Learn how to submit a finding for retest or accept it.

Learn how to submit a finding for retest or accept it.


:::info
During remediation, review findings that pentesters discovered, and take action on them.

:::

Once pentesters move a finding to [Pending Fix](https://docs.cobalt.io/en-us/articles/remediate-findings-22WPR0Fnlv#h-submit-a-finding-for-retest), you can:

* Fix the finding and submit it for retest
* Mark the finding as Accepted Risk

## Submit a Finding for Retest

After you’ve fixed a finding internally, you can submit it for retest to confirm the fix.


1. On the **Current Pentest Findings** tab of the pentest page, filter for findings in the **Pending Fix** state.
2. Select the desired finding.
3. In the **State** list, select **Ready for Retest**.
4. (Optional) Leave a comment for pentesters. Scroll down to the bottom of the page, enter your comment, and select **Comment** to confirm.

The pentester who originally reported the finding is notified and will retest the issue within **seven (7) days**. When finished, the tester will change the [finding state](https://docs.cobalt.io/en-us/articles/finding-states-De6IE4W5Zw) to:

* Fixed, if they can’t reproduce the issue.
* Pending Fix, if the issue persists. Read the pentester’s comment for details.


:::info
#### Note

For Agile and Comprehensive Pentests that Cobalt pentesters perform, you can submit findings for retest at any time:

* Until the end of the free retesting period; or
* 10 days before your contract ends.

Cobalt pentesters complete retesting within seven (7) days after submission.

:::

### Free Retesting Duration

For Agile and Comprehensive Pentests, free retesting is available based on your [PtaaS tier](https://www.cobalt.io/pentest-pricing), provided your contract is active.

* Standard tier: 6 months
* Premium and Enterprise tiers: 12 months


:::info
Notes:

* Free retesting is only available within an active contract. Your retest end date is either the duration of your purchased tier or 10 days before your contract end date (until 23:59 UTC).
* When you start a pentest right before your contract expires, you may not qualify for retesting. If you add a new contract, we’ll update your retest end date based on the tier your pentest was planned in.

:::

### See an example.

The Standard contract duration is from January 1, 2025 to December 31, 2025.

You have a pentest moved to Planned on December 18, 2025 with a start date of December 20, 2025 and an end date of January 3, 2026. The free retesting end date for this pentest is December 21, 2025, until 23:59 UTC (10 days before your current contract end date).

Then on December 30, 2025, you signed a new Enterprise contract for a period from January 1, 2026 to December 31, 2026. To recalculate the free retesting end date for your pentest planned on December 18, we’ll look at the Standard tier. Since you extended your contract, we’ll also update your retesting end date from January 3, 2026 23:59 UTC to June 3, 2026 23:59 UTC (6 months for Standard tier).


:::info
#### Note

To extend your retest end date, please contact your Customer Success Manager (CSM) or [support@cobalt.io](mailto:support@cobalt.io).

:::

## Mark a Finding as Accepted Risk

Once you’ve analyzed a finding, you may want to accept it if:

* The risk associated with the vulnerability is low; or
* You plan to mitigate the finding in a way that doesn’t involve an actual technical fix.

If you determine that the vulnerability does not require a technical fix — either because the risk is low, or you plan to mitigate it through non-technical controls—you can mark it as Accepted Risk.


1. On the **Current Pentest Findings** tab of the pentest page, filter for findings in the **Pending Fix** state.
2. Select the desired finding.
3. In the **State** list, select **Accepted Risk**.
4. In the overlay that appears, select a reason for accepting the risk or specify your own. You can add a note to provide more details.
5. Select **Submit** to confirm.

Users with access to the pentest can see who accepted the risk and view all related details. Findings marked as Accepted Risk will appear in the Post-Test Remediation section of your final report.

## Disputing a Finding

If you believe a reported finding is not a valid vulnerability (e.g., it is a false positive, or the associated risk is negligible), you should ask the pentesters to reevaluate it.


1. On the finding page, leave a comment explaining why you believe the finding should be reevaluated.
2. Tag the appropriate pentester Lead (for Comprehensive tests) or Coordinator (for Agile tests) to ensure they see your request.
3. Leave the finding in the Pending Fix state until the reevaluation is complete.

