Vulnerability Management: Retesting & Verification

A finding marked "fixed" in a ticket is not the same as a vulnerability proven gone — and that gap is where risk quietly survives. This is the remediation lifecycle done right: triage and SLAs, the four paths a finding can take, and the step most teams skip — retesting. We cover reproducing the original PoC, proving a fix holds against variants and bypasses (not just the exact payload), regression, disciplined risk acceptance, and the metrics that show risk actually going down.
