A penetration tester has found several vulnerabilities in a scan that appear inconsistent with prior tests. What should be done to validate the results?



Explanation:
Validating vulnerability findings requires manual verification to confirm whether the issue actually exists on the target and is exploitable. Automated scanners often produce false positives or miss context due to timing, network differences, authentication states, or specific configurations. By performing targeted, hands-on checks on the live system, you establish whether the vulnerability is real, understand its impact, and gather credible evidence (such as command outputs, banners, logs, and configuration details). This may involve rechecking service versions, patch levels, and settings, and conducting safe, controlled tests with alternate methods or tools to corroborate the finding. This careful verification reduces false positives and guides appropriate remediation.
