top of page


If you are working with a cybersecurity company or an internal IT team to perform penetration testing, you’ll need to know what to do after your pentest is complete. A penetration test focuses on identifying issues within your cybersecurity plan or your data system, and once those issues are identified, you’ll want a plan to fix any problems. This is known as remediation. Before you set up penetration testing, it’s vital to understand how remediation works and what kind of remediation services you will want for your organization. This guide features all kinds of FAQs about remediation for penetration testing, and what your organization needs to know before you get started.

What is penetration remediation testing?

Remediation testing is the process of retesting vulnerabilities that were identified during a penetration test. It is focused on ensuring that the issues that arose during your penetration test have been properly identified, fixed, and are no longer a threat

What are the goals for penetration remediation testing

The goal of penetration remediation testing is to ensure that the solutions that have been put in place to resolve identified issues have been implemented properly and vulnerabilities have been secured. It is a retest of any issues that arose during your penetration test to ensure the issues are no longer there

Why is remediation testing important?

Remediation testing provides organizations peace of mind that issues which have been identified are being resolved, securing against potential compromises of data. If you have put in a solution to fix an error, an additional test can quickly confirm that your solution works and that the vulnerabilities are gone.

Should all the vulnerabilities we find in a penetration test be remediated

Organizations should have criteria used to evaluate all vulnerabilities and determine whether it should be remediated. The criteria should evaluate the risk of each vulnerability based on the business impact and the exploitability. Any vulnerabilities deemed not risky enough to not require remediation should be monitored to ensure the risk level is not elevated due to changes over time.

Does scheduled patching count as remediation?

Patching is considered remediation if it resolves the vulnerability and can be an important part of your remediation plan.

How do I know when I am ready for a remediation testing?

Once you have patched, reconfigured, or otherwise secured the vulnerabilities and expect them to no longer be vulnerable, you can pursue remediation testing. You should be sure you are completely ready for remediation testing before beginning—if there are still vulnerabilities you will want to continue to remediate until they have all been taken care of.

How long do I have for remediation testing?

It will depend on the organization you choose for penetration testing. Many organizations, including Emagined Security, offer remediation at no charge within 30 days on the same network/application code base. The goal is to ensure your penetration test has brought you appropriate solutions that secure your organization.

Does remediation testing occur as we fix each individual vulnerability or once all findings have been resolved?

Once you have resolved all the findings your organization has deemed should be fixed you can provide a list of vulnerabilities to retest. An organization that requires singular remediation may be a cause for concern as a red flag.

What deliverables are provided post remediation testing to show which findings have been resolved?

When you do a penetration test with a reputable organization, remediation documentation will show what vulnerabilities have been taken care of. The penetration test report will be revised, and a “remediation” section will be added to any of the findings which were deemed ready for retesting. This new section will contain information about whether the vulnerability has been remediated—any vulnerabilities deemed as remediated will be marked as closed. This can give you great peace of mind about what areas of your organization are completely secure.

What if a penetration test finding doesn’t apply to my organization?

Each organization should evaluate all findings and determine whether it should be remediated. If a finding or vulnerability seems low-risk or unconcerning to your organization, you don’t need to worry about remediation.

bottom of page