CIS Vulnerability Response - ServiceNow Practice Test 2026
VR questions are usually about prioritization and workflow, not raw scanner jargon. This 213-question bank covers remediation, exceptions, groups, integrations, and response logic. The explanations help separate similar-looking answers.
What's included
- 213 questions on scanner intake, prioritization, remediation, and exceptions
- Every answer links to the ServiceNow doc page behind it
- Per-option reasoning shows why each distractor falls apart
- Built around Zurich-era behavior and the 2026 exam specs
- Yours for the long haul. Updates are included.
- Published by someone who passed all 18 ServiceNow exams on the first attempt
- Udemy backs it with a 30-day refund window
15 Free Preview Questions
- A - Reject the request immediately.
- B - Auto-approve the exception without human intervention.
- C - Escalate to the CISO.
- D - Create a Problem record.
Correct Answer
B - Auto-approve the exception without human intervention.
Source
ServiceNow Zurich Documentation - Exception Management
Expert Explanation
Vulnerability Response Exception Management allows organizations to define risk thresholds that determine the approval path. When a vulnerability item has a risk score below the configured threshold, the system can automatically approve the exception, bypassing the manual approval process. This reduces administrative overhead while maintaining governance for higher-risk items.
Why the Others Are Wrong
Option A (Reject immediately) goes against the purpose of exception management, which is to allow acceptable risk. Option C (Escalate to CISO) is the opposite of what you want for low-risk items. Option D (Create a Problem record) belongs to ITSM processes, not to the exception approval workflow.
Memory Tip
Think of it like a fast lane at airport security: low-risk travelers get through automatically, while higher-risk ones go through extra screening. Low risk score = auto-approved, no human needed.
Real-World Example
Your scanner flags a vulnerability on a test server that scores a 1.2 out of 100 on risk. Instead of bothering the security manager for approval, the system auto-approves the exception because 1.2 is well below the threshold of 25 you configured. The security team can focus on the items that truly matter.
- A - True
- B - False
Correct Answer
A - True
Source
ServiceNow Zurich Documentation - VR Properties
Expert Explanation
The sn_vul.itsm_popup system property is a boolean (True/False) setting that determines whether the platform shows a confirmation popup when a user creates a Problem or Change Request from a Vulnerability or Vulnerable Item record. This gives administrators control over the user experience during ITSM integration workflows.
Why the Others Are Wrong
Option B (False) is incorrect because the property description in the question is accurate. The sn_vul.itsm_popup property does indeed control popup behavior for Problem and Change record creation from VR records, exactly as described.
Memory Tip
Break the property name apart: sn_vul (Vulnerability Response) + itsm (IT Service Management) + popup (dialog box). The name itself tells you what it does: it controls the popup that bridges VR and ITSM.
Real-World Example
A vulnerability analyst clicks "Create Problem" on a critical vulnerability. If sn_vul.itsm_popup is True, a popup appears letting them confirm details before the Problem record is created. If False, the record is created directly without the extra confirmation step. Teams that want speed disable it; teams that want verification enable it.
- A - A Watch Topic
- B - A Remediation Effort
- C - A Remediation Task
- D - A Dashboard Tab
Correct Answer
B - A Remediation Effort
Source
ServiceNow Zurich Documentation - Remediation Efforts
Expert Explanation
In the Vulnerability Manager Workspace, a Remediation Effort acts as a campaign container. It groups related Remediation Tasks and Vulnerable Items under a single goal, such as "Q4 Clean-up." This makes it ideal for presenting a cohesive view of remediation progress to leadership or the Board of Directors.
Why the Others Are Wrong
Option A (Watch Topic) is for ongoing monitoring of vulnerability trends, not static board presentations. Option C (Remediation Task) is a single work item, not a campaign container. Option D (Dashboard Tab) is a UI element for displaying analytics, not a record object that groups vulnerabilities.
Memory Tip
Think "Effort = Campaign." A Remediation Effort is like a project folder: it holds all the tasks and items for one specific initiative, making it presentation-ready for executives.
Real-World Example
Your CISO wants a summary of all vulnerabilities being addressed in Q4. You create a Remediation Effort called "Q4 Clean-up," assign the relevant Remediation Tasks and VIs to it, and then present the Effort dashboard to the Board showing progress, owners, and timelines all in one place.
