What Happens If You Fail a Penetration Test
There's no pass/fail on a penetration test. But if you discovered serious vulnerabilities, here's what you need to do next and how to approach remediation without panic.
Understanding Penetration Test Results
A penetration test doesn't pass or fail like an exam. Instead, it produces findings—vulnerabilities an ethical hacker was able to exploit. The value comes from knowing what was found and fixing it.
Test results typically fall into categories:
- Critical: Vulnerabilities allowing immediate access to sensitive systems or data. Fix immediately (days, not weeks)
- High: Vulnerabilities allowing access to important systems or widespread compromise. Fix within 30 days
- Medium: Vulnerabilities requiring multiple steps to exploit or limited scope. Fix within 60 days
- Low: Vulnerabilities with minimal practical impact or easy workarounds. Address within 90 days
- Informational: Configuration issues or best practice recommendations. No timeline required, but worthwhile to address
The Emotional Response (And Why It's Normal)
When you get a penetration test report showing dozens of vulnerabilities, the initial reaction is often panic, denial, or blame. This is normal. You just learned that your security isn't as solid as you thought.
But here's what matters: You discovered these vulnerabilities in a controlled test, not during an actual attack. That's the entire point of penetration testing. You now have the opportunity to fix them before attackers discover them.
Organizations that respond with action instead of defensiveness come out ahead. This is your competitive advantage.
What Vulnerabilities Actually Mean
Unpatched Systems
If the test found unpatched systems, it means either you don't have a patch management process, or the process is broken. This is fixable: establish formal patch management with timelines for critical, high, and medium priority patches.
Weak Authentication
Findings such as no MFA, shared credentials, default passwords, or weak password policies. This is one of the most common categories of finding and one of the fastest to fix: MFA can be rolled out within days.
Network Segmentation Issues
Systems that shouldn't be reachable from certain networks are reachable. This requires network architecture changes, which take longer to plan and implement, but documenting the desired network design can start immediately.
Misconfigured Access Controls
Users have more privileges than their job requires. A developer shouldn't have admin access to production databases. This usually means reviewing your access matrix and updating permission levels.
Insufficient Logging or Monitoring
Attackers can operate undetected because activity isn't logged. This requires configuration of logging, centralized log management, and monitoring rules—all implementable but requiring planning.
Web Application Vulnerabilities
Findings such as SQL injection, cross-site scripting (XSS), or authentication bypass in your applications. These require developer time to fix and may take weeks to months depending on backlog and severity.
Physical Security Gaps
Server rooms, sensitive areas, or equipment reachable without proper controls. Fixing physical security usually requires capital investment and facility changes.
Immediate Actions (Next 24-48 Hours)
Assemble a Response Team
Get key stakeholders together:
- IT leadership
- Security team (if you have one)
- Executive sponsor (CFO or COO who owns security budget)
- Technical leads for affected systems
Review the Full Report
Read the entire penetration test report before reacting publicly. Understand what was actually found, how it was exploited, and what impact it could have.
Identify Critical Issues Requiring Immediate Action
Some vulnerabilities need fixing within days:
- Actively exploitable remote access vulnerabilities
- Completely unauthenticated access to critical systems
- Default credentials still in use
- Known exploits matching your environment
Create a 48-hour action plan for these. Deploy patches, disable vulnerable services, or implement temporary access controls.
Communicate, But Don't Panic
Internal communication: "We conducted a security assessment and identified some issues. We have a plan to address them." This doesn't need to be dramatic. Penetration testing is a normal part of security management.
Don't immediately broadcast findings to the board or customers. Let your team understand the issues and develop solutions first.
Building Your Remediation Plan
Prioritize by Risk and Effort
Create a matrix:
- High risk, low effort: Do immediately (MFA implementation, patch critical systems)
- High risk, high effort: Plan now, execute over coming months (network redesign, application refactoring)
- Low risk, low effort: Batch these together and complete opportunistically
- Low risk, high effort: Don't do unless required for compliance
Timeline: The 30-60-90 Day Plan
Days 1-30:
- Patch all critical vulnerabilities
- Implement MFA on remote access
- Change any default credentials
- Disable unnecessary services
- Fix the most easily exploitable findings
Days 31-60:
- Patch all high-priority vulnerabilities
- Implement access control reviews
- Deploy endpoint monitoring if not already in place
- Complete web application remediation for critical issues
Days 61-90:
- Address medium-priority findings
- Implement monitoring and alerting
- Complete network segmentation improvements
- Plan for remaining findings
Assign Owners and Accountability
Each finding needs an owner: the person responsible for fixing it. Create a tracking sheet with one row per finding and these columns:
- Vulnerability description
- Risk rating (critical/high/medium/low)
- Owner
- Target remediation date
- Status (open/in progress/fixed/verified)
Review this weekly until all critical and high findings are resolved.
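As an added illustration of the tracking sheet, the risk/effort matrix, and the remediation timelines described above (this is example code, not part of the original article), here is a small Python tracker that derives a due date from each finding's risk rating, maps it to a quadrant action, and produces the weekly overdue report. The 30/60/90-day windows follow the article's categories; the 7-day window for critical findings, the sample findings, and the column names are assumptions.

```python
"""Remediation tracker: due dates by risk rating, risk/effort quadrant, weekly report.

Added example, not from the original article. The sample findings below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation window in days per risk rating (article timelines).
# The article says "days, not weeks" for critical; 7 days is an assumption.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90, "informational": None}

# Risk/effort quadrant -> action, following the article's prioritisation matrix.
QUADRANT_ACTION = {
    ("high", "low"): "do immediately",
    ("high", "high"): "plan now, execute over coming months",
    ("low", "low"): "batch and complete opportunistically",
    ("low", "high"): "only if required for compliance",
}

STATUSES = ("open", "in progress", "fixed", "verified")
RESOLVED = ("fixed", "verified")


@dataclass
class Finding:
    description: str
    risk: str        # critical / high / medium / low / informational
    effort: str      # estimated remediation effort: "low" or "high"
    owner: str
    discovered: date
    status: str = "open"

    def __post_init__(self):
        # Reject rows that would silently fall out of the report.
        if self.risk not in REMEDIATION_DAYS:
            raise ValueError(f"unknown risk rating: {self.risk}")
        if self.effort not in ("low", "high"):
            raise ValueError(f"effort must be 'low' or 'high': {self.effort}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status}")


def due_date(f: Finding):
    """Target remediation date, or None for informational findings."""
    days = REMEDIATION_DAYS[f.risk]
    return None if days is None else f.discovered + timedelta(days=days)


def quadrant_action(f: Finding) -> str:
    """Critical and high ratings count as high risk; the rest as low risk."""
    risk_bucket = "high" if f.risk in ("critical", "high") else "low"
    return QUADRANT_ACTION[(risk_bucket, f.effort)]


def overdue(findings, today: date):
    """Unresolved findings whose target date has passed."""
    return [
        f for f in findings
        if f.status not in RESOLVED and due_date(f) is not None and due_date(f) < today
    ]


def weekly_report(findings, today: date) -> dict:
    """The weekly review: counts by status, overdue list, and whether critical/high are done."""
    counts = {s: sum(1 for f in findings if f.status == s) for s in STATUSES}
    late = overdue(findings, today)
    return {
        "status_counts": counts,
        "overdue": [(f.description, f.owner, due_date(f).isoformat()) for f in late],
        "critical_high_resolved": all(
            f.status in RESOLVED for f in findings if f.risk in ("critical", "high")
        ),
    }


# Constructed sample rows and report date (assumptions for the demonstration).
REPORT_DATE = date(2024, 4, 1)
SAMPLE_FINDINGS = [
    Finding("Default credentials on backup appliance", "critical", "low", "ops", date(2024, 3, 10)),
    Finding("No MFA on VPN", "high", "low", "it", date(2024, 3, 10), "fixed"),
    Finding("Flat network between user LAN and server VLAN", "high", "high", "netops",
            date(2024, 3, 10), "in progress"),
    Finding("Verbose server banners", "low", "low", "web", date(2024, 3, 10)),
    Finding("TLS 1.0 enabled on legacy appliance", "informational", "high", "ops", date(2024, 3, 10)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.risk:13} {quadrant_action(f):40} due={due_date(f)}  {f.description}")
    print(weekly_report(SAMPLE_FINDINGS, REPORT_DATE))
```

Keeping the windows and quadrant rules as data rather than scattered conditions makes it easy to align them with whatever SLA your policy actually sets, and the `critical_high_resolved` flag is the condition the article gives for ending the weekly review.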
Budget and Resource Allocation
Some remediation requires budget:
- Tools (MFA, monitoring, endpoint detection)
- Contractor expertise (if you don't have capability internally)
- System upgrades (replacing unsupported hardware)
- Professional services (security consulting, architecture design)
Get this approved quickly. Delayed decisions slow remediation.
Common Remediation Approaches
Patch Management
Create a formal process if you don't have one:
- Inventory all systems and software
- Subscribe to vendor security bulletins
- Test patches in non-production before deploying
- Deploy on schedule: critical (30 days), high (60 days), medium (90 days)
- Maintain backups before patching mission-critical systems
Multi-Factor Authentication (MFA)
Start with highest-risk access points:
- Remote access (VPN, RDP)
- Email and collaboration tools
- Administrative accounts
- Cloud services (Microsoft 365, AWS, etc.)
Hardware tokens (FIDO2) are best, but authenticator apps are fine for most organizations.
Access Control Review
For each system, document who has access and why:
- Remove access for terminated employees
- Remove access people don't need for their job
- Replace shared credentials with individual accounts
- Implement principle of least privilege
Monitoring and Logging
Implement centralized logging for:
- All authentication attempts (successful and failed)
- Administrative actions
- Access to sensitive data
- System changes and configuration updates
Set up alerts for suspicious activity. Start simple (unusual login times, multiple failed attempts) and expand over time.
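To show what "start simple" can look like once authentication events are centralized, here is an added Python example (not from the original article) that runs three rules over constructed authentication log lines: a burst of failed logins from one user/source pair, a successful login outside business hours, and a success that follows a failure burst. The log format, the thresholds (5 failures in 10 minutes, 07:00-19:00 UTC weekdays as business hours), and the sample lines are all assumptions.

```python
"""Simple authentication alerting over centralized log lines.

Added example, not from the original article. The log format and sample lines are
constructed; adapt parse_line() to whatever your log source actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 ts> <host> auth: FAILED|SUCCESS user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAILED_THRESHOLD = 5                 # failures per user/source pair ...
FAILED_WINDOW = timedelta(minutes=10)  # ... within this sliding window
BUSINESS_HOURS = (7, 19)             # 07:00-19:00 UTC on weekdays (assumption)
POST_BURST_WINDOW = timedelta(hours=24)  # success this soon after a burst is suspicious

# Constructed sample log (2024-04-01 is a Monday).
SAMPLE_LOG = """\
2024-04-01T09:02:11Z vpn01 auth: FAILED user=jsmith src=198.51.100.23
2024-04-01T09:02:19Z vpn01 auth: FAILED user=jsmith src=198.51.100.23
2024-04-01T09:02:27Z vpn01 auth: FAILED user=jsmith src=198.51.100.23
2024-04-01T09:02:35Z vpn01 auth: FAILED user=jsmith src=198.51.100.23
2024-04-01T09:02:44Z vpn01 auth: FAILED user=jsmith src=198.51.100.23
2024-04-01T09:02:51Z vpn01 auth: FAILED user=jsmith src=198.51.100.23
2024-04-01T09:15:02Z vpn01 auth: SUCCESS user=agarcia src=192.0.2.44
2024-04-01T23:41:18Z vpn01 auth: SUCCESS user=svc-backup src=203.0.113.9
2024-04-02T03:07:55Z vpn01 auth: SUCCESS user=jsmith src=198.51.100.23
2024-04-02T10:30:00Z vpn01 auth: FAILED user=agarcia src=192.0.2.44
"""


def parse_line(line: str):
    """Return a dict with a timezone-aware timestamp, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def is_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def detect(lines):
    """Run the three rules over the lines in order and return the alerts raised."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    bursts = {}                    # (user, src) -> time the last burst alert fired
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as events
        key, ts = (ev["user"], ev["src"]), ev["ts"]
        if ev["result"] == "FAILED":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > FAILED_WINDOW:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= FAILED_THRESHOLD:
                alerts.append({"rule": "failed_login_burst", "user": key[0], "src": key[1],
                               "ts": ts, "count": len(q)})
                bursts[key] = ts
                q.clear()  # fire once per burst rather than on every further failure
        else:
            if not is_business_hours(ts):
                alerts.append({"rule": "off_hours_login", "user": key[0], "src": key[1], "ts": ts})
            if key in bursts and ts - bursts[key] <= POST_BURST_WINDOW:
                alerts.append({"rule": "success_after_failed_burst", "user": key[0],
                               "src": key[1], "ts": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["rule"], a["user"], a["src"])
```

The third rule is why the first two are worth having together: a burst of failures alone is noisy, and an off-hours login alone may be a legitimate service account, but a success from the same user and source within a day of a burst is the combination an analyst would want to look at first. Service accounts that legitimately run overnight should be added to an allow list for the off-hours rule rather than silencing the rule entirely.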
Network Segmentation
If the test revealed that an attacker could move freely across your network:
- Map your network architecture
- Identify systems that should be isolated
- Implement firewalls or VLANs to restrict traffic
- Test connectivity to ensure legitimate systems can still communicate
This is more involved but critical for defense-in-depth.
Verification: Retesting and Validation
After remediation, verify that fixes actually work:
Internal Validation
Your team tests that fixes work before declaring victory. This is quick and catches obvious failures.
Retesting with Your Penetration Tester
After major remediation, schedule a retest engagement. This is much cheaper than the original test (usually 30-50% of original cost) because you're only testing specific findings. This validates that your fixes actually work against an expert attacker.
Ongoing Monitoring
After fixes are in place, monitor that they stay fixed:
- Verify patches continue to be applied
- Monitor that MFA stays enabled
- Review access lists regularly
- Check logs for anomalies
If You Find Serious Vulnerabilities
Breach-Level Severity
If the test revealed vulnerabilities that could allow attackers to access sensitive data or disrupt operations, treat it as a breach that hasn't happened yet:
- Patch immediately (within days, not weeks)
- Implement monitoring to detect if vulnerabilities were exploited
- Check logs for signs of compromise during the "window of vulnerability"
- Consider hiring incident response professionals to review logs and validate you weren't compromised
If You Were Actually Compromised
If while reviewing the test findings you discover evidence that your systems were actually compromised:
- Immediately engage incident response professionals
- Notify legal, insurance, and board
- Begin breach notification process if required
- Preserve all logs and evidence
This is rare but possible. Better to discover it during testing than in the news.
Turning Findings Into Security Improvements
Penetration testing is most valuable when it drives real improvements:
- Process improvements: Formalize your patch management, access control review, and security monitoring
- Tools and technology: Implement missing security controls (MFA, monitoring, firewalls)
- Policy updates: Update security policies to address findings and prevent future issues
- Training: If social engineering or phishing was successful, enhance user awareness training
- Culture change: Use findings to justify security investments and build security awareness across the organization
Long-Term: Making This Sustainable
One-time remediation isn't enough. Build a program:
- Annual penetration testing: Conduct testing yearly to identify new vulnerabilities
- Vulnerability scanning: Run automated scans monthly or quarterly
- Security assessments: Review policies, access controls, and processes regularly
- Patch management: Continuous patching, not reactive
- Monitoring: Continuous monitoring for signs of compromise
Ready to Remediate Your Findings?
If you've completed a penetration test and need help planning remediation, Sheepdog Cyber Defense can help you build and execute your remediation roadmap.
Get Your Remediation Plan Started