How it works...

These vulnerabilities can be identified based on their risk and then confirmed, which lets the analyst prioritize effort on the vulnerability they are trying to confirm. Identifying false positives takes effort, because you have to actually exploit the vulnerability and check whether exploitation is feasible. To do this, an analyst must decide how much effort they are willing to expend in order to fix the vulnerability. For example, if the vulnerability is that port 1406, with a SQL service running, is open to everyone in the network, it is up to the analyst to decide whether to just check for the open port or to try logging in to the SQL service using a default service account or a weak password.
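The lowest-effort level of confirmation described above, ordering findings by risk and checking whether the reported port actually answers, can be sketched as follows. This is an added example, not code from the book; the `Finding` record, the status labels, the sample findings and the second port (8081) are constructed for illustration.

```python
import socket
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    port: int
    title: str
    risk: str                    # "critical", "high", "medium" or "low"
    status: str = "unverified"   # labels below are assumptions of this example

RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def port_is_open(host, port, timeout=2.0):
    """Cheapest confirmation step: does a TCP connect to the port succeed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:              # refused, unreachable or timed out
        return False

def triage(findings, checker=port_is_open):
    """Verify findings highest risk first and return them in that order."""
    ordered = sorted(findings, key=lambda f: RISK_ORDER[f.risk])
    for f in ordered:
        if checker(f.host, f.port):
            # The port answers, so the finding stands at this depth of checking.
            f.status = "port-confirmed"
        else:
            # Nothing listening: likely a false positive, re-scan before closing.
            f.status = "false-positive-candidate"
    return ordered

if __name__ == "__main__":
    # Constructed sample findings, not output from a real scanner.
    sample = [
        Finding("127.0.0.1", 8081, "Outdated web server banner", "low"),
        Finding("127.0.0.1", 1406, "SQL service open to network", "high"),
    ]
    for f in triage(sample):
        print(f"{f.risk:8} {f.host}:{f.port:<5} {f.status:25} {f.title}")
```

A finding marked `port-confirmed` has only passed the first level of checking; whether to go further on an in-scope system remains the analyst's decision, as the text says.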