- A - Mitre
- B - Microsoft Security Response Center
- C - Threat Intelligence
- D - Splunk
- E - NVD
Correct Answer
A - Mitre
Source
ServiceNow Zurich Documentation - CWE in Vulnerability Response
Expert Explanation
Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types maintained by MITRE Corporation. ServiceNow Vulnerability Response uses a scheduled job to download CWE data directly from MITRE. These weakness types help categorize vulnerabilities by their root cause, enabling better analysis and prioritization.
Why the Others Are Wrong
Option B (MSRC) is Microsoft-specific and publishes patches, not CWE definitions. Option C (Threat Intelligence) handles threat indicators like IOCs, not weakness classifications. Option D (Splunk) is a SIEM tool, not a weakness taxonomy source. Option E (NVD) provides CVE and CVSS data and references CWEs, but the CWE definitions themselves originate from MITRE.
Memory Tip
CWE and MITRE share the same origin story. MITRE created CWE, just like MITRE created CVE. If you see "CWE," think "MITRE" since they are the official maintainers.
Real-World Example
Your scheduled job runs overnight and pulls the latest CWE list from MITRE. The next morning, when a scanner imports a vulnerability with CWE-79 (Cross-Site Scripting), VR already has the CWE definition loaded so analysts can see the root weakness type without leaving ServiceNow.
- A - review_request
- B - notification_preview
- C - preview_exception
- D - block_request
- E - request_exception
Correct Answer
E - request_exception
Source
ServiceNow Zurich Documentation - Exception Management
Expert Explanation
In the Vulnerability Response exception process, the Request Exception button is a UI Action that opens a popup dialog. The underlying UI Page for this popup is called request_exception. This page presents the user with fields to fill in exception details such as justification, duration, and risk acceptance before submitting the request for approval.
Why the Others Are Wrong
Option A (review_request) implies a review stage, not the initial request. Option B (notification_preview) is for notification management, not exceptions. Option C (preview_exception) is a plausible distractor but not the actual page name. Option D (block_request) contradicts the purpose of requesting an exception.
Memory Tip
The UI Page name matches the button name exactly. "Request Exception" button opens "request_exception" page. ServiceNow often follows this convention where the UI Action name maps directly to the UI Page name in lowercase with underscores.
Real-World Example
An analyst finds a vulnerability on a legacy system that cannot be patched for another 90 days. They click "Request Exception," and the request_exception popup appears. They fill in the justification ("Legacy system - upgrade scheduled for Q2"), set the duration to 90 days, and submit. The request then routes to the appropriate approver based on risk score.
- A - sn_vul_discovered_item
- B - sn_sec_cmn_src_ci
- C - sn_vul_source_ci
- D - cmdb_ci_discovered
Correct Answer
B - sn_sec_cmn_src_ci
Source
ServiceNow Zurich Documentation - Discovered Items
Expert Explanation
The Discovered Items table in ServiceNow is sn_sec_cmn_src_ci. The "sec_cmn" in the name indicates it belongs to the Security Common module, meaning it is shared across multiple security applications. "src_ci" stands for Source CI, representing configuration items as they are reported by external vulnerability scanners before being matched or reconciled with actual CMDB records.
Why the Others Are Wrong
Option A (sn_vul_discovered_item) uses an intuitive naming pattern but is not the real table. Option C (sn_vul_source_ci) similarly sounds logical but does not exist. Option D (cmdb_ci_discovered) belongs to the CMDB ecosystem, not to the security scanner intake process.
Memory Tip
Break it down: sn_sec_cmn = ServiceNow Security Common, src_ci = Source CI. Discovered Items are "source CIs" from scanners that have not yet been matched to real CMDB CIs. The "cmn" (common) part reminds you this table serves all security apps, not just VR.
Real-World Example
Your Qualys scanner imports 5,000 hosts. Each host lands in sn_sec_cmn_src_ci as a Discovered Item with the scanner-reported IP, hostname, and OS. The CI Lookup Rules then try to match each Discovered Item to an existing CMDB CI. Unmatched items stay in this table until they are either matched or manually reviewed.
- A - It forces the rule to run against all historical Closed records.
