Vulnerability Analysis — Scanning and Assessment for Beginners
What Is Vulnerability Analysis and Why Does It Matter?
Vulnerability analysis is the systematic process of identifying, classifying and prioritising security weaknesses in systems, applications and networks. Known weaknesses are catalogued as CVE entries (run by MITRE), enriched in the NIST National Vulnerability Database (NVD), and rated with the Common Vulnerability Scoring System (CVSS) maintained by FIRST.org.
Vulnerability scanning is the automated heart of that process: probing systems, applications and networks for known weaknesses before attackers exploit them. It is one of the most practical, in-demand skills in cybersecurity, and it is where the technical phases of ethical hacking (footprinting and network scanning) turn into actionable security findings.
Think of it this way: footprinting tells you what exists, network scanning tells you what is running, and vulnerability analysis tells you what is broken or at risk. Every security team in every organisation needs people who can find, assess, and prioritise vulnerabilities. It is a skill that applies to SOC work, penetration testing, compliance auditing, and security engineering.
Understanding vulnerability analysis is essential because:
- It is the bridge between scanning and exploitation. In ethical hacking, you do not exploit blindly. You identify specific, known vulnerabilities and verify them.
- Vulnerability management is a daily security function. Most organisations run regular vulnerability scans and need analysts who can interpret the results and prioritise remediation.
- Certification exams cover it extensively. CompTIA Security+ (SY0-701), CEH, CySA+, and PenTest+ all include vulnerability assessment concepts, CVSS scoring, and scanning tool knowledge.
- Entry-level roles require it. SOC analysts, junior penetration testers, and security engineers all interact with vulnerability data from day one.
This page covers the vulnerability management lifecycle, the CVE and CVSS systems, scanning tools, and how to read and prioritise scan results — all explained for beginners.
The first time I ran a vulnerability scan in my home lab and saw the results, I was genuinely shocked. A single unpatched virtual machine had dozens of known vulnerabilities, some rated critical. The scanner did not just say “there are problems” — it told me exactly what was wrong, gave me CVE numbers to research, and even suggested fixes. That was the moment I understood why organisations spend millions on vulnerability management. The information is there if you know how to look for it, and the consequences of ignoring it are real.
Ethical and legal warning: Only run vulnerability scans against systems you own or have explicit written authorisation to test. Vulnerability scanning generates significant network traffic and may trigger alerts, disrupt services, or violate computer crime laws if conducted without permission. In your home lab, scan freely. On any other system, get written approval first.
What Do Real-World Vulnerability Attacks Look Like?
Exploitation of known, unpatched vulnerabilities is one of the most common ways attackers gain initial access. The CISA Known Exploited Vulnerabilities (KEV) Catalog tracks more than 1,100 vulnerabilities confirmed to be exploited in the wild, and organisations are expected to remediate those first.
Vulnerabilities are not theoretical. They are exploited in real attacks every day.
| Vulnerability | Real-world impact | How it was found |
|---|---|---|
| Log4Shell (CVE-2021-44228) | Critical RCE in Log4j — affected millions of Java applications worldwide | Reported by Alibaba Cloud security team; CVSS 10.0 |
| EternalBlue (CVE-2017-0144) | Windows SMBv1 vulnerability exploited by WannaCry ransomware in May 2017; >200,000 systems in 150 countries | Discovered by the NSA, leaked by the Shadow Brokers in April 2017; Microsoft had already patched it (MS17-010) in March 2017, two months before WannaCry |
| MOVEit Transfer (CVE-2023-34362) | SQL injection in a managed file transfer product; >2,500 organisations breached, 60+ million records exposed | Exploited as a zero-day by the Cl0p extortion group; mass exploitation was under way before a patch existed |
| Heartbleed (CVE-2014-0160) | OpenSSL buffer over-read leaked private keys, session cookies and other data from server memory | Independently discovered by Google and Codenomicon researchers |
| ProxyLogon (CVE-2021-26855) | Microsoft Exchange server compromise, used by nation-state actors for espionage | Reported by the DEVCORE research team; already being exploited in the wild when Microsoft released the patch |
These examples share a pattern: once a vulnerability is public, the window between patch availability and widespread exploitation is short, sometimes days (MOVEit, ProxyLogon) and sometimes weeks (WannaCry struck two months after the MS17-010 patch). Organisations that could not find and fix the affected systems inside that window were breached. That is exactly the problem vulnerability management solves.
What Are the Key Concepts Behind Vulnerability Analysis?
The CVE (Common Vulnerabilities and Exposures) system, run by MITRE, provides the global standard identifier for known vulnerabilities, while CVSS, published by FIRST.org, rates their severity on a 0.0 to 10.0 scale. CVSS v3.1 is still the version most scanners and NVD records use; v4.0 was released in late 2023 and is being adopted gradually.
Before diving into tools and processes, you need to understand the systems that classify and score vulnerabilities.
What Is a Vulnerability?
A vulnerability is a weakness in a system, application, or process that could be exploited to compromise security. Vulnerabilities come in several forms:
- Software bugs — coding errors that allow unintended behaviour (buffer overflows, SQL injection, cross-site scripting)
- Misconfigurations — default passwords, unnecessary services running, overly permissive access controls
- Missing patches — known vulnerabilities that have fixes available but not applied
- Weak credentials — easily guessable passwords, reused passwords, lack of multi-factor authentication
- Design flaws — architectural weaknesses that cannot be fixed with a simple patch (insecure protocols, lack of encryption)
The analogy: if your house has a broken lock on the back door, that is a vulnerability. The lock manufacturer may have issued a replacement (a patch), but until you install it, the weakness remains. Vulnerability analysis is the process of checking every lock, window, and entry point in your house — systematically, regularly, and thoroughly.
The CVE System
CVE (Common Vulnerabilities and Exposures) is the global standard for identifying and cataloguing known vulnerabilities. Each vulnerability gets a unique identifier in the format CVE-YEAR-NUMBER (for example, CVE-2021-44228 for Log4Shell).
The CVE system is run by MITRE Corporation and funded by the US Department of Homeland Security through CISA. When a new vulnerability is discovered, a CVE Numbering Authority (CNA, typically the affected vendor or a research organisation authorised by MITRE) assigns it a CVE ID, which becomes the universal reference that security tools, advisories, and databases all use to identify the same issue.
- CVE IDs provide a common language. When someone says “CVE-2021-44228,” every security professional knows exactly which vulnerability is being discussed.
- NVD (National Vulnerability Database), maintained by NIST, enriches CVE entries with CVSS scores, affected-product identifiers (CPE names), and references to vendor advisories and patches.
- Vendor advisories reference CVE IDs so you can match patches to specific vulnerabilities.
CVSS Scoring
CVSS (Common Vulnerability Scoring System) assigns a severity score from 0.0 to 10.0 to each vulnerability. It helps you prioritise which vulnerabilities to fix first.
| CVSS Score | Severity | Typical response |
|---|---|---|
| 9.0 - 10.0 | Critical | Patch immediately: typically reachable over the network without credentials, with full impact on the affected system |
| 7.0 - 8.9 | High | Patch within days — significant risk if exposed |
| 4.0 - 6.9 | Medium | Patch within weeks — moderate risk, schedule remediation |
| 0.1 - 3.9 | Low | Patch during normal maintenance cycles |
CVSS v3.1 scores are built from three metric groups:
- Base metrics: the intrinsic characteristics of the vulnerability (attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity and availability). This is the score NVD and scanners display.
- Temporal metrics: factors that change over time (exploit code maturity, remediation level, report confidence).
- Environmental metrics: factors specific to your organisation (how important the affected system is to your business, and which base metrics differ in your deployment).
CVSS v4.0 keeps the same idea but renames the Temporal group to Threat, replaces the Scope metric with separate vulnerable-system and subsequent-system impact metrics, and adds a Supplemental group. The published base score for most CVEs today is still a v3.1 score.
Certification note: CompTIA Security+ SY0-701 and CySA+ CS0-003 both test your understanding of CVE identifiers and CVSS scoring. You should be able to explain what a CVSS score means and how it influences remediation priority.
Step-by-Step: Vulnerability Management Lifecycle
Vulnerability analysis is not a one-time activity. It follows a continuous lifecycle that keeps your organisation’s security posture current.
1. Discover. Identify all assets in the environment: servers, workstations, network devices, applications, cloud resources. You cannot protect what you do not know about. This builds on the footprinting and scanning phases.
2. Assess. Run vulnerability scans against the discovered assets. Scanners compare running services and software versions against databases of known vulnerabilities (CVEs) and check for misconfigurations. Authenticated scans, which log in to each host, read installed package versions directly and are far more accurate than guessing a version from a network banner.
3. Prioritise. Not every vulnerability is equally urgent. Use CVSS scores, asset criticality, exploit availability, and business context to rank findings. A critical vulnerability on an internet-facing production server is more urgent than the same vulnerability on an internal development machine.
4. Remediate. Fix the vulnerabilities. This may involve applying patches, changing configurations, upgrading software, adding compensating controls, or accepting the risk (with documented justification). Remediation is often the hardest step because it requires coordination with system owners, change management processes, and testing.
5. Verify. Rescan after remediation to confirm the vulnerabilities are actually fixed. Patches that fail to install, configurations that revert, and incomplete fixes are common. Verification closes the loop.
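The prioritise step is the one a new analyst is most often asked to do by hand, so here is an added example (written for this page, not the page's own code or any vendor's) that encodes the rule of thumb above: CVSS sets the starting tier, then internet exposure, exploit availability and asset criticality move a finding up or down. The hostnames, context flags, CVSS values, tier rules and SLA days are all constructed for illustration; the CVE IDs from the table earlier on the page are used only as labels.

```python
"""Prioritising scanner findings with context the scanner does not have.

Added example for this page; not the page's or any vendor's code. Each finding
carries the CVSS base score plus four facts from outside the scanner: whether the
host is internet-facing, the asset's business criticality, whether the CVE is in
CISA's KEV catalogue, and whether a public exploit exists. All values below are
constructed; the CVE IDs are used only as labels.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    name: str                # CVE ID or scanner plugin title
    cvss: float              # CVSS base score as reported by the scanner (constructed here)
    internet_facing: bool    # from the network inventory, not the scan
    criticality: str         # "high", "medium" or "low", from the asset register
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalogue
    public_exploit: bool     # e.g. a hit in Exploit-DB via searchsploit


# Constructed remediation policy: days allowed per priority tier.
SLA_DAYS = {"P1": 2, "P2": 14, "P3": 30, "P4": 90}


def cvss_band(score: float) -> str:
    """Qualitative CVSS band, matching the table earlier on the page."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def priority(f: Finding) -> str:
    """Tier a finding. CVSS sets the starting point; exposure, exploit availability
    and asset criticality move it up or down. Same CVE, different host, different tier."""
    band = cvss_band(f.cvss)
    exploitable = f.in_kev or f.public_exploit
    if band == "Critical":
        # Reachable from the internet, or already being exploited and on a crown-jewel asset
        if f.internet_facing or (exploitable and f.criticality == "high"):
            return "P1"
        return "P2"
    if band == "High":
        if f.internet_facing and exploitable:
            return "P1"
        if f.internet_facing or exploitable:
            return "P2"
        return "P3"
    if band == "Medium":
        if f.internet_facing and exploitable:
            return "P2"
        if f.internet_facing or f.criticality == "high":
            return "P3"
    return "P4"


def risk_score(f: Finding) -> float:
    """Numeric tie-breaker for ordering within a tier (constructed weights)."""
    score = f.cvss
    score += 3.0 if f.in_kev else (1.5 if f.public_exploit else 0.0)
    score += 2.0 if f.internet_facing else 0.0
    score += {"high": 1.0, "medium": 0.5, "low": 0.0}[f.criticality]
    return round(score, 1)


def rank(findings: list) -> list:
    """Return (tier, risk_score, finding) triples, most urgent first."""
    rows = [(priority(f), risk_score(f), f) for f in findings]
    return sorted(rows, key=lambda row: (row[0], -row[1]))


# Constructed sample: the same CVE appears on an exposed production host and an internal dev VM.
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-2023-34362", 9.8, True, "high", True, True),
    Finding("dev-vm-07", "CVE-2023-34362", 9.8, False, "low", True, True),
    Finding("logging01", "CVE-2021-44228", 10.0, False, "high", True, True),
    Finding("fileshare02", "CVE-2017-0144", 8.1, False, "medium", True, True),
    Finding("app03", "CVE-2014-0160", 7.5, True, "medium", True, True),
    Finding("vpn01", "TLS 1.0 enabled", 5.3, True, "high", False, False),
    Finding("printer-3f", "Default SNMP community string", 4.3, False, "low", False, False),
]

if __name__ == "__main__":
    for tier, risk, f in rank(SAMPLE_FINDINGS):
        print(f"{tier}  fix within {SLA_DAYS[tier]:>2} days  risk {risk:4.1f}  {f.host:<12} {f.name}")
```

Note how dev-vm-07 drops to P2 although it carries exactly the same critical, KEV-listed CVE as web01: the scanner reports both identically, and only the asset context separates them. That context (exposure, criticality) has to come from your inventory, which is why the Discover step matters so much.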
Visual explanation (diagram not reproduced here): the vulnerability management lifecycle is a continuous cycle, discover, assess, prioritise, remediate, verify, and back to discover. Each phase feeds the next; it is never a one-time activity.
Vulnerability Assessment vs Penetration Testing
These two terms are often confused, but they serve different purposes. Understanding the distinction is important for interviews, certification exams, and knowing what role you are filling.
| | Vulnerability assessment | Penetration testing |
|---|---|---|
| Goal | Identifies weaknesses: finds and catalogues vulnerabilities across the environment | Exploits weaknesses: attempts to actually compromise systems to prove impact |
| Scope | Broad coverage: scans many systems to build a comprehensive picture | Targeted depth: focuses on specific systems or attack paths |
| Method | Automated tools (Nessus, OpenVAS, Qualys) scan and report at scale | Manual expertise: skilled testers make creative decisions automated tools cannot |
| Cadence | Ongoing: runs continuously or on a regular schedule | Point-in-time: conducted periodically, quarterly or annually |
What Does Vulnerability Scanning Look Like in Practice?
According to the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, vulnerability scanning should combine automated tools with manual verification to ensure comprehensive coverage and reduce false positives.
These tools and commands are what you will use in real vulnerability analysis work. Practise them in your home lab.
Nmap NSE Vulnerability Scripts
Nmap includes a powerful scripting engine (NSE) with scripts specifically designed for vulnerability detection. They live in the "vuln" category; note that some of them are intrusive (they send malformed or exploit-like traffic to confirm a finding), so read a script's description before running it against anything fragile.

```bash
# Run every script in the "vuln" category against a target
sudo nmap --script vuln 192.168.1.100

# Check for a specific vulnerability (here MS17-010, the SMB flaw behind EternalBlue)
sudo nmap --script smb-vuln-ms17-010 -p 445 192.168.1.100

# Run all SMB vulnerability checks
sudo nmap --script "smb-vuln-*" -p 445 192.168.1.100

# HTTP vulnerability checks on a web server
sudo nmap --script "http-vuln-*" -p 80,443 192.168.1.100

# SSL/TLS vulnerability checks
sudo nmap --script ssl-heartbleed,ssl-poodle -p 443 192.168.1.100

# Only scripts that are in BOTH the "safe" and "vuln" categories (excludes the intrusive ones)
sudo nmap --script "safe and vuln" 192.168.1.100
```
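Reading NSE output by eye works for one host; for a subnet you want the XML that the -oX flag writes and a script to pull out just the positive results. The parser below is an added example written for this page, not part of nmap. The XML it reads is a constructed sample in the shape the NSE vulns library emits (a table per vulnerability under each script element, with a "state" element); in real output a NOT VULNERABLE entry only appears when you pass --script-args vulns.showall, and the script output text has been replaced with a placeholder.

```python
"""Turning `nmap --script vuln -oX scan.xml` output into a list of findings.

Added example for this page; not nmap's own tooling. The XML below is constructed
in the shape the NSE "vulns" library writes: one <table> per vulnerability under
each <script>, with a "state" element whose values are VULNERABLE, LIKELY VULNERABLE,
VULNERABLE (DoS), VULNERABLE (Exploitable), NOT VULNERABLE or UNKNOWN. The script
"output" attributes are placeholders; real files carry the full text report there.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script vuln -oX scan.xml 192.168.1.100">
  <host>
    <status state="up"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/><service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="(text report omitted)">
          <table key="CVE-2017-0143">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
            <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/><service name="https"/>
        <script id="ssl-heartbleed" output="(text report omitted)">
          <table key="CVE-2014-0160">
            <elem key="title">The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.</elem>
            <elem key="state">NOT VULNERABLE</elem>
            <table key="ids"><elem>CVE:CVE-2014-0160</elem></table>
          </table>
        </script>
        <script id="ssl-poodle" output="(text report omitted)">
          <table key="CVE-2014-3566">
            <elem key="title">SSL POODLE information leak</elem>
            <elem key="state">LIKELY VULNERABLE</elem>
            <table key="ids"><elem>CVE:CVE-2014-3566</elem></table>
          </table>
        </script>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class VulnFinding:
    host: str
    port: Optional[int]   # None for host-level (hostscript) results
    script: str
    vuln_id: str          # the table key, usually a CVE ID
    state: str
    title: str
    cves: tuple


def is_vulnerable(state: str) -> bool:
    """True for every positive state. A plain substring test on "VULNERABLE" would
    wrongly match "NOT VULNERABLE", so anchor on the prefix instead."""
    return state.startswith("VULNERABLE") or state.startswith("LIKELY VULNERABLE")


def _findings_from_script(host, port, script, include_negative):
    out = []
    for table in script.findall("table"):
        state_el = table.find("elem[@key='state']")
        if state_el is None:   # not a vulns-library table; some scripts emit other tables
            continue
        state = (state_el.text or "").strip()
        if not include_negative and not is_vulnerable(state):
            continue
        title_el = table.find("elem[@key='title']")
        title = (title_el.text or "").strip() if title_el is not None else ""
        cves = tuple(e.text[4:] for e in table.findall("table[@key='ids']/elem")
                     if e.text and e.text.startswith("CVE:"))
        out.append(VulnFinding(host, port, script.get("id"), table.get("key"), state, title, cves))
    return out


def parse_nmap_vulns(xml_text: str, include_negative: bool = False) -> list:
    """Walk every host, port script and hostscript; keep positive states unless told otherwise."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ip = addr.get("addr") if addr is not None else "unknown"
        for port in host.findall("ports/port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                findings.extend(_findings_from_script(ip, portid, script, include_negative))
        for script in host.findall("hostscript/script"):
            findings.extend(_findings_from_script(ip, None, script, include_negative))
    return findings


if __name__ == "__main__":
    for f in parse_nmap_vulns(SAMPLE_XML):
        print(f"{f.host}:{f.port}  {f.script:<20} {f.state:<18} {', '.join(f.cves)}")
```

The prefix test in is_vulnerable is the detail worth remembering: a quick grep for VULNERABLE across a directory of scan files will happily count every NOT VULNERABLE line as a hit.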
Searching the CVE Database

```bash
# Look up a specific CVE through the NVD API 2.0 (unauthenticated callers are rate-limited;
# request a free API key from NVD for anything beyond occasional manual queries)
curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44228" | python3 -m json.tool | head -50

# Search for vulnerabilities in a specific product
# In a browser: https://nvd.nist.gov/vuln/search
# Or offline with searchsploit, the Exploit-DB command-line tool
searchsploit apache 2.4
searchsploit openssh 7.2

# Check whether a CVE has a public exploit in Exploit-DB
searchsploit --cve 2021-44228
```
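Piping the NVD response through json.tool shows you the structure, but in practice you want a few fields out of it: the CVSS version and score NVD considers primary, and whether the CVE is in CISA's KEV catalogue (NVD marks that with a cisaExploitAdd date and a cisaActionDue deadline). The code below is an added example written for this page, not NIST code. The embedded JSON is a constructed, trimmed sample in the shape the NVD API 2.0 returns: the CVE-2021-44228 entry mirrors NVD's public record, while the second entry uses an obviously fake placeholder ID and carries only a CVSS v2 metric so the fallback path is exercised. fetch_cve() performs the real network query and is not called by the offline demo.

```python
"""Reading an NVD API 2.0 response.

Added example for this page; not NIST code. SAMPLE_NVD_RESPONSE is a constructed,
trimmed sample in the shape the NVD API 2.0 returns. The CVE-2021-44228 record
mirrors NVD's public data; "CVE-EXAMPLE-0001" is a placeholder ID, not a real CVE.
"""
import json
import urllib.request
from typing import Optional

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

SAMPLE_NVD_RESPONSE = """
{
  "resultsPerPage": 2, "startIndex": 0, "totalResults": 2, "format": "NVD_CVE", "version": "2.0",
  "vulnerabilities": [
    {"cve": {
      "id": "CVE-2021-44228",
      "published": "2021-12-10T10:15:09.143",
      "vulnStatus": "Analyzed",
      "cisaExploitAdd": "2021-12-10",
      "cisaActionDue": "2021-12-24",
      "cisaVulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "descriptions": [{"lang": "en", "value": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (description trimmed for the example)."}],
      "metrics": {
        "cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                       "baseScore": 10.0, "baseSeverity": "CRITICAL"},
          "exploitabilityScore": 3.9, "impactScore": 6.0}],
        "cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary",
          "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "baseScore": 9.3},
          "baseSeverity": "HIGH"}]
      }
    }},
    {"cve": {
      "id": "CVE-EXAMPLE-0001",
      "vulnStatus": "Analyzed",
      "descriptions": [{"lang": "en", "value": "Placeholder entry with only a CVSS v2 score."}],
      "metrics": {"cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary",
          "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5},
          "baseSeverity": "HIGH"}]}
    }}
  ]
}
"""

# Metric keys in the order we trust them: v3.1 is what most tooling uses today
METRIC_KEYS = ("cvssMetricV31", "cvssMetricV40", "cvssMetricV30", "cvssMetricV2")


def best_cvss(metrics: dict) -> Optional[dict]:
    """Pick the most useful CVSS metric block from a CVE's "metrics" object."""
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        if not entries:
            continue
        # NVD's own analysis is type "Primary"; a CNA-supplied score is "Secondary"
        entry = next((e for e in entries if e.get("type") == "Primary"), entries[0])
        data = entry["cvssData"]
        return {
            "version": data["version"],
            "score": float(data["baseScore"]),
            "vector": data["vectorString"],
            # v3 and v4 carry baseSeverity inside cvssData; v2 carries it on the entry itself
            "severity": data.get("baseSeverity") or entry.get("baseSeverity"),
        }
    return None


def summarise(response: dict) -> list:
    """Flatten an NVD API 2.0 response into one dict per CVE."""
    rows = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        description = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        rows.append({
            "id": cve["id"],
            "status": cve.get("vulnStatus"),
            "cvss": best_cvss(cve.get("metrics", {})),
            "in_kev": "cisaExploitAdd" in cve,   # present only for KEV-listed CVEs
            "kev_due": cve.get("cisaActionDue"),
            "description": description[:120],
        })
    return rows


def fetch_cve(cve_id: str, api_key: Optional[str] = None) -> dict:
    """Live lookup (network access required; unauthenticated use is rate-limited)."""
    request = urllib.request.Request(f"{NVD_API}?cveId={cve_id}")
    if api_key:
        request.add_header("apiKey", api_key)
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for row in summarise(json.loads(SAMPLE_NVD_RESPONSE)):
        c = row["cvss"]
        print(f'{row["id"]:<16} CVSS {c["version"]} {c["score"]:>4} {c["severity"]:<8} KEV={row["in_kev"]} due={row["kev_due"]}')
```

Two things to take from this: prefer the Primary (NVD-assigned) metric over a Secondary one when both exist, and treat the presence of cisaExploitAdd as a stronger priority signal than the score itself, since it means the vulnerability is confirmed to be exploited in the wild.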
Nikto — Web Server Vulnerability Scanner

```bash
# Basic web server scan
nikto -h http://192.168.1.100

# Scan a specific port
nikto -h http://192.168.1.100 -p 8080

# Scan over HTTPS
nikto -h https://192.168.1.100

# Save output to a file (the report format is inferred from the extension; -Format htm forces it)
nikto -h http://192.168.1.100 -o results.html -Format htm
```
OpenVAS (GVM) — Full Vulnerability Scanner

```bash
# OpenVAS, now Greenbone Vulnerability Management (GVM), is a full vulnerability management platform
# Installation on Kali Linux:
sudo apt install gvm
sudo gvm-setup          # initial setup: creates the database and downloads the vulnerability feeds (slow)
sudo gvm-check-setup    # confirms the installation is complete and the feeds are present
sudo gvm-start          # start the services

# Access the web interface at https://127.0.0.1:9392
# Create a target, configure a scan, and review the results
```
Checking for Specific Vulnerabilities Manually

```bash
# Check whether a server still accepts TLS 1.0
openssl s_client -connect example.com:443 -tls1 </dev/null 2>/dev/null | grep -E 'Protocol|Cipher'
# If a TLSv1 protocol line and a cipher are printed, TLS 1.0 is enabled (a deprecated protocol that
# most standards now treat as a finding). A modern OpenSSL build may refuse to offer TLS 1.0 at all,
# in which case a failure proves nothing about the server; check the client first.

# Check for anonymous FTP
ftp 192.168.1.100
# Username: anonymous / Password: (blank or an email address)

# Check HTTP response headers for security misconfigurations
curl -I https://example.com
# Look for missing: X-Frame-Options, Content-Security-Policy,
# Strict-Transport-Security, X-Content-Type-Options
```
What Are the Limitations of Vulnerability Scanning?
NIST's NVD now records more than 25,000 new CVEs a year, yet an automated scanner can only detect what is in its plugin or signature database. False negatives, zero-day gaps and contextual blind spots are therefore inherent limitations of scanning, not defects of any particular product.
Vulnerability scanning is essential but not perfect. Understanding its limitations helps you work effectively.
| Factor | Limitation | How to handle it |
|---|---|---|
| False positives | Scanners report vulnerabilities that do not actually exist or are not exploitable in context | Verify critical findings manually before escalating; understand the difference between theoretical and exploitable |
| False negatives | Scanners miss vulnerabilities — especially logic flaws, zero-days, and complex misconfigurations | Combine automated scanning with manual review and penetration testing |
| Scan impact | Unauthenticated scans only see what is exposed on the network; authenticated scans need credentials on every host; aggressive checks can crash fragile services (printers, embedded and OT devices) | Schedule scans in maintenance windows; use a dedicated least-privilege scan account; exclude or scan gently the devices known to be fragile |
| Patch fatigue | Organisations receive hundreds of findings monthly; teams cannot fix everything at once | Prioritise ruthlessly using CVSS + asset criticality + exploit availability |
| CVSS limitations | CVSS base scores do not account for your specific environment or compensating controls | Use environmental CVSS metrics and business context to adjust priority |
| Scanner lag | New CVEs take time to appear in scanner databases; zero-days are not in databases at all | Subscribe to vendor advisories and CISA alerts for early warning |
The biggest failure mode in vulnerability management is not technical — it is organisational. Many organisations scan regularly but fail to remediate. A vulnerability scan that produces findings nobody acts on is security theatre. The value is in the remediation, not the report.
What Interview Questions Should You Expect About Vulnerability Analysis?
Vulnerability analysis is one of the most frequently tested topics in entry-level cybersecurity interviews because it is immediately applicable to SOC analyst, security engineer, and compliance roles, and it is a common focus of the CompTIA Security+ SY0-701 and CySA+ CS0-003 exam objectives.
Vulnerability analysis questions are standard in security interviews because the skill is immediately applicable to almost every security role.
Q1: What is the difference between a vulnerability assessment and a penetration test?
Strong answer: “A vulnerability assessment identifies and catalogues security weaknesses across the environment using automated scanning tools. It is broad in scope and runs regularly. A penetration test goes further by attempting to exploit those vulnerabilities to demonstrate real-world impact. It is more targeted, requires manual expertise, and is typically conducted periodically. Assessment tells you what is broken; pen testing proves what an attacker can do with it.”
Q2: How would you prioritise vulnerabilities from a scan that found 500 findings?
Strong answer: “I would start by filtering out informational findings and false positives. Then I would prioritise by CVSS score, focusing on critical and high findings first. But CVSS alone is not enough — I would also consider whether the vulnerable system is internet-facing or internal, how critical it is to the business, whether a public exploit exists, and whether compensating controls are in place. A critical vulnerability on an internet-facing production server with a public exploit gets immediate attention.”
Q3: What is a CVE and how is it used?
Strong answer: “CVE stands for Common Vulnerabilities and Exposures. It is a global identification system that assigns a unique ID to each known vulnerability, such as CVE-2021-44228 for Log4Shell. CVE IDs provide a common language so that security tools, advisories, and teams can all reference the same vulnerability unambiguously. The National Vulnerability Database enriches CVE entries with CVSS scores and remediation guidance.”
Q4: What would you do if a critical vulnerability is found but the system owner says they cannot patch right now?
Strong answer: “I would document the risk and work with them on compensating controls — network segmentation to limit exposure, firewall rules to restrict access, increased monitoring for exploitation attempts, or disabling the vulnerable feature if possible. I would also escalate the risk to management with a clear explanation of the potential impact. The goal is to reduce risk even when an immediate patch is not possible.”
How Is Vulnerability Analysis Used in Real Security Operations?
The ASD Essential Eight and CISA Binding Operational Directive 22-01 both impose deadlines for fixing known exploited vulnerabilities (BOD 22-01 binds US federal civilian agencies to the due dates in the KEV catalogue), making vulnerability management a daily operational requirement in government and enterprise security teams worldwide.
Vulnerability management is one of the most mature and structured processes in most security operations.
Day-One SOC and Security Tasks
As a new security analyst, vulnerability work is likely to be part of your responsibilities from the start:
- Reviewing scan results. Weekly or monthly vulnerability scans produce reports that need analyst review. You verify findings, remove false positives, and ensure critical items are tracked.
- Tracking remediation. Once vulnerabilities are assigned to system owners for patching, you track progress and follow up when deadlines are missed. Vulnerability metrics (time to remediate, open critical findings, scan coverage) are standard KPIs.
- Exception management. Not every vulnerability can be fixed immediately. You document risk acceptances, compensating controls, and remediation timelines for findings that cannot be patched right away.
Australian Context
The ASD Essential Eight includes two controls directly related to vulnerability management:
- Patch applications. For internet-facing services, apply patches within 48 hours when a working exploit exists or the vendor rates the vulnerability critical, and otherwise within two weeks. Commonly targeted desktop software (web browsers and their extensions, office productivity suites, email clients, PDF readers, security products) also carries a two-week deadline.
- Patch operating systems. The same 48-hour and two-week deadlines apply to the operating systems of internet-facing services; the operating systems of workstations, internal servers and internal network devices are to be patched within one month.
Australian government agencies are assessed against Essential Eight maturity levels, and vulnerability management is a core component. The ACSC publishes critical vulnerability alerts at cyber.gov.au, often within hours of disclosure, which Australian organisations are expected to act on promptly.
For career changers in Australia, demonstrating familiarity with Essential Eight patching requirements and the ability to use vulnerability scanning tools gives you a practical skill set that employers — particularly in government, healthcare, and managed security services — actively look for.
OWASP Top 10
For web application vulnerability analysis, the OWASP Top 10 is the industry standard reference. The 2021 edition lists:
- Broken Access Control
- Cryptographic Failures
- Injection (SQL injection, XSS, command injection)
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
Web application scanners like Nikto, OWASP ZAP, and Burp Suite test for these categories. Understanding the OWASP Top 10 is expected knowledge for any security role that involves web applications.
Summary and Key Takeaways
Vulnerability analysis is where cybersecurity moves from discovery to defence, finding the specific weaknesses that put organisations at risk and driving them toward resolution.
- Vulnerability analysis finds what is broken. It builds on footprinting (what exists) and scanning (what is running) to identify specific security weaknesses.
- The CVE system provides universal identification for known vulnerabilities. CVSS scores (0.0-10.0) help prioritise remediation.
- The lifecycle is continuous: discover, assess, prioritise, remediate, verify. Organisations that skip steps accumulate risk.
- Automated scanners are essential but imperfect. False positives need manual verification. False negatives mean scanners should be supplemented with manual testing.
- Prioritisation is critical. Not every vulnerability is equally urgent. CVSS score + asset criticality + exploit availability + business context determines what to fix first.
- Remediation is where the value lives. A scan report that nobody acts on is wasted effort. The goal is to reduce risk, not produce documentation.
- This phase feeds into penetration testing. Identified vulnerabilities become the targets for the pen testing phase.
Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.
Related
- Network Scanning for the phase that discovers what is running before vulnerability analysis
- Penetration Testing Basics for the next step — exploiting the vulnerabilities you find
- Threat Landscape for context on how vulnerabilities are exploited in real attacks
- Home Lab Setup to practise vulnerability scanning safely
Frequently Asked Questions
What is vulnerability scanning?
Vulnerability scanning is the automated process of probing systems, applications, and networks to identify known security weaknesses. Scanners compare running software and configurations against databases of known vulnerabilities and report findings with severity ratings and remediation guidance.
What is a CVE?
CVE stands for Common Vulnerabilities and Exposures. It is a globally recognised identification system that assigns a unique ID to each known vulnerability, such as CVE-2021-44228. CVE IDs provide a common reference so that all security tools, advisories, and professionals can identify the same vulnerability unambiguously.
What is a CVSS score?
CVSS is the Common Vulnerability Scoring System. It assigns a severity score from 0.0 to 10.0 to each vulnerability based on factors like attack vector, complexity, required privileges, and impact on confidentiality, integrity, and availability. Scores of 9.0 to 10.0 are critical, 7.0 to 8.9 are high, 4.0 to 6.9 are medium, and 0.1 to 3.9 are low.
What is the difference between a vulnerability assessment and a penetration test?
A vulnerability assessment identifies and catalogues security weaknesses across the environment using automated tools. A penetration test attempts to exploit those vulnerabilities to demonstrate real-world impact. Assessment is broad and ongoing; penetration testing is targeted and periodic. Both are needed for comprehensive security.
What tools are used for vulnerability scanning?
Common vulnerability scanning tools include Nessus and Qualys for enterprise scanning, OpenVAS for open-source scanning, Nmap NSE scripts for targeted vulnerability checks, Nikto for web server scanning, and OWASP ZAP for web application testing.
What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the most critical web application security risks published by the Open Worldwide Application Security Project. It includes categories like broken access control, injection, cryptographic failures, and security misconfiguration. It is the industry standard reference for web application security.
How often should vulnerability scans be run?
Most organisations run vulnerability scans at least monthly, with critical systems scanned weekly. Continuous scanning is becoming the norm for internet-facing assets. After any significant change — new system deployment, major patch, or architecture change — an additional scan should be run to verify the new state.
What is a false positive in vulnerability scanning?
A false positive is when a scanner reports a vulnerability that does not actually exist or is not exploitable in the specific context. Common causes include version detection errors, compensating controls the scanner cannot see, and misidentified services. Critical findings should always be verified manually before escalating.
What is the National Vulnerability Database?
The NVD is a US government repository maintained by NIST that enriches CVE entries with additional data including CVSS scores, affected-product lists, and references to vendor advisories and patches. It is the primary reference for vulnerability severity and impact information used by scanning tools and security teams worldwide.
Can I practise vulnerability scanning in a home lab?
Yes. Set up intentionally vulnerable virtual machines like Metasploitable 2, DVWA, or VulnHub images. Install OpenVAS or use Nmap NSE scripts to scan them. Platforms like TryHackMe and Hack The Box also provide legal targets. Practising vulnerability scanning and report interpretation is one of the most valuable home lab exercises for career changers.
More resources
- NIST National Vulnerability Database: the US government's comprehensive repository of vulnerability data, with CVSS scores and references to fixes.
- OWASP Top 10: the most critical web application security risks, and the industry standard reference for web vulnerability categories.
- CISA Known Exploited Vulnerabilities Catalog: CISA's authoritative list of vulnerabilities known to be actively exploited in the wild, the highest priority for remediation.
Technical content verified in March 2026 against NIST NVD, CVSS v3.1 specification, OWASP Top 10 (2021 edition), CompTIA Security+ SY0-701 exam objectives, and CEH v12 syllabus. Tool commands verified against current versions.