Is a Re-Test Included in my Penetration Test?

One of the key differences we’ve seen between penetration testing quotes is the inclusion of a re-test. A re-test of discovered findings is one of those things in the security consulting industry that seems to have become a topic of fierce debate, as many organizations are trying to leverage it as a differentiator. Getting discovered findings re-tested is absolutely a best practice, and we highly recommend it. We’ll quickly explain here what this activity usually consists of, what the benefits are, some of the challenges the inclusion of this activity can cause for budgetary purposes, and how we approach re-testing.

What is a Re-Test?

A re-test is generally defined as a follow-up assessment where all or a subset of the discovered vulnerabilities from a penetration test are checked to ensure they’ve really been remediated. Usually, this happens after a specified period of time following the original assessment (up to 60 – 90 days after the findings are delivered, typically). Sometimes it will be only Critical and High priority findings that are re-tested, but most of the time this is up to you.

Benefits of a Re-Test

This is a great activity that can provide many benefits to your organization, including:

  • Get vulnerabilities fixed quickly, since your team is under a pretty strict time limit.
  • Quickly show improvement, internally or to third-parties and regulatory agencies, and come away with a clean(er) report.
  • Reduce cost. It’s less expensive to re-test specific items following an assessment then perform another whole assessment further down the road.
  • Be sure you’ve really fixed the items you think you have, because the engineer who found the issue is verifying it.

Drawbacks

Re-tests are not a bad thing, but they can make comparing quotes from different penetration testing companies difficult. Oftentimes, this will come in the form of companies offering “free re-tests,” but nothing is free! It won’t be a separate line item on a proposal and the cost will be wrapped into the total price of the assessment. Similarly, since it’s wrapped into the total cost, it may be hard to understand how much the re-test is really setting you back compared to the core penetration testing activities. We’ve covered some of the challenges in comparing penetration testing quotes here.

Our Approach to Re-Tests

With all of this in mind, how do we handle re-tests? Well, as is our approach to many problems, it depends on what fits best for your organization. We don’t automatically include re-tests in any of our penetration testing quotes, but would be happy to upon request. We will generally make a recommendation based on your situation. If this is your first time performing any type of security testing or penetration testing, a full re-test would probably make sense as you’ll likely have good number of fixes to consider. When we bundle it in with your initial quote, it allows us to reduce the price by leveraging some of the scheduling and management efficiencies, and it will be capped at half the cost of the original assessment. If your organization has a more mature security program and this isn’t your first rodeo, we’ll often recommend to wait until after the assessment to decide on a re-test. By doing this, you can select exactly what issues you’re going to fix and we can determine how long it will take our engineers to validate the fixes. In this way you’ve got flexible pricing for validating a smaller number of vulnerabilities and we have flexibility in scheduling these efforts.