- B - It recalculates the target date for active Vulnerable Items that match the rule's condition.
- C - It resets the SLAs for all items.
- D - It creates a new rule with the same criteria.
Correct Answer
B - It recalculates the target date for active Vulnerable Items that match the rule's condition.
Source
ServiceNow Zurich Documentation - Remediation Target Rules
Expert Explanation
Remediation Target Rules define the expected timeframe for remediating vulnerabilities based on conditions like severity or asset criticality. The Reapply button forces the rule to re-evaluate all currently active Vulnerable Items against its conditions and recalculate their target remediation dates. This is essential when rule parameters change and you want existing open items to reflect the updated targets.
Why the Others Are Wrong
Option A (run against Closed records) is wrong because Reapply only targets active items. Option C (reset SLAs) confuses remediation targets with the SLA framework, which is a separate mechanism. Option D (create a new rule) is wrong because Reapply acts on the existing rule, not creating a copy.
Memory Tip
Think of "Reapply" like updating a deadline policy at work. If your company changes the response time from 30 days to 14 days, you "reapply" the new policy to all open tickets. Closed tickets keep their old deadlines.
Real-World Example
Your security team decides critical vulnerabilities must now be remediated in 7 days instead of 14. You update the Remediation Target Rule and click Reapply. All active critical Vulnerable Items get their target dates recalculated to 7 days from their discovery date, while already-closed items remain unchanged.
- A - Risk Indicators
- B - Security Incidents
- C - Problem Records
- D - Change Requests
- E - Policy Exceptions
- F - Risk Events
Correct Answer
A - Risk Indicators and F - Risk Events
Source
ServiceNow Zurich Documentation - VR and GRC Integration
Expert Explanation
Vulnerability Response integrates with Governance, Risk, and Compliance through two primary objects: Risk Indicators and Risk Events. Risk Indicators allow GRC to monitor vulnerability metrics as ongoing risk signals, while Risk Events capture specific vulnerability occurrences that require risk assessment. Together, these bridge the gap between operational security (VR) and enterprise risk management (GRC).
Why the Others Are Wrong
Option B (Security Incidents) belongs to the SIR application, not GRC. Options C (Problem Records) and D (Change Requests) are ITSM integration points, not GRC. Option E (Policy Exceptions) is a GRC concept but not a standard VR integration point since VR has its own exception process.
Memory Tip
VR talks to GRC through "Risk" objects. Both correct answers contain the word "Risk" in them: Risk Indicators and Risk Events. If the answer has "Risk" in the name and it is a GRC object, it is likely correct.
Real-World Example
Your VR instance detects a spike in critical unpatched vulnerabilities across production servers. This triggers a Risk Event in GRC that flags the organization's IT risk register. At the same time, a Risk Indicator in GRC tracks the percentage of critical VIs past their remediation target, giving the risk committee a live metric to monitor during their quarterly review.
- A - A calculation of how much money a fix will cost.
- B - A container for managing multiple Remediation Tasks and VIs toward a specific goal or campaign.
- C - A rename of the "Change Request" table.
- D - A metric used by Performance Analytics.
Correct Answer
B - A container for managing multiple Remediation Tasks and VIs toward a specific goal or campaign.
Source
ServiceNow Zurich Documentation - Remediation Effort
Expert Explanation
A Remediation Effort in the Vulnerability Response Workspace is a campaign-level container. It groups related Remediation Tasks and Vulnerable Items under a unified goal, such as "Patch Log4j across all production systems" or "Q4 Compliance Cleanup." This gives vulnerability managers a way to track, prioritize, and report on coordinated remediation activities.
Why the Others Are Wrong
Option A (cost calculation) confuses the word "effort" with financial estimation. In VR, "effort" means a coordinated initiative. Option C (renamed Change Request) is incorrect because Remediation Efforts are a separate VR construct, not a rebrand of ITSM tables. Option D (PA metric) confuses the record type with analytics measurements.
Memory Tip
Think of a Remediation Effort like a "project" in project management. It is the umbrella that holds all the individual tasks and items for one remediation campaign. Effort = Campaign Container.
Real-World Example
When Log4Shell (CVE-2021-44228) hit, your team created a Remediation Effort called "Log4j Emergency Response." Under it, they grouped 47 Remediation Tasks across different teams and 312 Vulnerable Items. The CISO could open that single Effort and see the overall progress, who was behind, and which systems were still exposed.