**Resolution:**

* If pentesters confirm the finding is not a vulnerability after reevaluation, they will Decline the finding.
* If pentesters confirm the finding is a legitimate vulnerability, you can then choose to mark the finding as Accepted Risk if you do not plan to apply a technical fix.




Remediate Findings

Pentests

Overview

Asset Details

Pentest Details

Scope & Test Period

Preparation

Create a Pentest

Pentest Process

Pentest States

Coverage Checklist

Pentest Expectations

Set Up an In-House Pentest

Complete an In-House Pentest (For Pentesters)

In House Pentests

Severity Levels

Finding States

Findings

Customize Your Report

Co-branded Reports

Contents of a Pentest Report

Reports

How to get started with Cobalt

Getting Started

Risk Advisories

Assets are what we pentest

Asset Types

Create an Asset

Assets

Engagements Overview

Digital Risk Assessment

Secure Code Review

Engagements

Insights

Planning

Cobalt Methodologies Overview

Web Methodologies

API Methodologies

External Network Methodologies

Internal Network Methodologies

Mobile Methodologies

Cloud Configuration Review Methodologies

Cloud Pentest Methodology

Desktop Methodologies

AI/LLM Methodologies

Digital Risk Assessment Methodology

Secure Code Review Methodologies

Methodologies

Attack Surface Monitoring (ASM)

Attack Surface

DAST Scanner Overview

Best Practices

Integrations

Partial Scans: Reduced Scope

Scans

Sequence recorder

Targets

Target Authentication

Extra Hosts

Blackout Period

DAST Scanner

Account Overview

Account Settings

Password Best Practices

Sign In to Cobalt

Troubleshoot Sign-in Issues

User Account

Collaboration Overview

Collaborate on Pentests

Groups

Manage Pentest Collaborators

Manage Notifications

User Roles and Permissions

Collaboration

Organization Overview

Manage Users

Your Cobalt Contract

How to Configure SAML 2.0 for Cobalt 

SAML Migration: Update Your Configuration

Configure SAML SSO

SCIM Provisioning Setup Guide

Configure Organization Settings

Organization

Cobalt Credits

Track Your Credits

Cobalt PtaaS Tiers

Credits

Cobalt Integrations Overview

Connect your applications

Create GitHub tickets for Findings

Send MS Teams notifications for Findings

Create Azure DevOps Work Item for Findings

Create Jira tickets for Findings

Send email notifications for Findings from Outlook

Create GitLab tickets for Findings

HTTP Connector

Import Assets from Google Sheets

Map Cobalt Pentest Finding Severity to Jira Issue Priority

Modify Jira Issue Summary to contain Pentest Title

How to Guides

Troubleshooting

Integration Builder

Jira Data Center Integration

Push Cobalt Findings to Jira

Switching to a New Jira Instance

Jira Cloud Integration

Troubleshoot Your Jira Integration

Synchronize Cobalt Severity Levels with Jira

Integrate Jira with Cobalt

Slack

Microsoft Teams

Webhooks

DefectDojo

Kenna Security

Vanta

Carried Over Findings

Create Test Finding

Cobalt API Overview

Partner Integrations

API Versions

Events

Errors

Subscription

Introduction

Authentication

EU Data Center

Organizations

Engagement Findings

DAST Targets

DAST Scans

DAST Scheduled Scans

DAST Findings

External Ticket References

Tokens

Pagination

Idempotency

Rate Limits

Create a Personal Cobalt API Token

Changelog

Get an Organization Token

Revoke Your Personal Cobalt API Tokens

Create or Modify an Asset

Import Findings to Google Sheets

Cobalt API

Glossary

March 2026

February 2026

January 2026

November 2025 

August 2025

July 2025

June 2025

May 2025

April 2025

March 2025

January 2025

December 2024

November 2024

October 2024

September 2024

August 2024

July 2024

June 2024

May 2024

April 2024

March 2024

January 2024

What's New

Guide

Cobalt Product Documentation

Remediate Findings

Share

Share

Remediate Findings

Share

Share