Should I get a “Re-test” with my penetration assessment?


Something you’ve likely already encountered on your penetration testing service quotes is the inclusion of a re-test, or its offer as an add-on. Some organizations use it as a differentiator by including it in their quotes, while others offer it simply as an add-on. You should determine whether a re-test is right for your organization and, if so, which style of re-test to choose.

What’s a re-test?

A re-test is a follow-up assessment in which the findings are revisited to determine whether they have been fully remediated. Traditionally this occurs after a specified period, usually up to 60-90 days after the findings report has been delivered. However, there can be different caveats to what is re-tested: most often it is either every finding or only the critical/high risk findings. It’s important to make that distinction before you agree to the terms, so be sure to fully understand what the re-test encompasses.

Is a re-test right for me?

As with most things in security, there is no one-size-fits-all answer, but it is best practice to perform re-tests. If you have a tight budget, the following may help with the decision. If this is one of your first penetration tests, you’ll likely have many findings, and a re-test will give you more value for the money than it would for a more mature security program. Additionally, if you are testing for compliance purposes, or are hesitant to hand senior leadership a findings report with a bad score, a re-test will allow you to present a much cleaner report with issues resolved before you must hand it over.

Benefits of a re-test

  • It ensures you fully corrected the issues discovered on your penetration test.
  • Re-tests are considerably less expensive than performing the entire assessment again.
  • The time limit typically gets issues resolved quickly that might otherwise have dragged out.
  • It provides a cleaner report to senior leadership with issues resolved when they are shared.

Cons of a re-test

  • Can make comparing quotes from different penetration testing organizations more difficult.
  • It can sometimes cause resourcing constraints with issues needing to be remediated quickly.
  • You’ll need to understand exactly what is in scope on a re-test before agreeing.

Conclusion

Re-tests don’t have to be complicated, and they don’t need to cost you an arm and a leg either. Discuss the parameters of the re-test with your penetration testing service provider and ensure it covers exactly what you require. If you have any questions or would like to further discuss re-test options, contact us.
