Priya is performing Verification because the team has already completed the remediation work (patches and fixes), and is now conducting follow-up scans and attack-surface review to confirm that the applied changes actually resolved the identified vulnerabilities. In a standard vulnerability-management lifecycle, remediation is the phase where vulnerabilities are addressed through actions such as patching, configuration hardening, compensating controls, or removing vulnerable services. Verification comes immediately after remediation to ensure fixes are effective, nothing was missed, and no new issues were introduced.
The scenario’s sequencing is the strongest clue: “already applied patches and fixes” means remediation is done; “run follow-up scans…to confirm” indicates validation of remediation outcomes; and “only after this step will she prepare a compliance report” reflects that organizations typically require evidence that remediation is effective before reporting status to leadership or auditors. Verification often includes rescanning the affected assets, checking configuration baselines, validating that vulnerable versions are no longer present, ensuring services are running as intended, and confirming that the original finding cannot be reproduced.
Why the other options do not match:
Remediation (D) would be the patching/fixing activity itself, which has already occurred.
Risk Assessment (C) is the prioritization and impact evaluation stage, typically performed before remediation to decide what to fix first and how urgently.
Monitoring (A) is ongoing observation and continuous assessment (tracking exposure, trends, new vulnerabilities), but Priya’s specific task is a post-fix confirmation step, which is verification.
Therefore, the correct phase is B. Verification.
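The verification step described above can be expressed as a comparison between the pre-remediation scan and the follow-up scan. The following is an added example, not part of the original explanation; the `Finding` type, the function names, and the sample findings are assumptions constructed for illustration. It treats a finding on an asset that was not rescanned as unverified rather than resolved.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Finding:
    asset: str    # host or service that was scanned
    vuln_id: str  # scanner's identifier for the issue (placeholder values below)

# Constructed sample data, not real scanner output.
BASELINE = {  # findings that triggered remediation
    Finding("web01", "VULN-0001"), Finding("web01", "VULN-0002"),
    Finding("db01", "VULN-0003"), Finding("app01", "VULN-0004"),
}
RESCAN = {Finding("web01", "VULN-0002"), Finding("db01", "VULN-0005")}
RESCANNED_ASSETS = {"web01", "db01"}  # app01 was not reached by the follow-up scan

def verify(baseline, rescan, rescanned_assets):
    """Classify findings by comparing the baseline scan with the follow-up scan."""
    resolved, still_open, unverified = set(), set(), set()
    for f in baseline:
        if f.asset not in rescanned_assets:
            unverified.add(f)   # no rescan evidence: absence is not proof of a fix
        elif f in rescan:
            still_open.add(f)   # the fix was not effective
        else:
            resolved.add(f)     # original finding can no longer be reproduced
    introduced = rescan - baseline  # new issues that appeared after the changes
    return {
        "resolved": sorted(resolved),
        "still_open": sorted(still_open),
        "introduced": sorted(introduced),
        "unverified": sorted(unverified),
    }

def ready_for_report(result):
    """Reporting proceeds only when every fix is confirmed and nothing new appeared."""
    return not (result["still_open"] or result["introduced"] or result["unverified"])

if __name__ == "__main__":
    outcome = verify(BASELINE, RESCAN, RESCANNED_ASSETS)
    for status, findings in outcome.items():
        for f in findings:
            print(f"{status:11} {f.asset:6} {f.vuln_id}")
    print("ready for compliance report:", ready_for_report(outcome))
```
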