vulnerability, risk, and exploit. The unpatched software is the vulnerability. Being internet-facing raises the risk. The threat is whoever shows up to scan it. Read the stem for the exact noun it is pointing at, not the scariest word in the scenario.

  2. Exploit vs vulnerability. If the question describes a flaw, that is the vulnerability. If it describes code or a technique that takes advantage of the flaw, that is the exploit. Flaw versus crowbar.

  3. The math giveaway. If a question hands you a probability or a dollar figure, it is a risk question, usually quantitative risk. SLE times ARO equals ALE: single loss expectancy times annual rate of occurrence equals annualized loss expectancy. You never compute a dollar value for a threat or a vulnerability. Only risk gets a number.

My quick sort when I am stuck:

  • Can I patch it or fix it? Vulnerability.
  • Does it act on its own, with intent or by accident? Threat.
  • Does it come with a likelihood or a price tag? Risk.

Where the analogy breaks

Fair warning: the door lock picture is cleaner than real life. A single server can carry hundreds of vulnerabilities, the threat landscape shifts monthly, and real-world risk numbers are estimates people argue about in meetings, not clean math. These definitions earn you exam points and a shared vocabulary. They do not make you a risk analyst.

Also, I am studying SY0-701 and eJPT right now, not certified yet. Treat this as notes from someone mid-grind who got burned by these exact questions, because that is what it is.

I drill this vocabulary the same place I drill everything else: my own app. Aldo's Toolkit is free on both stores, with SY0-701 and eJPT flashcards, quizzes, and one daily question that keeps a streak going. No ads, no tracking, and getting the daily question wrong stings just enough to make a definition finally stick.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.