What is the process of identifying and classifying vulnerabilities?

The process of identifying and classifying vulnerabilities is vulnerability assessment/analysis. This focuses on systematically discovering weaknesses in assets (systems, applications, configurations), verifying their presence, categorizing them by type (such as software flaws or misconfigurations), and assessing their potential impact to help prioritize remediation. It uses tools like vulnerability scanners, manual testing, and scoring schemes (for example, severity ratings) to organize and rank vulnerabilities for action. This differs from risk identification, which is broader and looks at potential threats, impacts, and other risk factors, not just weaknesses itself. It also isn’t about a threat event, which refers to an actual incident or the occurrence of one, nor about scheduling risk, which concerns project timelines and resources.