Retesting Findings
How to verify that vulnerabilities have been fixed by running targeted retests against specific findings.
What Is a Retest?
After you remediate a vulnerability, you want confirmation that the fix is effective. A retest runs a focused pentest that only targets the specific findings you select, rather than retesting the entire application.
How to Request a Retest
- Navigate to the pentest's Findings tab.
- Select one or more findings you have fixed by checking the boxes next to them.
- Click Retest Selected.
- Confirm the retest. APVISO will verify the fixes.
You can also retest a single finding by clicking the Retest button on the finding detail page.
Retest Statuses
Each retested finding receives one of the following statuses:
- in_progress — the retest is currently running.
- fixed — the vulnerability could not be reproduced. The original finding status is updated to fixed.
- not_fixed — the vulnerability is still present. The finding remains in its previous status and the retest includes updated evidence.
Retest Runtime
Retests are targeted and shorter than full pentests. In BYOK self-hosted mode, they use your runner capacity instead of runner capacity and model-provider usage.
Best Practices
- Fix all related findings before retesting to minimize the number of retest cycles.
- Make sure your fix is deployed to the same environment (URL) that was originally tested.
- If using authenticated pentesting, verify that the runner-local auth file still contains valid credentials.
- Review the retest evidence carefully — a finding marked not_fixed includes updated request/response pairs showing what the agent observed.
Retest History
Every retest is logged on the finding detail page. You can see the full history: when each retest was run, what the result was, and what evidence was captured. This history is valuable for demonstrating remediation progress during audits.