These three terms are the vocabulary of risk management, and the exam expects you to tell them apart precisely. A threat exploits a vulnerability, and the resulting exposure is risk.
Last updated June 2026
| Aspect | Vulnerability | Threat | Risk |
|---|---|---|---|
| Definition | A weakness that could be exploited | Something or someone that could exploit a weakness | The likelihood and impact of a threat exploiting a vulnerability |
| Nature | A condition (state of the asset) | An actor or event (the danger) | A calculation (likelihood times impact) |
| Example | Unpatched server, weak password | A hacker, malware, a flood, a careless user | The chance and cost of data loss if the flaw is exploited |
| Can you remove it? | Reduce it by patching and hardening | Usually cannot remove the threat itself | Manage it: avoid, transfer, mitigate, or accept |
| Question | What is weak? | What could go wrong? | How likely, and how bad? |
A threat is the danger, a vulnerability is the weakness it targets, and risk is the likelihood and impact if the two meet. Roughly, risk equals threat times vulnerability times impact. You cannot stop threats from existing, but you can reduce vulnerabilities and manage risk.
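As an added illustration (not part of the original page), the decomposition above can be put into a tiny risk-register calculation: the threat term, the vulnerability term and the impact are separate inputs, a patch changes only the vulnerability term, and the residual risk is compared against an appetite to pick a treatment. The factor scales, the sample figures and the treatment rule are assumptions for the example.

```python
from dataclasses import dataclass, replace

# Added example: risk = threat x vulnerability x impact, with each term kept
# separate so the effect of a control can be read off. Scales and the
# treatment rule below are assumptions, not a standard.

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str                # the danger: who or what could exploit the weakness
    vulnerability: str         # the weakness: a state of the asset
    threat_likelihood: float   # chance the threat acts against the asset this year, 0..1
    exploitability: float      # chance the weakness lets that action succeed, 0..1
    impact: float              # loss if it succeeds, in currency units

    def expected_loss(self) -> float:
        """Risk as likelihood times impact, with likelihood split into the
        threat term and the vulnerability term."""
        return self.threat_likelihood * self.exploitability * self.impact


def patched(r: Risk, residual_exploitability: float) -> Risk:
    """Model a vulnerability-reducing control (patching, hardening).
    The threat term is left untouched: the threat still exists."""
    return replace(r, vulnerability="patched: " + r.vulnerability,
                   exploitability=residual_exploitability)


def choose_treatment(before: Risk, after: Risk, control_cost: float,
                     appetite: float) -> str:
    """Assumed decision rule over the four options named on the page:
    accept if already within appetite; mitigate if the control pays for
    itself and brings risk within appetite; otherwise transfer or avoid."""
    loss_before, loss_after = before.expected_loss(), after.expected_loss()
    if loss_before <= appetite:
        return "accept"
    if control_cost <= loss_before - loss_after and loss_after <= appetite:
        return "mitigate"
    return "transfer or avoid"


# Constructed sample entry: an unpatched internet-facing server.
SERVER = Risk(asset="web server", threat="malware / external attacker",
              vulnerability="unpatched remote code execution flaw",
              threat_likelihood=0.8, exploitability=0.5, impact=200_000.0)
SERVER_PATCHED = patched(SERVER, residual_exploitability=0.05)

if __name__ == "__main__":
    print(f"before: {SERVER.expected_loss():,.0f}  after: {SERVER_PATCHED.expected_loss():,.0f}")
    print(choose_treatment(SERVER, SERVER_PATCHED, control_cost=5_000, appetite=10_000))
```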
Reading the difference is a start. SecPlus Mastery drills it with over 1,000 practice questions, timed mock exams, and spaced review across all five SY0-701 domains, so it sticks for exam day.
Written to the CompTIA Security+ SY0-701 objectives. CompTIA and Security+ are trademarks of CompTIA, used here for identification only.