Most security programs have a clean intake workflow and a broken verification workflow. The vulnerability gets reported, assigned, fixed — and then sits in 'awaiting retest' for weeks because the original tester moved on, the engagement closed, or the retest is billed separately and someone has to approve the budget.
#Why this is the bottleneck that matters
Time-to-verify is more predictive of program health than time-to-fix. A fast fix that never gets verified is silent rot: the team thinks the issue is closed, the underlying root cause may or may not be addressed, the same class will likely recur.
#What the workflow looks like
- 01Finding lands in queue with PoC, fix guidance, and an attached automated re-exploit script.
- 02Engineer pushes the fix; the PR labels itself security-fix:{finding-id}.
- 03Pipeline re-runs the exploit against the fix branch automatically.
- 04If the exploit still works, the PR comment surfaces the still-vulnerable status; the finding stays open.
- 05If the exploit fails as expected, the original tester gets a notification to do a five-minute human sanity check.
- 06Tester confirms; finding closes; audit trail updates.
We tried fully automating retest closure. It worked until the day a fix passed automated retest while leaving a more subtle variant of the same bug intact. Five minutes of human review is cheap insurance.
#What changed when we shipped this
Retest used to be the worst-rated part of every engagement on our customer survey. After this workflow, it stopped being a topic — which is what we wanted. The boring workflow is the working workflow.
Writing about modern penetration testing, continuous security, and the operational details of running offensive work at scale.