Remediate Findings
During the remediation phase, you review the reported findings and take the necessary action: fix them and submit them for retest, or accept the risk.
Once pentesters move a finding to Pending Fix, you can:
- Fix the finding and submit it for retest
- Mark the finding as Accepted Risk
Submit a Finding for Retest
After you’ve fixed a finding internally, you can submit it for retest to confirm the fix.
- On the Current Pentest Findings tab of the pentest page, filter for findings in the Pending Fix state.
- Select the desired finding.
- In the State list, select Ready for Retest.
- (Optional) Leave a comment for pentesters. Scroll down to the bottom of the page, enter your comment, and select Comment to confirm.
The pentester who originally reported the finding is notified and will retest the issue within seven (7) days. When finished, the tester will change the finding state to:
- Fixed, if they can’t reproduce the issue.
- Pending Fix, if the issue persists. Read the pentester’s comment for details.
Note
For Agile and Comprehensive Pentests that Cobalt pentesters perform, you can submit findings for retest at any time:
- Until the end of the free retesting period; or
- Until 10 days before your contract ends.
Cobalt pentesters complete retesting within seven (7) days after submission.
Free Retesting Duration
For Agile and Comprehensive Pentests, free retesting is available based on your PtaaS tier, provided your contract is active.
- Standard tier: 6 months
- Premium and Enterprise tiers: 12 months
Notes:
- Free retesting is only available within an active contract. Your retest end date is the end of your purchased tier's duration or 10 days before your contract end date (until 23:59 UTC), whichever comes first.
- When you start a pentest right before your contract expires, you may not qualify for retesting. If you add a new contract, we’ll update your retest end date based on the tier your pentest was planned in.
Note
To extend your retest end date, please contact your Customer Success Manager (CSM) or support@cobalt.io.
Mark a Finding as Accepted Risk
Once you’ve analyzed a finding, you may want to accept the risk rather than fix it if:
- The risk associated with the vulnerability is low; or
- You plan to mitigate the finding in a way that doesn’t involve an actual technical fix, for example through non-technical controls.
If you determine that the vulnerability does not require a technical fix, mark it as Accepted Risk:
- On the Current Pentest Findings tab of the pentest page, filter for findings in the Pending Fix state.
- Select the desired finding.
- In the State list, select Accepted Risk.
- In the overlay that appears, select a reason for accepting the risk or specify your own. You can add a note to provide more details.
- Select Submit to confirm.
Users with access to the pentest can see who accepted the risk and view all related details. Findings marked as Accepted Risk will appear in the Post-Test Remediation section of your final report.
Disputing a Finding
If you believe a reported finding is not a valid vulnerability (e.g., it is a false positive, or the associated risk is negligible), you should ask the pentesters to reevaluate it.
- On the finding page, leave a comment explaining why you believe the finding should be reevaluated.
- Tag the appropriate pentester Lead (for Comprehensive tests) or Coordinator (for Agile tests) to ensure they see your request.
- Leave the finding in the Pending Fix state until the reevaluation is complete.
Resolution:
- If pentesters confirm the finding is not a vulnerability after reevaluation, they will Decline the finding.
- If pentesters confirm the finding is a legitimate vulnerability, you can then choose to mark the finding as Accepted Risk if you do not plan to apply a technical fix.
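As an added example (not Cobalt's own code or API), the following Python models the remediation workflow described on this page: the state changes each side may make on a finding, the free-retest window derived from the PtaaS tier and the contract end date, and the seven-day retest deadline. It assumes the tier duration is counted from the pentest end date and that the earlier of the two end dates applies; the role names and function names are hypothetical.

```python
import calendar
from datetime import date, datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class State(Enum):
    PENDING_FIX = "Pending Fix"
    READY_FOR_RETEST = "Ready for Retest"
    FIXED = "Fixed"
    ACCEPTED_RISK = "Accepted Risk"
    DECLINED = "Declined"


# Transitions each role may make, following the workflow described above.
# Declined is the outcome when pentesters uphold a dispute (assumed role split).
ALLOWED = {
    ("client", State.PENDING_FIX): {State.READY_FOR_RETEST, State.ACCEPTED_RISK},
    ("pentester", State.READY_FOR_RETEST): {State.FIXED, State.PENDING_FIX},
    ("pentester", State.PENDING_FIX): {State.DECLINED},
}

FREE_RETEST_MONTHS = {"Standard": 6, "Premium": 12, "Enterprise": 12}
RETEST_SLA_DAYS = 7        # pentesters complete a retest within seven days of submission
CONTRACT_CUTOFF_DAYS = 10  # retesting closes 10 days before the contract ends


def transition(role: str, current: State, new: State) -> State:
    """Apply a state change, rejecting moves the workflow does not allow."""
    if new not in ALLOWED.get((role, current), set()):
        raise ValueError(f"{role} cannot move a finding from {current.value} to {new.value}")
    return new


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def retest_end(pentest_end: date, tier: str, contract_end: date) -> Optional[datetime]:
    """Last moment (23:59 UTC) a finding can be submitted for retest, or None when
    the contract cutoff falls before the pentest ends (no retest window at all)."""
    by_tier = add_months(pentest_end, FREE_RETEST_MONTHS[tier])  # assumption: counted from pentest end
    by_contract = contract_end - timedelta(days=CONTRACT_CUTOFF_DAYS)
    end = min(by_tier, by_contract)
    if end < pentest_end:
        return None
    return datetime(end.year, end.month, end.day, 23, 59, tzinfo=timezone.utc)


def can_submit_for_retest(now: datetime, pentest_end: date, tier: str, contract_end: date) -> bool:
    end = retest_end(pentest_end, tier, contract_end)
    return end is not None and now <= end


def retest_due(submitted: datetime) -> datetime:
    """When the reporting pentester is expected to have finished the retest."""
    return submitted + timedelta(days=RETEST_SLA_DAYS)
```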