Through scanning, enumeration, or manual analysis, you discover a potential weakness. Perhaps Nmap reveals that a server runs Apache Struts 2.5.16, and you know CVE-2018-11776 affects that version.