If you are working with a cybersecurity company or an internal IT team to perform penetration testing, you’ll need to know what to do after your pentest is complete. A penetration test focuses on identifying issues within your cybersecurity plan or your data system, and once those issues are identified, you’ll want a plan to fix any problems. This is known as remediation. Before you set up penetration testing, it’s vital to understand how remediation works and what kind of remediation services you will want for your organization. This guide features all kinds of FAQs about remediation for penetration testing, and what your organization needs to know before you get started.

What is penetration remediation testing?

Remediation testing is the process of retesting vulnerabilities that were identified during a penetration test. It is focused on ensuring that the issues that arose during your penetration test have been properly identified and fixed, and are no longer a threat.

What are the goals for penetration remediation testing?

The goal of penetration remediation testing is to ensure that the solutions that have been put in place to resolve identified issues have been implemented properly and vulnerabilities have been secured. It is a retest of any issues that arose during your penetration test to ensure the issues are no longer there.

Why is remediation testing important?

Remediation testing provides organizations peace of mind that issues which have been identified are being resolved, securing against potential compromises of data. If you have put in a solution to fix an error, an additional test can quickly confirm that your solution works and that the vulnerabilities are gone.

Should all the vulnerabilities we find in a penetration test be remediated?

Organizations should have criteria used to evaluate all vulnerabilities and determine whether each one should be remediated. The criteria should evaluate the risk of each vulnerability based on the business impact and the exploitability. Any vulnerabilities deemed not risky enough to require remediation should be monitored to ensure the risk level is not elevated due to changes over time.