Weakness Category Definitions

This page explains the four Category labels that the NodeZero Portal applies to weaknesses discovered in pentests, with details about the issues that trigger each category.

Security Misconfiguration

These are configuration choices that make a system easier to abuse, even if no specific CVE (Common Vulnerabilities and Exposures) ID is involved. They include lax or disabled security settings on the OS, applications, network gear, or security tools. Examples are:

  • EDR (Endpoint Detection and Response) not blocking what it should.
  • SMB (Server Message Block) signing disabled.
  • Overly permissive firewall rules.
  • Misconfigured Kubernetes Cluster.
  • Cloud services left overly exposed.

These are settings that technically “work,” but create exploitable behavior or unnecessary attack surface.

Security Controls

These are missing controls – situations where a control that should exist is instead absent, disabled, or no longer functioning – allowing attacks that a reasonable control would have stopped. Examples are:

  • Hosts or segments with no EDR deployed.
  • Lack of MFA (multi-factor authentication) on high-value accounts.
  • Lack of segmentation between sensitive zones.
  • Missing hardening/baseline controls.
  • Security tooling removed since the last test.

NodeZero often surfaces these when it’s able to perform post-exploitation techniques – like credential dumping or lateral movement – that a properly deployed control would have blocked.

(Weak) Credentials

These are credentials that are easily guessed, cracked, reused, exposed, or otherwise unsafe from an attacker’s perspective. Examples are:

  • Unmodified default passwords.
  • Simple/guessable passwords.
  • Cracked hashes.
  • Credential reuse across local and domain accounts.
  • Credentials harvested via poisoning LLMNR (Link-Local Multicast Name Resolution) or NBT-NS (NetBIOS Name Service).
  • Passwords failing AD (Active Directory) policy or AD Password Audit checks.

This category includes both external and internal identity issues where attackers can “log in instead of hack in.”

Vulnerability

These are software or platform flaws (typically CVEs) where the code itself is vulnerable, and where NodeZero can actually exploit them in your environment. Examples are:

  • OS or application CVEs.
  • CISA KEVs (Known Exploited Vulnerabilities).
  • Zero-day or N-day vulnerabilities that NodeZero is able to weaponize into real attack paths (via remote code execution, privilege escalation, etc.).

In the NodeZero UI, “Vulnerability” is distinct from the other categories. It identifies underlying code defects, which NodeZero cares about only when it can use them in a real attack chain. The distinction is between flaws that are exploitable and flaws that are merely “present.”

Categories to Impacts

All four buckets roll up under “weaknesses” in NodeZero, meaning actions an attacker can actually use to reach an objective or impact. They are scored and prioritized based on the downstream impacts they enable – such as domain compromise, data exposure, or ransomware – not just their label or a raw CVSS (Common Vulnerability Scoring System) score.