- A - SNMP
- B - Service Graph
- C - SOAP
- D - Import Set
- E - Splunk
- F - REST
Correct Answer
B - Service Graph, D - Import Set, and F - REST
Source
ServiceNow Zurich Documentation - VR Integrations Overview
Expert Explanation
ServiceNow Vulnerability Response supports three primary methods for importing vulnerability and CI data. Service Graph Connectors provide a standardized, CMDB-aware integration framework. Import Sets allow bulk data loading through staging tables and Transform Maps. REST APIs enable real-time programmatic data exchange with external scanners and tools. Each method serves different use cases depending on the scanner, data volume, and integration requirements.
Why the Others Are Wrong
Option A (SNMP) is a network monitoring protocol, not a VR data import method. Option C (SOAP) is an older web service protocol that is not listed as a primary VR integration method. Option E (Splunk) is a product/platform, not an integration method or protocol.
Memory Tip
Remember "SIR" but rearranged: Service graph, Import set, REST. These are the three doors through which vulnerability data enters ServiceNow. Each one is a framework or API, not a specific vendor product.
Real-World Example
A large enterprise uses all three methods: Service Graph Connector for their Qualys scanner (out-of-box integration), Import Sets for a legacy in-house scanner that exports CSVs nightly, and REST API calls from their cloud security tool that sends findings in real-time as new cloud resources are scanned.
- A - Vulnerability severity or CVSS-related scoring
- B - Asset criticality or business impact of the CI
- C - The user's theme settings
- D - The number of update sets in the instance
Correct Answer
A - Vulnerability severity or CVSS-related scoring and B - Asset criticality or business impact of the CI
Source
ServiceNow Zurich Documentation - Risk Score Calculators
Expert Explanation
Risk Score Calculators in Vulnerability Response combine two key data points to produce a meaningful risk score. The first is the vulnerability's severity, typically derived from CVSS scores or similar rating systems. The second is the asset's criticality or business impact, which reflects how important the affected CI is to the organization. By combining "how bad is the vulnerability" with "how important is the asset," the calculator produces a prioritized risk score.
Why the Others Are Wrong
Option C (theme settings) is a UI cosmetic preference that has zero impact on security risk calculations. Option D (update sets) is a developer/admin concept related to instance configuration management, completely unrelated to vulnerability risk scoring.
Memory Tip
Risk = Threat x Impact. In VR terms, Threat = Vulnerability Severity (CVSS) and Impact = Asset Criticality. The two correct answers map directly to this classic risk formula.
Real-World Example
Two servers both have CVE-2024-1234 with a CVSS score of 9.8. Server A is a public-facing payment gateway (asset criticality: Critical). Server B is an internal test box (asset criticality: Low). The Risk Score Calculator gives Server A a score of 95 and Server B a score of 35, ensuring the payment gateway gets remediated first.
- A - A change request
- B - A software patch or configuration change (e.g., Microsoft KB)
- C - A security policy exception
- D - A firewall rule
Correct Answer
B - A software patch or configuration change (e.g., Microsoft KB)
Source
ServiceNow Zurich Documentation - Vulnerability Solution Management
Expert Explanation
Vulnerability Solution Management in ServiceNow correlates known solutions with open vulnerabilities. A "Solution" in this context is specifically a software patch, hotfix, or configuration change (like a Microsoft Knowledge Base article) that directly resolves the vulnerability. The system matches solutions to vulnerabilities so remediation teams know exactly which patch to apply without manual research.
Why the Others Are Wrong
Option A (Change Request) is a process record for tracking changes, not the solution itself. Option C (Policy Exception) accepts risk rather than fixing the vulnerability. Option D (Firewall Rule) is a compensating control that limits exposure but does not eliminate the root vulnerability.
Memory Tip
A Solution in VR is the actual "medicine" for the vulnerability. Just like a doctor prescribes a specific medication (patch) rather than a hospital form (Change Request) or a bandage (firewall rule), VR Solution Management identifies the specific fix needed.
