Remediate Findings

Learn how to submit a finding for retest or accept it.

During remediation, review findings that pentesters discovered, and take action on them.

Once pentesters move a finding to Pending Fix, you can:

  • Submit the finding for retest.
  • Mark the finding as Accepted Risk.

Pentesters describe findings and provide recommendations on how to fix them. Navigate to the finding page for details.

Submit a Finding for Retest

Once you’ve fixed a finding internally, you can submit it for retest.

  1. On the Findings tab of the pentest page, filter Pending Fix findings.

  2. Select the desired finding.
  3. In the State list, select Ready for Retest.

  4. (Optional) Leave a comment for pentesters. Scroll down to the bottom of the page, enter your comment, and select Comment to confirm.

The pentester who posted the finding gets notified and retests the issue. When finished, they change the finding state to:

  • Fixed, if they can’t reproduce the issue.
  • Pending Fix, if the issue persists. Read the pentester’s comment for details.

Free Retesting Duration

For Agile and Comprehensive Pentests that Cobalt pentesters perform, the timeline for retesting starts after your pentest end date within an active contract. Mark your findings as Ready for Retest at least 10 days before your contract ends.

  • Free retesting is based on your PtaaS tier:
    • Standard tier: 6 months
    • Premium and Enterprise tiers: 12 months
  • Free retesting is only available within an active contract. Your retest end date is either the duration of your purchased tier or 10 days before your contract end date (until 23:59 UTC).
  • When you start a pentest right before your contract expires, you may not qualify for retesting. If you add a new contract, we’ll update your retest end date based on the tier your pentest was planned in.

Mark a Finding as Accepted Risk

Once you’ve analyzed a finding, you may want to accept it if:

  • The risk associated with the vulnerability is low; or
  • You plan to mitigate the finding in a way that doesn’t involve an actual technical fix.

If you think a finding is not a vulnerability, ask pentesters to reevaluate it. On the finding page, leave a comment explaining this. Tag a pentest Lead (for Comprehensive pentests) or Coordinator (for Agile pentests). Leave the finding in the Pending Fix state until it’s resolved.

  • If pentesters confirm that the finding is not a vulnerability after reevaluating it, they decline the finding.
  • If pentesters still consider the vulnerability a real finding, you can mark it as Accepted Risk.

To mark a finding as Accepted Risk:

  1. On the Findings tab of the pentest page, filter Pending Fix findings.

  2. Select the desired finding.
  3. In the State list, select Accepted Risk.

  4. In the overlay that appears, select a reason for accepting the risk or specify your own. You can add a note to provide more details.

  5. Select Submit to confirm.
    • Users who have access to the pentest can see who accepted the risk and view all related details. If needed, they can edit the reason and note.


On the pentest report, in the Post-Test Remediation section, the finding appears as Accepted Risk. You can see details under Accepted Risk Reasons. This information may be relevant to stakeholders you share the report with.


Last modified December 18, 2024