Multiple Choice

A false positive can be issued if evidence shows the vulnerability does not exist or is mitigated by a compensating control.

Explanation:
In ASV vulnerability scanning, a false positive is a finding the scanner reports that, once the evidence is reviewed, either does not exist on the target (for example, the scanner matched a version banner for software that has already been back-patched) or cannot be exploited because a compensating control blocks it. In either case the scan customer supplies the evidence and the ASV reviews it before the finding is treated as resolved; a finding is not dropped simply because the customer asserts it is wrong. This is why the statement is true: not every flagged issue represents a genuine risk, and some are resolved by additional controls or verified as non-existent after deeper assessment. For example, a scanner might flag a SQL injection candidate on a form whose handler uses parameterized queries, or an issue that a correctly configured WAF blocks; with evidence of the control, exploitation is impractical and the finding can be treated as mitigated rather than as an open weakness. Note that a claim based on a WAF needs evidence that the rule actually blocks the attack path, not merely that a WAF is deployed in front of the host.