Remediation tracking
from open finding to verified close

Remediation tracking software for security teams and consultancies

Most security findings die in the gap between "reported" and "fixed". The pentest report lands as a PDF, the criticals get triaged in a meeting, and then the long tail of medium and low items quietly drifts. Three months later the next engagement finds the same issues, the client is unhappy, and nobody can show whether last quarter's remediation programme actually worked. The cause is almost always the same: there is no single record that follows a finding from open to verified close. SecPortal closes that gap with a remediation tracking workflow that handles owner assignment, SLA timers, client collaboration, retest pairing, and closure evidence in one place.

This page is the workflow view. For the retest deliverable as a tracked use case, read the pentest retesting workflow. For the deeper retest playbook, read the guide to retesting vulnerabilities. For the wider vulnerability programme model with CVSS, EPSS, and KEV, read the vulnerability prioritisation framework. For how the import side feeds remediation, see the vulnerability assessment use case. And for remediation that originates from external researchers rather than internal scans, see the VDP management workflow. For the analytical view of how findings age past SLA and turn into risk debt across PCI DSS, ISO 27001, SOC 2, and CISA KEV programmes, see the research on aging pentest findings. For the evidence record that backs every status transition, sign-off, and retest pair, see the pentest evidence management workflow. And for the upstream handover that lands findings in the client SOC, SIEM, ticketing system, and risk register before remediation begins, see the pentest finding handover to SOC and SIEM workflow.

What a remediation tracking workflow needs to do

The end-to-end remediation pipeline

Each finding moves through a defined sequence so the work cannot quietly stall in someone's inbox. The platform records who did what and when, which removes the manual logging that usually breaks down in week three of a remediation programme.

Sensible default SLAs by severity

SLAs are the lever that turns a finding list into a programme. Without target close dates, severity becomes a label rather than a deadline. A reasonable default ladder is below; tune the numbers to your risk tolerance and release cadence and document the choice on the engagement record. To produce defensible windows tied to PCI DSS, ISO 27001, SOC 2, or CISA KEV expectations, use the free vulnerability remediation SLA calculator. For the deeper workflow that runs the SLA policy on the engagement record (timer per finding, breach escalation by severity, clock pause and resume, audit-ready reporting), see the vulnerability SLA management workflow.

Reporting views remediation owners actually use

The reports that drive remediation are not the static PDF that lands at the end of an engagement. They are the live views that owners and stakeholders look at every week. The five below are the ones every meaningful remediation programme settles on.

For pentest firms and security consultancies

If you sell engagements, remediation tracking is part of the deliverable. Clients buying a pentest expect a clear picture of where they stand a month later, not an artefact that aged out the day after delivery. Most consultancies still rely on email and reissued PDFs to keep that picture current, and the friction shows up as renewal risk, retest pricing pressure, and the "we already fixed that" conversation that nobody wants. A finding-level remediation workflow inside a branded client portal replaces all of that with a live record both sides can rely on.

For internal security teams and vCISOs

Internal teams and vCISO programmes face the mirror image of the consultancy problem. The findings come from multiple sources (third-party pentests, scanner output, internal reviews), each source has its own format, and engineering wants tickets in their own tool. The fix is to keep the finding record as the canonical source of truth, link the engineering ticket to it, and track closure on the finding side. Auditors get the same export every cycle, executives see the same trend, and engineering keeps working in the tool they prefer.

For the second pain point above, a structured risk acceptance form template captures the residual rating, the compensating controls, the named approver, and the review date so each acceptance is auditable instead of buried in a Slack thread. Wrap the form in a vulnerability acceptance and exception management workflow so the lifecycle from request through approval, periodic review, and renewal or closure runs on the engagement record rather than against a folder of one-off forms. For the per-finding operating record that drives a single vulnerability from triage through verified close, use the free vulnerability remediation worksheet as the canonical worksheet for owner, SLA, fix evidence, retest pair, closure decision, and audit trail.

How remediation tracking connects to the rest of the platform

Remediation tracking is the spine of the engagement. It sits on top of findings management for CVSS scoring, templates, and scanner imports, inside engagement management for scope and team assignment, and it feeds AI reports with the closure data that turns a static report into a live programme view. For framework-aligned programmes, the same finding records map straight into ISO 27001, SOC 2, and NIST SP 800-53 evidence packs without re-keying.

Remediation tracking is one of those workflows that looks small from the outside and turns out to be the single biggest source of leverage in a security programme. Get it right and every finding has an owner, a deadline, and a paper trail. Get it wrong and every quarter starts with the same conversation about the same unfixed issues. The goal of this workflow is to make the right outcome the path of least resistance for both the security team and the people doing the fixes. For the slice of the lifecycle where the remediation route is a vendor patch coordinated with an IT or infrastructure team, the sister workflow on patch management coordination pairs the patch decision, maintenance window, pre-patch baseline, and post-patch rescan evidence to the original finding so the security-to-IT handoff stops being a parallel workstream and becomes a closure event on the engagement record. For the per-finding contract that ships each item to engineering with reproducible evidence, fix expectations, and named retest criteria before tracking begins, pair this workflow with the security finding evidence package for developers workflow so the closure cadence runs against a developer-ready record rather than against a one-line description and a screenshot. When the inbound finding stream is a third-party penetration test report PDF, the upstream intake workflow is the third-party penetration test report intake workflow, which extracts findings, recalibrates severity, dedupes against the existing scanner catalogue, and assigns named owners before remediation tracking takes over. For the platform capability that closes the loop (the FindingStatus lifecycle, separate resolved_at and verified_at timestamps, RBAC-gated transitions, and the activity log audit trail that proves the fix was verified), see the retesting workflows feature page.

Frequently asked questions about remediation tracking