
Is a Penetration Test Retest Included in Your Quote?

When comparing penetration testing quotes, one of the most overlooked items is whether a penetration test retest is included. Retesting allows a security firm to validate that vulnerabilities discovered during the original penetration test have been properly remediated. Understanding how penetration testing retesting is priced and delivered can help organizations compare vendors more effectively. We’ll quickly explain here what this activity usually consists of, what the benefits are, and how we approach retesting.

What is a Retest?

A retest is generally defined as a follow-up to a full security assessment or penetration test where all, or a subset, of the discovered vulnerabilities are checked to ensure they’ve really been remediated. Usually, this happens after a specified period of time following the original assessment (up to 90 days after, typically). Sometimes teams only fix the Critical and High priority findings, but that is entirely up to the organization.

Benefits of a Penetration Test Retest

This is a great activity that can provide many benefits to your organization, including:

  • Get vulnerabilities fixed quickly, since your team is under a pretty strict time limit.
  • Quickly show improvement, internally or to third-parties and regulatory agencies, and come away with a clean(er) report.
  • Reduce cost. It’s less expensive (and in our case free!) to re-test specific items following an assessment than to perform another whole assessment.
  • Be sure you’ve really fixed the items you think you have, because the security engineer who discovered the issue is the one verifying the fix.

How Does a Penetration Test Retest Affect Pricing?

Retests can make comparing quotes from different penetration testing companies difficult. We’ve covered some of the challenges in comparing penetration testing quotes previously, but we try to make your life easier by including retesting in our upfront pricing. This helps you avoid going back to leadership for additional budgetary approval, and it keeps you out of an engagement with a variable cost structure, where you won’t know how much the retesting process will cost until later. Some firms opt for a fixed-price retest quote or a time-and-materials (T&M) hourly retest quote, but unless you ask for the details of these upfront, they can create a surprise for you later in the process.

[Image: penetration test retest comparison of advantages]

Our Approach to Re-Tests

With all of this in mind, how do we handle retests? We automatically include re-tests in all of our penetration testing quotes. We do this to help encourage timely remediation of the issues that we find and to provide some assurance that the intended fixes were effective instead of having to wait until your next full penetration test. Additionally, retesting is often a requirement for many compliance standards, including SOC 2 Type II and PCI DSS. So rather than go through the hassle of signing a second contract, knocking everything out at the beginning streamlines the entire process. Once you let us know that the relevant fixes are in place, we can usually turn around a retest pretty quickly to get you the validation you need.

Is a retest included with every penetration test?

Certainly not across every penetration testing vendor. But at Triaxiom Security, yes, a one-time retest within 90 days of the completion of the assessment is included with every penetration test.

How long after a penetration test should retesting occur?

We provide a 90-day window for retesting following the completion of the assessment to ensure fixes happen in a timely manner and the environment is reasonably close to what it was when the original assessment occurred. The longer the period of time between the original test and the retest, the more the results can be skewed, and the harder it becomes for us to validate that a vulnerability has been closed, as network changes, host changes, addressing changes, etc. will have occurred in the meantime.

Do compliance frameworks require retesting?

This will largely depend on the particular framework, but most either require it or strongly prefer it as evidence that action was taken following a penetration test. PCI DSS, as one example, requires that all Critical/High priority issues be addressed following a penetration test. SOC 2, on the other hand, doesn’t specifically mandate a penetration test or retesting (although many auditors will want this as evidence that security controls and remediation cycles are functioning as expected).

What is the difference between a retest and a new penetration test?

The primary difference is that a retest is only trying to validate fixes for the vulnerabilities initially identified and subsequently remediated, whereas a full test will seek to identify new vulnerabilities, validate fixes for previously identified issues, and re-run all phases of a penetration test. With a retest, we can streamline that process because we already know what vulnerabilities affect which specific hosts and what exploitation process we

Contact us if you’d like to discuss further!

JR Johnson

JR is a Principal Security Engineer at Triaxiom Security. He holds a BS in Computer Science Engineering from the University of Florida and a MS in Information Assurance and Cybersecurity from the Florida Institute of Technology, and is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.
