July 2, 2026
VAPT Series Part 6: Remediation Validation & Retesting
Closing the loop — how to confirm fixes actually hold, and why retesting is where a VAPT engagement earns its long-term value.

By Muhammad Badhusha Muhyideen Qadiri J
3 min read
Where We Left Off
In Part 6, we walked through post-exploitation and wrapped the engagement with a report — findings, evidence, business impact, and prioritized remediation steps. But a report sitting in an inbox doesn't reduce risk. Risk only goes down when a fix is applied, verified, and proven to hold under retest.
This final part of the core series covers that closing phase: how to validate remediation properly, avoid the common mistakes that let "fixed" vulnerabilities quietly come back, and how to structure a retest so it's efficient for both you and the client.
⚠️ Reminder: Retesting still requires the same written authorization as the original engagement. A closed finding is not blanket permission to re-attack production indefinitely — confirm scope and timing with the client before you start.
Why Retesting Matters
A surprising number of "remediated" findings fail on retest. Common reasons:
- The fix was applied to the wrong system, or only one system in a pool/cluster
- A configuration change was reverted by a later deployment or Group Policy refresh
- The root cause was patched, but a secondary path to the same impact was missed
- The fix introduced a new issue (e.g., overly permissive fallback rule "to keep things working")
- The finding was marked "risk accepted" internally but never actually communicated to the tester
Retesting isn't a formality — it's the step that turns a report into an actual security improvement.
The Retest Workflow
Client marks findings as Remediated
│
▼
Tester reviews remediation evidence
(patch notes, config diffs, screenshots)
│
▼
Retest scoped ── same scope, same rules of engagement
│
▼
Attempt original exploitation path exactly as before
│
▼
┌─────┴─────┐
▼ ▼
Fix Holds Fix Fails / Incomplete
│ │
▼ ▼
Mark Closed Reopen finding + note new evidence
│ │
▼ ▼
Update Report / Issue Retest LetterClient marks findings as Remediated
│
▼
Tester reviews remediation evidence
(patch notes, config diffs, screenshots)
│
▼
Retest scoped ── same scope, same rules of engagement
│
▼
Attempt original exploitation path exactly as before
│
▼
┌─────┴─────┐
▼ ▼
Fix Holds Fix Fails / Incomplete
│ │
▼ ▼
Mark Closed Reopen finding + note new evidence
│ │
▼ ▼
Update Report / Issue Retest Letter1. Review Remediation Evidence First
Before touching the environment again, ask the client for what changed: patch versions, config diffs, screenshots of the new settings, or ticket references. This tells you exactly what to re-verify and often reveals partial fixes before you even connect — e.g., a patch that addresses the CVE but leaves a related misconfiguration in place.
2. Reproduce the Exact Original Path
Retesting means re-running the same steps documented in your original findings — not a fresh assessment. If the original finding was "Kerberoastable service account leads to Domain Admin via BloodHound path X," the retest confirms specifically:
- Is the service account still Kerberoastable?
- If not, does an equivalent path still exist elsewhere?
- Were credentials rotated, or just the immediate technique blocked?
3. Test Adjacent Paths, Not Just the Patched One
A narrow "yes the exact CVE is patched" isn't enough. If your original engagement used BloodHound to map attack paths, rerun it post-remediation — a single blocked edge in the graph rarely eliminates the whole path if other edges into the same target remain.
4. Distinguish "Fixed," "Mitigated," and "Risk Accepted"
Not everything closes with a clean fix. Your retest report should categorize each finding clearly:
StatusMeaningRemediatedOriginal exploitation path no longer works; verified independentlyMitigatedRisk reduced but not eliminated (e.g., compensating control added, underlying issue remains)Not RemediatedFix attempted but original path still worksRisk AcceptedClient has formally chosen not to fix, documented with sign-offUnable to VerifyAccess/scope limitations prevented confirmation either way
This table alone is often the most-referenced part of a retest report by security leadership and auditors.
Writing the Retest Report
Keep it lean — this is a delta document, not a full re-write of the original report.
- Summary of Retest Scope — dates, systems, and which original findings are in scope for this round.
- Status Table — every original finding, its new status (from the table above), and one line of evidence.
- Detailed Notes for Anything Not Fully Remediated — same rigor as an original finding: reproduction steps, evidence, updated remediation guidance.
- Residual Risk Statement — an honest, plain-language summary of what risk remains after this round, useful for compliance and audit purposes (e.g., SOC 2, ISO 27001, PCI-DSS evidence trails).
A Note on the Human Side of Retesting
Remediation is often done under time pressure by teams juggling other priorities. A retest that simply says "still vulnerable" without context can feel punitive and stall the relationship. Where useful:
- Acknowledge partial progress explicitly
- Explain why a fix didn't fully close the path, not just that it didn't
- Offer a quick call instead of another dense document when a finding is complex
The goal of the whole VAPT lifecycle — recon through retest — is a measurably more secure organization, not a scoreboard of who found what. A collaborative tone in this final phase tends to produce faster, more durable fixes than an adversarial one.
Closing the Series
This wraps the core arc of the VAPT series:
- Reconnaissance
- Scanning & Enumeration
- Vulnerability Analysis
- (Weaponization / Planning)
- Exploitation
- Post-Exploitation & Reporting
- Remediation Validation & Retesting
From here, real engagements loop back to Part 1 for the next assessment cycle — VAPT isn't a one-time event but a recurring part of an organization's security posture. Future posts in this series may branch into specialized tracks (cloud VAPT, mobile app testing, red team vs. purple team exercises) — let me know which direction is most useful to cover next.