If you’re on an IT team that struggles to remediate pentest findings, this email is for you. I’ve pentested hundreds of organizations, and chances are I have helped organizations just like yours with this exact issue.

Ethical Threat Insight: 30-60-90 Day Pentest Remediation Plan

Before we get to the remediation plan, there are three major issues we need to address first, to get you to a point where you are reliably remediating pentest findings.

  1. Ownership: Give everyone on the team responsibility for specific findings. It’s their job to track down the root cause and to get the issue fixed. Now, if you’re a 1-2 person IT shop, I empathize. I know it’s not easy.

  2. Deadlines: Give the team (or yourself) deadlines by which each issue must be fixed. No deadlines means you’ll just end up kicking the can down the road. I’ve been there, I know…

  3. RCA (root cause analysis): Every finding has to have a root cause analysis done. This doesn’t have to be some big formal thing. For some issues the cause is easy to identify; others take a bit more work. But I promise you this will help you prevent repeat findings.

30-60-90 Remediation Plan

Here’s what you’re going to do over the next 30, 60, and 90 days to eliminate all of the findings from your pentest report.

30 Days

Right after you receive the report you should be creating a prioritized remediation plan that takes into consideration finding severity, exploitability and remediation impact.

This is your finding hit list.

Sort this list by putting the most severe, most exploitable and lowest remediation impact at the top.

Assign ownership to the team along with deadlines.

Also near the top of this list should be findings that are not that severe, have some exploitability potential and also have low remediation impact. These are your low-hanging fruit.

At the bottom of this list are the findings that are lower severity, not exploitable and have higher remediation impact.

Before going any further, you obviously want to address the most severe and exploitable issues first and foremost. Things like ESC1, which allows immediate domain privilege escalation, or SQL injection in your web application.

Regardless of remediation impact, if the issue is immediately exploitable it has to be addressed first.
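To make the prioritization concrete, here is a small, added example (not from the newsletter) that builds the hit list exactly as described: immediately exploitable findings first regardless of remediation impact, then most severe, most exploitable and lowest remediation impact, and then assigns each finding an owner and a deadline tied to its 30/60/90-day window. The severity and exploitability scales, the window mapping in `window_days`, and the sample findings are all assumptions constructed for the example.

```python
"""Build a prioritized pentest-finding hit list with owners and deadlines.

Added example, not from the newsletter. The ordinal scales, the
30/60/90 window mapping and the sample findings are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Ordinal scales (assumed; use whatever scale your report uses).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
EXPLOITABILITY_RANK = {"immediate": 3, "prerequisites": 2, "theoretical": 1, "none": 0}
IMPACT_RANK = {"low": 0, "medium": 1, "high": 2}  # remediation impact; lower is easier to fix


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str            # key of SEVERITY_RANK
    exploitability: str      # key of EXPLOITABILITY_RANK
    remediation_impact: str  # key of IMPACT_RANK
    owner: str = ""
    due: Optional[date] = None


def hit_list_key(f: Finding) -> tuple:
    # Rule from the plan: immediately exploitable findings go to the top
    # regardless of remediation impact. After that: most severe, most
    # exploitable, lowest remediation impact first.
    not_immediate = 0 if f.exploitability == "immediate" else 1
    return (
        not_immediate,
        -SEVERITY_RANK[f.severity],
        -EXPLOITABILITY_RANK[f.exploitability],
        IMPACT_RANK[f.remediation_impact],
    )


def build_hit_list(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=hit_list_key)


def window_days(f: Finding) -> int:
    """Map a finding to its 30/60/90-day window (this mapping is our reading of the plan)."""
    if f.exploitability == "immediate":
        return 30  # fix first, whatever the remediation impact
    if f.remediation_impact == "low":
        return 30  # low-hanging fruit
    if f.remediation_impact == "medium":
        return 60  # needs planning and cross-team communication
    return 90      # extensive remediation or redesign


def assign(findings: list[Finding], owners: list[str], report_date: date) -> list[Finding]:
    """Return the hit list with a round-robin owner and a deadline tied to each window."""
    assigned = []
    for i, f in enumerate(build_hit_list(findings)):
        due = report_date + timedelta(days=window_days(f))
        assigned.append(replace(f, owner=owners[i % len(owners)], due=due))
    return assigned


# Constructed sample findings (not from any real report).
SAMPLE_FINDINGS = [
    Finding("TLS 1.0 enabled on internal app server", "low", "theoretical", "high"),
    Finding("SMB signing not required on workstations", "medium", "prerequisites", "low"),
    Finding("ESC1: certificate template lets enrollees set any SAN", "critical", "immediate", "medium"),
    Finding("SQL injection in customer portal search", "high", "immediate", "low"),
    Finding("Kerberoastable service account with weak password", "high", "prerequisites", "medium"),
]


def plan_for_sample() -> list[Finding]:
    """Hit list for the sample, two owners, report received 2024-01-01 (constructed)."""
    return assign(SAMPLE_FINDINGS, ["alice", "bob"], date(2024, 1, 1))


if __name__ == "__main__":
    for f in plan_for_sample():
        print(f"{window_days(f):>2}d  {f.due}  {f.owner:<6} {f.severity:<8} {f.title}")
```

Running it puts the ESC1 and SQL injection findings at the top with 30-day deadlines even though ESC1 has a medium remediation impact, the Kerberoastable account lands in the 60-day window, and the high-impact TLS 1.0 item falls to the bottom with a 90-day deadline. Swap in your own scales and owners; the ordering rule is the part worth keeping.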

The last thing you’re going to do in this 30-day window is root cause analysis on each of the findings. Keep it simple and don’t overdo it. But you have to identify whether that finding is part of a larger issue.

60 Days

Now this is where having a team really pays off. They should already be working on fixing the “low-hanging fruit.”

You can likely address these issues within a day or two, depending on your workload, and you may even be able to tackle them within the 30-day window.

Next up in the 60-day window are the things that require a bit more planning and preparation to fix. Things in this category will be issues that require communication across the organization.

Issues here will be severe; however, they will likely have prerequisites that must be met before they can be exploited.

90 Days

By now, if you have a team, have assigned ownership of the findings and have set deadlines, you should have the majority of the issues fixed. Now, I know it depends, and sometimes there are serious issues that require extensive remediation and even full-blown redesigns.

But in my experience, most pentest reports are full of low-hanging fruit.

It’s during this phase where you want to consider the threat detection aspects of your pentest findings. For example, if you had an internal pentest and the tester was able to Kerberoast admin accounts but no alerts were generated, that’s something you really need to figure out.
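As an added illustration of that detection gap (example code, not from the newsletter), the script below runs a simple Kerberoasting detection over Windows Security event 4769 records: it flags an account that requests RC4-encrypted service tickets (TicketEncryptionType 0x17/0x18) for many distinct SPNs in a short window, while ignoring machine accounts and TGT requests. The log lines are constructed key=value renderings of a few real 4769 fields, and the threshold and window are assumptions you would tune against your own baseline.

```python
"""Flag Kerberoasting-style activity in Windows Security event 4769 records.

Added example, not from the newsletter. SAMPLE_LOG is constructed; the
field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
are real 4769 fields, the threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# RC4-HMAC ticket encryption types as logged in event 4769.
RC4_ETYPES = {"0x17", "0x18"}
DISTINCT_SERVICE_THRESHOLD = 5   # assumption: distinct SPNs per account before alerting
WINDOW = timedelta(minutes=10)   # assumption: sliding window

# Constructed log: alice uses AES, WS01$ is a machine account, bob hits one
# legacy RC4 service, jdoe requests RC4 tickets for many SPNs in seconds.
SAMPLE_LOG = """\
2024-03-04T10:15:01Z EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.40
2024-03-04T10:15:30Z EventID=4769 TargetUserName=WS01$@CORP.LOCAL ServiceName=legacy_app TicketEncryptionType=0x17 IpAddress=10.0.0.41
2024-03-04T10:16:02Z EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=legacy_app TicketEncryptionType=0x17 IpAddress=10.0.0.42
2024-03-04T10:20:00Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-03-04T10:20:01Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-03-04T10:20:01Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-03-04T10:20:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-03-04T10:20:02Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-03-04T10:20:03Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_adfs TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-03-04T10:20:03Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.0.25
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_kerberoasting(log_text: str, threshold: int = DISTINCT_SERVICE_THRESHOLD,
                         window: timedelta = WINDOW) -> dict:
    """Return {account: sorted distinct services} for accounts that requested RC4
    service tickets for at least `threshold` distinct SPNs within one `window`."""
    requests = defaultdict(list)  # account -> [(time, service)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("EventID") != "4769" or rec.get("TicketEncryptionType") not in RC4_ETYPES:
            continue
        account = rec["TargetUserName"].split("@")[0]
        service = rec["ServiceName"]
        # Machine accounts request many tickets legitimately; krbtgt is a TGT, not an SPN.
        if account.endswith("$") or service.lower() == "krbtgt":
            continue
        requests[account].append((rec["time"], service))

    alerts = {}
    for account, events in requests.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {svc for t, svc in events[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[account] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_LOG).items():
        print(f"ALERT {account}: RC4 service tickets for {len(services)} SPNs: {', '.join(services)}")
```

On the sample, only `jdoe` is flagged (six distinct RC4 service tickets in three seconds); `bob`'s single legacy RC4 request stays under the threshold and the machine account is ignored. Two caveats when you turn this into a production rule: environments with legacy applications will have a steady RC4 baseline that sets the threshold for you, and a filter on RC4 alone misses accounts whose SPN tickets are AES-only, so pair it with a plain volume rule on distinct SPNs per account.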

Now what?

At this point in the process you likely have all your low-hanging fruit remediated, you have your moderately difficult-to-fix findings remediated or mostly remediated, and you’ve got some long-term items that will require more effort.

This is now where I’d say you’re ready for retesting. And if I can encourage you to do one thing, it’s to not skip over retesting.

When I do retesting, I inevitably find a small percentage of findings have not been fully remediated.

You’ve spent all this time and effort; bring the pentesters back and make sure the findings are fixed. You get a cleaner report, but more importantly you get the confidence of knowing those issues are fixed for good.

Not remediating pentest findings is one of the most common pitfalls I see IT teams fall into. And if you’re like me, you’re often left wondering whether the pentest you did made you safer or not.

In this episode of the Cyber Threat Perspective, I talk about this exact issue and how to avoid it.

All the best
Spencer Alessi

PS - The longer you wait to fix findings from your pentest, the higher the chances that you never fix them. Fix fast, fix smart.