Remediate Findings
During remediation, review findings that pentesters discovered, and take action on them.
Once pentesters move a finding to Pending Fix, you can:
- Fix the finding and submit it for retest
- Mark the finding as Accepted Risk
Pentesters describe findings and provide recommendations on how to fix them. Navigate to the finding page for details.
Submit a Finding for Retest
Once you’ve fixed a finding internally, you can submit it for retest.
- On the Findings tab of the pentest page, filter Pending Fix findings.
- Select the desired finding.
- In the State list, select Ready for Retest.
- (Optional) Leave a comment for pentesters. Scroll down to the bottom of the page, enter your comment, and select Comment to confirm.
The pentester who posted the finding gets notified and retests the issue. When finished, they change the finding state to:
- Fixed, if they can’t reproduce the issue.
- Pending Fix, if the issue persists. Read the pentester’s comment for details.
Note
For Agile and Comprehensive Pentests that Cobalt pentesters perform, you can submit findings for retest at any time:
- Until the end of the free retesting period; or
- 10 days before your contract ends.
Cobalt pentesters complete retesting within seven (7) days after submission.
Free Retesting Duration
For Agile and Comprehensive Pentests that Cobalt pentesters perform, the timeline for retesting starts after your pentest end date within an active contract. Mark your findings as Ready for Retest at least 10 days before your contract ends.
- Free retesting is based on your PtaaS tier:
- Standard tier: 6 months
- Premium and Enterprise tiers: 12 months
- Free retesting is only available within an active contract. Your retest end date is whichever comes first: the end of the duration included in your purchased tier, or 10 days before your contract end date (until 23:59 UTC on that day).
- When you start a pentest right before your contract expires, you may not qualify for retesting. If you add a new contract, we’ll update your retest end date based on the tier your pentest was planned in.
Note
To extend your retest end date, please contact your Customer Success Manager (CSM) or support@cobalt.io.
Mark a Finding as Accepted Risk
Once you’ve analyzed a finding, you may want to accept it if:
- The risk associated with the vulnerability is low; or
- You plan to mitigate the finding in a way that doesn’t involve an actual technical fix.
If you think a finding is not a vulnerability, ask pentesters to reevaluate it. On the finding page, leave a comment explaining this. Tag a pentest Lead (for Comprehensive pentests) or Coordinator (for Agile pentests). Leave the finding in the Pending Fix state until it’s resolved.
- If pentesters confirm that the finding is not a vulnerability after reevaluating it, they decline the finding.
- If pentesters still consider the vulnerability a real finding, you can mark it as Accepted Risk.
To mark a finding as Accepted Risk:
- On the Findings tab of the pentest page, filter Pending Fix findings.
- Select the desired finding.
- In the State list, select Accepted Risk.
- In the overlay that appears, select a reason for accepting the risk or specify your own. You can add a note to provide more details.
- Select Submit to confirm.
- Users who have access to the pentest can see who accepted the risk and view all related details. If needed, they can edit the reason and note.
On the pentest report, in the Post-Test Remediation section, the finding appears as Accepted Risk. You can see details under Accepted Risk Reasons. This information may be relevant to stakeholders you share the report with.
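As an added illustration (not Cobalt's own code or API), the following Python models the finding lifecycle described above (Pending Fix, Ready for Retest, Fixed, Accepted Risk, and who may make each move) together with the free retest end date computed from the PtaaS tier and the contract end date. The tier durations and the 10-day cutoff come from the page; the function and class names, and the sample finding title, are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Free retesting window per PtaaS tier, in months (values from the page).
TIER_RETEST_MONTHS = {"Standard": 6, "Premium": 12, "Enterprise": 12}
CONTRACT_CUTOFF_DAYS = 10  # retesting closes 10 days before the contract ends

# (from_state, to_state) -> who may make that move in the remediation workflow.
TRANSITIONS = {
    ("Pending Fix", "Ready for Retest"): "customer",
    ("Pending Fix", "Accepted Risk"): "customer",
    ("Ready for Retest", "Fixed"): "pentester",        # could not reproduce
    ("Ready for Retest", "Pending Fix"): "pentester",  # issue persists
}


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def retest_end_date(pentest_end: date, tier: str, contract_end: date) -> Optional[date]:
    """Retest window end: tier duration after the pentest end date, capped at
    10 days before the contract end. Returns None if the pentest does not qualify."""
    tier_end = add_months(pentest_end, TIER_RETEST_MONTHS[tier])
    cutoff = contract_end - timedelta(days=CONTRACT_CUTOFF_DAYS)
    end = min(tier_end, cutoff)
    return end if end >= pentest_end else None


@dataclass
class Finding:
    title: str  # sample titles below are constructed, not real findings
    state: str = "Pending Fix"
    accepted_risk_reason: Optional[str] = None

    def transition(self, new_state: str, actor: str, reason: Optional[str] = None) -> str:
        """Apply a workflow move, rejecting any the page does not allow."""
        if TRANSITIONS.get((self.state, new_state)) != actor:
            raise ValueError(f"{actor} may not move {self.state!r} to {new_state!r}")
        if new_state == "Accepted Risk" and not reason:
            raise ValueError("Accepted Risk requires a reason")
        self.state = new_state
        self.accepted_risk_reason = reason if new_state == "Accepted Risk" else None
        return self.state
```

The state table makes the division of labour explicit: only the customer moves a Pending Fix finding, and only the pentester closes a retest.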