You have just received your penetration test report. It is 40 pages long, colour-coded in various shades of amber and red, and the findings list reads like a small novel. Your first instinct might be panic. Your second might be denial.
Both are understandable, but neither will help.
Here is the reality that nobody in cybersecurity likes to say out loud: most businesses cannot fix every vulnerability, and certainly not all at once.
Budgets are finite, teams are stretched, and some fixes require changes that could disrupt day-to-day operations. According to Edgescan’s 2025 Vulnerability Statistics Report, larger enterprises left 45.4% of discovered vulnerabilities unresolved within a 12-month period.
In other words, you are not alone in this, whatever the size of your business.
But not being able to fix everything is not an excuse to fix nothing. The businesses that stay secure are the ones that learn to prioritise intelligently rather than chase every finding with equal urgency.
Start With What Would Hurt the Most
Not all vulnerabilities are created equal.
A misconfigured firewall rule is not the same as an employee sharing login credentials. Yet we see businesses treat their findings list like a to-do list, working through it top-down instead of asking, “Which of these could actually bring us down?”
This is where risk-based prioritisation comes in.
The Verizon 2025 Data Breach Investigations Report found that around 60% of breaches involved exploiting known vulnerabilities where a patch was already available.
The fixes existed. The problem was that nobody got around to deploying them in time.
So, when you receive your pentest report, ask yourself three questions about each finding:
- What is the worst-case scenario if this is exploited?
- How exposed is this vulnerability to external or internal attackers?
- How quickly and affordably can we fix it?
The findings that score highly across all three should be at the top of your list. Everything else can be scheduled, monitored, or mitigated through compensating controls. If you’re not sure how to prioritise, simply ask your pentest provider.
For example, here at Fortifi, our pentest reports do much of this prioritisation work for you. We also work in a very consultative manner from beginning to end, which allows us to make informed recommendations for your business, regardless of sector.
Related Reading: Did We Pass? What Businesses Get Wrong About Penetration Testing
The Vulnerability Nobody Puts in a Spreadsheet
Here is something that, unsurprisingly, keeps coming up in our engagements: people.
We have recently worked with businesses where employees openly shared credentials via internal messaging platforms. No malicious intent, just convenience. Someone needed access to a system, a colleague pinged over the username and password, and life carried on.
Until our pentesters found those credentials sitting in plain text within message histories. From there, we were able to fully infiltrate those businesses with minimal resistance.
This is not a theoretical risk.
The Verizon 2025 DBIR found that 22% of breaches began with credential abuse, and a staggering 88% of basic web application attacks involved stolen credentials. Credentials shared over insecure channels are, for all practical purposes, stolen credentials waiting to happen.
Fixing this does not require a six-figure security overhaul. It requires a clear policy, a password manager, and a conversation with your team about why convenience cannot come at the cost of security.
Related Reading: Social Engineering Attacks: Understanding the Psychology Behind It
Compensating Controls: Your Safety Net
When you genuinely cannot fix a vulnerability straight away, compensating controls buy you time. Think of them as the security equivalent of a temporary repair: not a permanent solution, but enough to keep things safe while you plan the proper fix.
Examples include:
- Network segmentation to isolate vulnerable systems from the rest of your environment
- Enhanced monitoring and alerting around high-risk assets
- Restricting access permissions so fewer people can reach the vulnerable system
- Implementing multi-factor authentication to reduce the impact of compromised credentials
The key is documentation.
If an auditor, regulator, or client asks why a known vulnerability still exists, you need to show that you are aware of it, you have assessed the risk, and you have taken reasonable steps to reduce it.
“We are working on it” is not a compensating control. A documented mitigation plan with timescales and interim protections is.
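The two ideas above, scoring each finding on the three questions and then refusing to park anything without a documented interim control and a deadline, can be turned into a small triage script. This is an added example, not Fortifi's own tooling or report format; the 1-3 scales, the scoring weights, the bucket thresholds and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    title: str
    impact: int          # 1-3: worst case if exploited (3 = could take the business down)
    exposure: int        # 1-3: who can reach it (3 = internet-facing, no login needed)
    fixability: int      # 1-3: how quickly and cheaply it can be fixed (3 = trivial)
    patch_available: bool = False               # known vulnerability, vendor fix already out
    compensating_control: Optional[str] = None  # documented interim protection, if any
    fix_by: Optional[date] = None               # committed date for the permanent fix

def risk_score(f: Finding) -> int:
    score = f.impact * f.exposure + f.fixability  # impact x exposure dominates
    if f.patch_available:
        score += 2   # the fix already exists; only deployment is missing
    return score

def bucket(f: Finding) -> str:
    severe = f.impact * f.exposure >= 6   # would hurt, and attackers can reach it
    if severe and f.fixability >= 2:
        return "fix now"                  # high on all three questions
    if severe:
        return "mitigate"                 # too disruptive to fix at once: interim controls
    return "schedule"                     # lower risk: schedule and monitor

def triage(findings: list) -> list:
    # (bucket, title) pairs, highest risk first
    return [(bucket(f), f.title) for f in sorted(findings, key=risk_score, reverse=True)]

def undocumented_mitigations(findings: list, today: date) -> list:
    """A 'mitigate' finding needs a named control and a deadline that has not passed."""
    problems = []
    for f in findings:
        if bucket(f) != "mitigate":
            continue
        if not f.compensating_control or f.fix_by is None:
            problems.append(f"{f.title}: no documented interim control or deadline")
        elif f.fix_by < today:
            problems.append(f"{f.title}: fix deadline {f.fix_by} has passed")
    return problems

SAMPLE = [  # constructed sample register; titles and scores are illustrative only
    Finding("Credentials shared in plain text in chat history", 3, 2, 3),
    Finding("Unpatched internet-facing VPN appliance", 3, 3, 1, patch_available=True),
    Finding("Legacy ERP server with known RCE, change-frozen", 3, 2, 1,
            compensating_control="isolated VLAN, MFA-gated jump host", fix_by=date(2026, 3, 31)),
    Finding("Verbose server banner on intranet portal", 1, 2, 3),
]
```

Running `triage(SAMPLE)` puts the VPN appliance first (the patch exists, so it scores highest) but in the "mitigate" bucket, and `undocumented_mitigations` then flags it because nobody has written down what protects it in the meantime.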
Related Reading: What is Defence-in-Depth?
Retesting: Proving You Have Actually Moved Forward
Fixing vulnerabilities without retesting is like revising for an exam and never sitting it. You might feel more prepared, but you have no proof.
Retesting after remediation confirms that your fixes actually work and that you have not introduced new issues in the process.
It also provides evidence of progress, something that matters enormously when you are reporting to leadership, satisfying compliance requirements, or demonstrating due diligence to clients.
Enterprises currently remediate only around 16% of vulnerabilities per month on average. At that pace, continuous improvement is the only realistic strategy, and retesting is what makes that improvement measurable.
Related Reading: The Importance of Retesting After Fixing Cybersecurity Vulnerabilities
Stop Chasing Perfection and Start Building Resilience
The goal of a penetration test was never to produce a report with zero findings. If that is your measure of success, you will always be disappointed.
The goal is to understand where your real risks are, address the ones that matter most, and build a security posture that improves with every test cycle.
Businesses that treat cybersecurity as a pass/fail exercise tend to test once, panic, patch a few things, and then avoid testing again for as long as possible.
Businesses that treat it as an ongoing process, testing regularly, prioritising ruthlessly, and retesting to verify, are the ones that actually become harder to attack over time.
Around 32% of identified vulnerabilities remain unpatched for more than 180 days, significantly increasing the window for exploitation. Regular testing and structured remediation planning are how you close that window, even if you cannot close every single one at once.
Related Reading: What is the Pentest Trap? How Routine Testing Creates False Security
What to Do Next
If your last pentest left you with a findings list that feels overwhelming, that is not a failure. It is a starting point.
Prioritise the critical risks, put compensating controls in place for what you cannot fix immediately, and schedule retesting to track your progress.
And if your team is sharing credentials over messaging platforms, stop that today. Seriously. It took our pentesters less effort than you would believe to turn that one habit into full network access.
At Fortifi, we do not just hand you a report and wish you luck.
We work with you to understand what needs fixing first, what can wait, and how to build a remediation plan that actually fits your business. Whether you need a pentest, a retest, or just an honest conversation about where you stand, get in touch.