Trust Is Assumed. Assurance Is Earned.
Domain Intent
Domain 6 is not about tools.
It is about evidence.
Security architecture (Domain 3) designs controls.
Security operations (Domain 7) runs them.
Domain 6 proves they actually work.
Without assessment and testing, security becomes belief — not validation.
The Core Philosophy
If you do not test your defenses, attackers will.
Security controls fail for three reasons:
- They were poorly designed.
- They were poorly implemented.
- They drifted over time.
Domain 6 exists to detect all three — before adversaries do.
1.Testing Is a Governance Activity
Security testing must be:
- Risk-driven
- Independent where possible
- Properly authorized
- Documented and repeatable
- Linked to remediation tracking
Testing is not an annual ritual.
It is a continuous assurance cycle.
2. Understanding Assessment vs Audit vs Testing
Security Assessment
Broad evaluation of posture.
Flexible. Diagnostic. Advisory.
Security Audit
Formal, independent, compliance-focused.
Structured against a standard.
Vulnerability Assessment
Identifies weaknesses.
Does not exploit.
Penetration Testing
Simulates adversary behavior.
Attempts exploitation to validate impact.
Exam rule: Scanning ≠ Exploitation.
3.The Security Validation Lifecycle
Every mature program follows:
- Identify vulnerabilities
- Analyze risk context
- Remediate or mitigate
- Verify effectiveness
- Report and improve
This cycle never stops.
Security without re-testing is decay.
4.Vulnerability Management — Beyond Scanning
Automated scanning is table stakes.
Mature programs integrate:
- Credentialed scans
- Threat intelligence context
- Business impact prioritization
- Patch verification
CVSS Reality
Base score = technical severity
Environmental score = business relevance
The exam expects you to know: Technical severity is not business risk.
5.Penetration Testing — Simulated Adversary
Pen testing validates exploitability.
Phases:
- Authorization & scope definition
- Reconnaissance
- Enumeration
- Exploitation
- Post-exploitation
- Reporting
Critical Exam Rule:
Written authorization always comes first.
No exceptions.
6.Red Teaming — Strategic Simulation
Red teams simulate real-world adversaries:
- Multi-vector attacks
- Social engineering
- Physical intrusion
- Persistence techniques
Red teaming tests:
- Detection capability
- Response speed
- Cross-team coordination
It evaluates resilience — not just vulnerabilities.
7.Log Review & Continuous Monitoring
Testing is not only offensive.
It also includes validation of:
- Logging completeness
- Alert accuracy
- Correlation effectiveness
- Incident response readiness
SIEM aggregates and correlates.
Logs alone do not equal monitoring.
The exam favors: Continuous monitoring > annual review.
8.Software Security Testing
Testing must shift left into the SDLC.
Static Analysis (SAST)
Code-level flaws.
Dynamic Analysis (DAST)
Runtime vulnerabilities.
Interactive (IAST)
Hybrid validation.
Fuzzing
Discovers unknown vulnerabilities.
Finding flaws early reduces cost and risk.
Exam principle: Earlier detection is always better.
9.Security Control Testing
Controls must be evaluated across:
- Preventive
- Detective
- Corrective
- Compensating
Testing methods include:
- Interview
- Observe
- Examine
- Technically validate
The exam often tests: Which approach best verifies effectiveness?
10.Reporting & Risk Treatment
Findings must translate into:
- Executive summary
- Risk ratings
- Business impact
- Clear remediation path
Risk handling options:
- Remediate
- Mitigate
- Accept (management decision)
- Transfer
Security teams recommend.
Management decides.
Domain 6 Maturity Model
Level 1 — Reactive scanning
Level 2 — Scheduled assessments
Level 3 — Integrated vulnerability management
Level 4 — Continuous monitoring & pen testing
Level 5 — Metrics-driven adaptive validation
At higher maturity: Testing becomes intelligence.
High-Yield Exam Concepts
- Audit = formal & independent
- Assessment = broader
- Scan identifies, pen test exploits
- Authorization precedes testing
- CVSS base is environment-neutral
- Continuous monitoring is preferred
- Gray box simulates partial compromise
- Logs must be reviewed and acted upon
Common Exam Traps
- Exploiting during vulnerability assessment
- Testing without authorization
- Confusing compliance with assurance
- Ignoring business impact in prioritization
- Forgetting re-testing after remediation
Executive Lens
Domain 6 answers:
Are our controls working?
How do we know?
Can we prove it?
Security without testing is assumption.
Security with testing is assurance.
Final Domain Insight
Attackers continuously probe.
So must you.
Domain 6 transforms security from belief to evidence.
Assurance is not declared.
It is demonstrated.
