Which statement best describes why CVSS scores are useful in a penetration test report?

Study for the Penetration Testing and Vulnerability Analysis Exam. Prepare with flashcards and multiple choice questions, complete with hints and explanations. Ace your exam with our comprehensive resources!

Multiple Choice

Which statement best describes why CVSS scores are useful in a penetration test report?

Explanation:
CVSS scores provide a standardized numeric risk score that allows you to quickly compare and prioritize vulnerabilities across an environment. In a penetration test report, this numeric gauge helps stakeholders understand severity at a glance and allocate remediation efforts where they will reduce risk the most. The score comes from factors about how easy it is to exploit (exploitability) and what would be affected if exploited (impact), and it can be tailored to the organization’s context with an environmental aspect. This standardization makes risk communication consistent, aids objective decision-making, and helps you track remediation progress across multiple findings. It doesn’t replace qualitative context or detailed remediation planning, and it doesn’t measure remediation cost; it also isn’t about likelihood alone since impact is part of the calculation.

