What Happens After a Penetration Test: Re-Test, Attestation, and the Evidence Trail

November 26, 2024

Most organisations treat the delivery of the penetration test report as the conclusion of the engagement. The report arrives, findings are reviewed, a remediation plan is discussed, and the pen testing firm moves on. The organisation is left with a document that ages from the moment it is delivered. Within six to twelve months, it no longer accurately represents the security posture it described. Within two years, it may be the only evidence an organisation can produce when a customer, auditor, or regulator asks to see testing results.

The period after a penetration test is where most of the value of the exercise is either captured or lost. Re-testing confirms that findings were actually fixed. Attestation letters give organisations a document they can use for external purposes without sharing the full finding detail. A well-constructed evidence trail means that every subsequent audit, procurement questionnaire, and regulatory review can draw on a clear record of what was tested, what was found, and what was done about it. None of this happens automatically. It requires a process.

Re-Testing: Confirming the Fix Held

Remediation of a penetration test finding is an engineering activity. A developer modifies code, a system administrator changes a configuration, a network engineer updates a firewall rule. These changes might fix the specific issue identified. They might also introduce a new issue, fix the symptom rather than the cause, or apply a fix to one instance of the problem while leaving other instances in place.

Re-testing is the step that confirms the fix held under the same active testing conditions that identified the original finding. A tester who attempts the same technique against the remediated system and is unable to reproduce the finding provides meaningful evidence that the fix was effective. A developer reviewing their own code change does not provide the same assurance. For critical and high-severity findings, re-testing by the original testing team within the re-test window included in the engagement scope is the appropriate approach. For medium findings, a review of the remediation by the testing firm or a qualified internal party may be sufficient depending on the nature of the issue.

Attestation Letters and What They Cover

An attestation letter is a document issued by the penetration testing firm that summarises the scope, dates, and overall outcomes of the engagement without disclosing the specific technical findings. It serves several purposes. It gives the organisation a document they can share with customers, insurers, or procurement teams who want evidence that penetration testing was conducted, without exposing the detail of what was found. It also provides evidence to auditors that testing occurred during a specific period, which is relevant for compliance frameworks that require periodic testing.

Attestation letters should specify:

  • The name and accreditation of the testing firm
  • The dates of the engagement
  • The scope of testing, described at a level of detail that confirms what was covered without disclosing findings
  • A high-level statement about the overall outcome -- for example, whether any critical findings were identified and whether they have been remediated
  • Whether a re-test was conducted and, if so, the outcome

For CREST ANZ-accredited firms, the attestation letter also provides evidence that the testing was conducted by a firm assessed as technically capable of delivering the service. This carries weight in procurement and audit contexts where the qualifications of the testing firm are a consideration.

Building an Evidence Trail for Audit and Procurement

A single penetration test report, however thorough, has limited value in isolation. What auditors and sophisticated procurement teams want to see is a pattern of behaviour over time: evidence that testing is conducted regularly, that findings are tracked and remediated, that the testing programme responds to changes in the environment, and that the organisation treats the output of testing as input to its risk management process rather than as a document to be filed.

An effective evidence trail includes the following records for each testing cycle:

  • The scoped report from the testing firm, retained in a form that demonstrates it has not been altered since delivery
  • A finding register that tracks each finding from identification through remediation or formal risk acceptance
  • Re-test reports or confirmation records for remediated findings
  • Attestation letters for external use
  • Records of any findings that were formally accepted as risk rather than remediated, including the rationale and the sign-off authority
  • Evidence that findings from prior cycles were reviewed in planning the scope of subsequent cycles

This record set is what an ISO 27001 auditor, an APRA-supervised entity's prudential reviewer, or a due diligence team conducting an acquisition assessment will ask to see. Organisations that maintain this record set spend far less time and effort responding to those requests and are far less likely to discover that their testing history has gaps that cannot be retrospectively filled.

When the Evidence Trail Is Used

The evidence trail from penetration testing is used in contexts that most organisations do not anticipate when they commission the test. Cyber liability insurance applications ask about testing frequency and outcomes. Enterprise customers conducting supplier security assessments request evidence of recent penetration testing as a condition of contract. Merger and acquisition due diligence reviews examine the target's security testing history as part of technical risk assessment. Regulatory exams under frameworks like CPS 234 review testing records as a core component of the information security assessment.

In each of these contexts, the question being asked is not just "did you run a penetration test?" It is "did you act on what you found, and can you demonstrate it?" The evidence trail answers that question. A penetration test report alone does not.

To discuss re-testing, attestation, and building an evidence trail for your penetration testing programme, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Offensive Security
Written by
Shahbaz Rasheed
Managing Director
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?