Pentest finding dispute resolution
when the client pushes back, run a workflow rather than a chat thread

The client argues the issue does not exist, the reproduction does not work in their environment, or the scanner flagged a benign condition. The evaluation path is a reproduction attempt against the original evidence: the reviewer re-runs the request, walks the response, and either confirms the issue, captures additional evidence, or reclassifies the finding to informational with the rationale recorded on the finding.

The client agrees the issue exists but argues the severity is wrong. The evaluation path goes back to the CVSS 3.1 vector and the environmental metrics. Reviewers walk attack vector, attack complexity, privileges required, user interaction, scope, and impact metrics against the evidence. A revised severity carries the new vector on the finding so the change is reproducible rather than a number swap.

The client argues the asset, endpoint, or behaviour is out of scope, behind a system the firm was not authorised to test, or related to a third-party dependency rather than the buyer is system. The evaluation path goes back to the rules of engagement, the asset list, and the methodology section of the report. Out-of-scope findings get repositioned (informational, advisory) or removed with the rationale captured on the finding.

The client argues the risk has been formally accepted by an internal owner. The evaluation path requires a written acceptance with a named accountable owner, a documented business justification, and a reassessment trigger. An informal "we know about that" does not clear the bar; ISO 27001 Annex A 5.7 and SOC 2 trust services criteria expect documented risk treatment decisions or the finding sits as an unmanaged exposure.

The client argues the recommended fix is impractical, would break a dependency, or the cost outweighs the residual risk. The evaluation path goes back to the developer-readiness of the original guidance. Reviewers tighten the recommendation against the affected configuration, library, or code path, propose a compensating control where the original fix is genuinely impractical, and record the negotiated remediation on the finding rather than dropping the requirement.

The client argues the underlying asset has materially changed since the test was run, so the finding no longer applies. The evaluation path goes back to the engagement window and the asset version. Material change after the test window typically moves work toward a fresh engagement rather than a quiet finding withdrawal; the original finding stays as historical context with a clear lineage link to the new engagement.

Pushback lands in a Friday afternoon email, gets answered the following Tuesday, and is forgotten by the time the report ships. Six months later nobody can reconstruct why the severity was downgraded or why a finding was dropped. The audit trail starts at the published PDF rather than at the dispute that shaped it.

The client asks for the severity to be lowered, the firm complies to keep the relationship comfortable, and the CVSS vector on the finding stops matching the headline severity. The next reviewer reads the inconsistency as either a bug or a quiet downgrade, and either reading damages confidence in the report.

Every contested finding gets dropped on the false positive line because re-walking the evidence is expensive and the deadline is closer than the principle. The catalogue ends up reflecting what the client was comfortable with rather than what the test found, and the firm cannot defend the report against a third-party reviewer who reads the original evidence.

A finding gets marked accepted-risk on the back of a verbal "we know about that" with no signed acceptance, no named owner, and no expiry. The audit reads it as an unmanaged exposure. ISO 27001, SOC 2, and PCI DSS all expect the acceptance to be a written treatment decision with a reassessment trigger or it is not a treatment at all.

The client pushes back on the fix, the firm rewords the remediation guidance to something easier to deliver, and the original requirement is erased rather than negotiated. The next reviewer reads the softened version and never knows the original requirement was harder. Where a compensating control is the right answer, it should be on the record alongside the original.

Adjudication happens in a video call between the engagement lead and the client, the call ends with a verbal agreement, and the engagement record reflects nothing of the conversation. When the call participants leave the firm or the client team, the rationale leaves with them. The dispute outcome should land on the finding with a written rationale and a named approver, regardless of where the conversation happened.

The tester who logged the original finding. Owns the original evidence, severity rationale, and remediation guidance. Defends the original call against the dispute, attaches additional evidence the reviewer asks for, and either accepts the dispute outcome or escalates it to the engagement lead with a written rationale.

A senior tester who did not author the disputed finding. Re-walks the evidence, the CVSS vector, and the reproduction independently of the original tester. The independence is what makes the dispute outcome defensible to the client and to a third-party reviewer; without it, the dispute is just two people arguing about the same finding.

Owns the engagement and adjudicates when the test author and the peer reviewer disagree. Records the decision against the finding with the rationale, the affected severity or status, and the timestamp. Adjudication is not consensus; it is a recorded decision the audit trail can answer with later.

The named client contact who raised the dispute. Provides evidence, business context, accepted-risk documentation, or remediation feasibility input as the dispute type requires. Receives the resolution against the finding through the branded client portal so the outcome is visible on the same record both sides see.

Dispute resolution takes the output of pentest quality assurance and pentest report delivery once the report ships, and feeds the resolved state into remediation tracking, vulnerability acceptance and exception management for resolved accepted-risk outcomes, and retesting.

Dispute resolution is one phase inside pentest project management. The engagement lead schedules adjudication against the remediation timeline, names the reviewer, and tracks the dispute alongside scope, evidence, and findings on the same record.

Severity changes carry a new CVSS vector, accepted-risk decisions carry a named owner and an expiry, and withdrawn findings preserve the dispute history. When a third-party reviewer reads the report later, the answer to “why did this finding change” is on the finding itself.

Named reviewer, dispute type, written rationale, adjudication decision, and resolved outcome live on the engagement record. CREST, ISO 27001, SOC 2, and client procurement audit answers come from the record rather than from a reconstruction of who said what in a video call.

A contested finding is re-evaluated by an independent reviewer rather than renegotiated in a relationship call. The outcome reflects the evidence and the rules of engagement, not the negotiating power of either side. Both sides come out of the conversation with a record they can stand behind.

The dispute, the evaluation, the adjudication, and the resolution all live on the same record both sides see through the branded client portal. The chat thread fades; the engagement record persists. Six months later the question “what was the outcome” has one answer, not four.