Something you have likely already encountered on your penetration testing service quotes is the inclusion of a re-test, either built in or as an add-on. Some organizations use it as a differentiator by including it with their quotes, while others offer it simply as an add-on. You should determine whether a re-test is right for your organization and, if so, which style to choose.
A re-test is a follow-up assessment in which findings from the original report are revisited to determine whether they have been fully remediated. Traditionally this occurs after a specified period, usually up to 60-90 days after the findings report has been delivered. However, the scope of what is re-tested varies: most often it is either every finding or only the critical/high risk findings. Make this distinction before you agree to the terms, and be sure you fully understand what the re-test encompasses.
As with most things in security, there is no one-size-fits-all answer, but performing re-tests is best practice. If your budget is tight, the following may help with the decision. If this is one of your first penetration tests, you will likely have many findings, and a re-test will give you more value for the money than it would for a more mature security program. Additionally, if you are testing for compliance purposes, or are hesitant to hand senior leadership a findings report with a poor score, a re-test allows you to deliver a much cleaner report with the issues resolved before you must hand it over.
Re-tests do not have to be complicated, and they do not need to cost an arm and a leg either. Discuss the parameters of the re-test with your penetration testing service provider and ensure it covers exactly what you require. If you have any questions or would like to discuss re-test options further, contact us.