Real-World Example
Your scanner identifies 200 servers vulnerable to CVE-2024-5678. Vulnerability Solution Management automatically correlates this CVE with Microsoft KB5034567. Now your patch management team can see exactly which KB article to deploy, and as servers get patched and rescanned, the Vulnerable Items close automatically.
- A - Update
- B - Re-parent
- C - Delete
- D - Insert
- E - Re-classify
Correct Answer
A - Update and D - Insert
Source
ServiceNow Zurich Documentation - Qualys Integration
Expert Explanation
The Qualys integration for Vulnerability Response can perform two actions on the Configuration Item table: Update and Insert. When scan results come in, the integration checks if a CI already exists for the scanned host. If it does, the CI record is updated with the latest data. If no matching CI is found, a new CI record is inserted. This ensures the CMDB stays current with the assets being scanned.
Why the Others Are Wrong
Option B (Re-parent) changes CI hierarchy relationships, which is outside the scope of scanner integration. Option C (Delete) would be destructive and is not a function of the Qualys integration. Option E (Re-classify) changes CI class types, which is a CMDB management function not triggered by scanner imports.
Memory Tip
Think CRUD: the Qualys integration only does the "C" (Create/Insert) and "U" (Update) parts. It never Deletes or does structural changes like re-parenting. Scanners add and refresh data; they do not remove or restructure it.
Real-World Example
A Qualys scan runs against your data center. It finds Server-A (which already exists in the CMDB) and updates its OS version. It also discovers Server-B (a new server the infrastructure team just deployed). The integration inserts Server-B as a new CI. Neither action deletes or reclassifies anything in the CMDB.
- A - Field
- B - Sum
- C - Operator
- D - Value
Correct Answer
A - Field, C - Operator, and D - Value
Source
ServiceNow Zurich Documentation - Filter Conditions
Expert Explanation
Every filter condition in ServiceNow is built from three components. The Field identifies which column or attribute to evaluate (e.g., "Priority"). The Operator defines the comparison type (e.g., "is," "contains," "greater than"). The Value specifies what to compare against (e.g., "Critical"). Together, they form a complete condition like "Priority is Critical."
Why the Others Are Wrong
Option B (Sum) is an aggregate function found in reports and Performance Analytics. It calculates totals across records and has nothing to do with building filter conditions. Filter conditions match records; they do not perform arithmetic.
Memory Tip
Think of a filter condition as a sentence: [Field] [Operator] [Value] = "Priority" "is" "Critical." It reads like natural language. If a word does not fit into that sentence structure, it is not a filter component.
Real-World Example
You want to find all critical, open Vulnerable Items. Your filter condition reads: Field = "State," Operator = "is," Value = "Open" AND Field = "Risk Score," Operator = "greater than," Value = "75." Each condition follows the same three-part structure.
- A - Configuration Compliance
- B - Trusted Security Circles
- C - Threat Intelligence
- D - Security Incident Response
Correct Answer
A - Configuration Compliance
Source
ServiceNow Zurich Documentation - Configuration Compliance
Expert Explanation
Configuration Compliance is the ServiceNow Security Operations application designed to check whether CIs meet defined configuration standards. It works alongside Vulnerability Response to provide a complete security posture view. While VR identifies known vulnerabilities (missing patches, software flaws), Configuration Compliance checks for misconfigurations against benchmarks like CIS, DISA STIGs, or custom internal baselines.
Why the Others Are Wrong
Option B (Trusted Security Circles) enables inter-instance threat data sharing, not configuration checking. Option C (Threat Intelligence) processes threat indicators and IOCs, not configuration baselines. Option D (Security Incident Response) manages security incidents from detection to resolution, not configuration compliance scanning.
Memory Tip
VR asks "Are you vulnerable?" while Configuration Compliance asks "Are you configured correctly?" They are two sides of the same coin. If a question mentions CIS Benchmarks, DISA STIGs, or configuration standards, the answer is always Configuration Compliance.
Real-World Example
Your Qualys scan finds no known CVEs on a Linux server, so VR shows it clean. But Configuration Compliance checks the same server against CIS Benchmarks and discovers SSH root login is enabled, password complexity is weak, and unnecessary services are running. VR and Configuration Compliance together give the full picture of that server's security posture.
The full course keeps the same answer breakdown style across all 213 questions.
Your first exam attempt is free. Your second costs $350.