Here's a scenario we see repeatedly: an enterprise commissions a penetration test, receives a report with 30 findings, passes it to their development team for remediation, and considers the job done. Six months later, an attacker exploits a vulnerability that was "fixed" — but the fix was incomplete, or the remediation introduced a new vulnerability elsewhere.
This is why Simuna Infosec operates on a strict dual-round audit model.
Round 1: The Initial Assessment
Round 1 runs our full 16-step methodology, from Application Familiarization through Report Submission. It produces the comprehensive audit report, detailing every finding with a CVSS score, proof-of-concept evidence, and step-by-step remediation guidance.
The Remediation Gap
What happens between Round 1 and Round 2 is where most VAPT engagements fail. Development teams fix the reported vulnerabilities under time pressure, and the same problems recur: partial fixes that block the specific proof-of-concept payload but leave the underlying flaw in place; fixes that introduce new vulnerabilities (for example, hand-written input validation that itself creates a new injection point); fixes that break the application's security model elsewhere; and fixes that pass automated regression testing, which typically replays only the original payload, yet still fall to manual exploitation.
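The first and last of those failure modes are easiest to see side by side. The following is an added illustration, not code from Simuna Infosec or from any client engagement: a constructed SQLite lookup with a reported injection, a developer "fix" that only rejects the payload quoted in the report, and the root-cause fix. The function and payload names are hypothetical. A narrow regression check (replay_report_poc) is satisfied by the partial fix; a verification pass that exercises the flaw rather than the evidence for it (verification_round) is not.

```python
import sqlite3


def make_db():
    """Constructed sample data; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


# Payload quoted in the Round 1 report as proof of concept (hypothetical).
POC = "' OR '1'='1"
# A trivially different payload for the same flaw, the kind Round 2 tries.
VARIANT = "' OR 1=1 --"


class InputRejected(ValueError):
    """Raised by the partial fix when it recognises the reported payload."""


def lookup_vulnerable(conn, username):
    """Round 1 finding: the query is built by string formatting, so the
    caller-controlled username is parsed as SQL."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_partial_fix(conn, username):
    """Developer 'fix' that addresses the proof of concept, not the flaw:
    it rejects the exact pattern from the report and keeps string formatting."""
    if "or '1'='1" in username.lower():
        raise InputRejected("suspicious input")
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    """Root-cause fix: a parameterised query. The username is bound as data
    and can never change the structure of the statement."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def replay_report_poc(lookup):
    """What a narrow regression test does: replay only the reported payload.
    Returns True if that payload no longer dumps more than one row."""
    conn = make_db()
    try:
        rows = lookup(conn, POC)
    except InputRejected:
        return True
    return len(rows) <= 1


def verification_round(lookup):
    """What a verification audit does: exercise the underlying flaw with
    payloads the report never mentioned. Returns True only if none of them
    escapes the intended single-row lookup."""
    conn = make_db()
    payloads = [
        POC,
        VARIANT,
        "' OR 'a'='a",
        "x' UNION SELECT id, username, role FROM users --",
    ]
    for payload in payloads:
        try:
            rows = lookup(conn, payload)
        except InputRejected:
            continue  # blocked this one; keep probing
        if len(rows) > 1:
            return False
    return True


if __name__ == "__main__":
    for name, fn in [("vulnerable", lookup_vulnerable),
                     ("partial fix", lookup_partial_fix),
                     ("parameterised", lookup_fixed)]:
        print(f"{name:14s} regression passes: {replay_report_poc(fn)!s:5s} "
              f"verification passes: {verification_round(fn)}")
```

The partial fix would close the ticket under a regression suite that only replays the report's payload, and would reappear as the same finding in Round 2 with a one-character change to the input. The parameterised version passes both checks because the input is no longer part of the statement at all.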
Round 2: The Verification Audit
After the client's engineering team completes remediation, we execute the same rigorous process again as a full 15-step verification, skipping only Application Familiarization (the architectural baseline is already established) and starting over from fresh Reconnaissance.
This isn't a quick re-check of the original findings. It's a comprehensive re-assessment that confirms fixes are robust, tests for regression vulnerabilities introduced during patching, and identifies any new attack paths created by the remediated code.
Why This Matters for Compliance
Regulatory frameworks increasingly require evidence of remediation verification. NIS2 Article 21, DORA's threat-led penetration testing (TLPT) requirements, PCI DSS Requirement 11.3 (v3.2.1 numbering; Requirement 11.4 in v4.0, which explicitly calls for repeating the test to verify corrections), and APRA CPS 234 all expect organizations to demonstrate that identified vulnerabilities have been effectively remediated. Our dual-round model produces the documentation auditors need.
The Enterprise Impact
For enterprise buyers evaluating VAPT providers: ask whether verification is included. If a provider charges extra for re-testing, or skips it entirely, you're paying for a report — not for security.