Remediation

After receiving the penetration test report, there are several steps you can take, such as remediation, accepting the risk, or rejecting the findings.

Here’s a brief overview of actions you can take once the penetration test report is ready.

Analyze

When deciding to address a vulnerability, the first step is to allocate sufficient time to analyze and interpret the report. Your employees responsible for the penetration test should consider the following questions:

  • Does this vulnerability meet the risk threshold we’ve agreed upon internally?
  • What’s the actual (business) impact of a possible vulnerability exploitation, considering factors that may not be known to the penetration tester?
  • Who will be responsible for remediating each finding?

Remediate

Before taking any further actions, you should verify that the vulnerability is reproducible. This not only enhances your understanding of the issue but also helps identify the systems at risk and different intrusion techniques.

To initiate the remediation phase, you should first understand the scope of what needs to be fixed. While technical fixes may be necessary, there could also be underlying causes, such as:

  • Management practices that require improvements;
  • Alternative approaches;
  • Ineffective or overly permissive security policies;
  • Communication issues within or between departments.

Nevertheless, in most cases a technical fix must be implemented. We advise remediating the findings as soon as possible: the sooner you act, the more likely it is that the penetration tester is still intimately familiar with the vulnerability, and the shorter the window in which it could be exploited.

Retest

As part of our commitment to protecting your organization, we offer free retesting for up to a year after delivering the penetration test, allowing ample time to address vulnerabilities and strengthen your security posture. Remember to align remediation efforts with your internal policies, especially to meet compliance standards like SOC 2, PCI DSS, or ISO 27001.

Accepting the risk

Marking vulnerabilities as Accepted Risk on our platform is entirely at your discretion. We recognize that each client may have a higher or lower internal risk threshold for remediation, and we respect your decision if the analyzed impact is deemed too low to warrant action.

However, we advise against accepting vulnerabilities rated Medium or higher. These vulnerabilities pose a growing business risk: it is not a matter of if, but when, they will impact your organization. Therefore, ensure that you allocate sufficient time and effort to remediate them effectively.

Our recommendation is to always provide a clear reason for accepting a risk. This rationale will be included in the penetration test report, allowing you to offer additional context to internal and external stakeholders regarding the acceptability of the risk.