Post-VAPT Remediation: What Singapore Businesses Should Do After a Penetration Test Report

A VAPT report landing in your inbox is not the finish line — it is the starting gun. Most Singapore organisations commission penetration tests and then struggle to translate findings into actual risk reduction. Here is how to do it right.

The Remediation Gap Most Singapore Organisations Have

Every year, Singapore businesses spend significant budget on Vulnerability Assessment and Penetration Testing (VAPT). The CREST-accredited testers deliver their report. Leadership reviews the executive summary. And then — in too many cases — the findings sit in a folder while operations continue largely unchanged.

This pattern is more common than most IT managers would admit. The report identified 47 findings. Critical items are patched quickly. Medium and low findings get deprioritised. Six months later, the next VAPT cycle starts — and the same medium-severity findings reappear. The organisation has spent money to identify risk but has not systematically reduced it.

For Singapore businesses subject to MAS Technology Risk Management (TRM) guidelines, ISO 27001, or CSA certification requirements, this gap is not just a security problem. It is a compliance problem. MAS examiners, ISO 27001 auditors, and CSA assessors all expect evidence that VAPT findings are tracked, remediated, and closed — not just documented.

  • 60% of repeat VAPT findings were identified in the prior cycle but not fully remediated
  • 30 days: MAS TRM maximum SLA for critical finding remediation in regulated firms
  • A.8.8: ISO 27001:2022 control requiring technical vulnerability management evidence
  • Higher breach likelihood when medium-severity VAPT findings go unresolved beyond 90 days

Reading Your VAPT Report Correctly

Before remediating anything, your team needs to understand what the report is actually telling you — and what it is not. Penetration test reports vary significantly in quality and structure, but most contain findings rated by severity (Critical, High, Medium, Low, Informational) along with a description of the vulnerability, the attack path the tester used, evidence of exploitation, and recommended remediation steps.

Severity ratings are not the same as business risk

A finding rated Critical by the testing methodology may have limited impact in your specific environment — and a finding rated Medium may represent an existential risk depending on what data it exposes. Before building your remediation plan, map each finding against your business context:

  • What data or systems are exposed? A critical RCE vulnerability on a development server with no production data is very different from the same vulnerability on a server handling customer payment data.
  • Is the attack path realistic? Some findings require an attacker to already be inside your network. Understand which findings represent external threats versus insider threats versus post-breach escalation paths.
  • What is the regulatory significance? Under PDPA, MAS TRM, or ISO 27001, some vulnerabilities have mandatory remediation timelines regardless of your internal risk assessment.

Ask your tester the right questions

A quality VAPT provider should be willing to walk your team through the findings in a debrief session. Use this opportunity to understand which findings the tester considers most dangerous in practice, what chained attack paths exist (where two medium-severity findings combine into a critical exploit chain), and whether compensating controls you have in place mitigate any findings. If your tester is not willing to have this conversation, that is a sign you should reconsider your VAPT provider.

Building a Structured Remediation Plan

Once you understand the findings, translate them into a tracked remediation plan. This should not be a spreadsheet that lives on one person's laptop — it needs to be a governed document with ownership, deadlines, and status tracking that can be reviewed by management and presented to auditors.

Step 1 — Triage and prioritise

Sort findings into three buckets based on risk-adjusted priority:

  • Immediate (0–14 days): Critical and High findings with external exposure or direct path to sensitive data. These should be treated as active incidents until resolved.
  • Near-term (15–60 days): High and Medium findings, especially those in the MAS TRM critical-patch SLA window, or those representing chained attack paths identified in the pentest.
  • Planned (61–90 days): Medium and Low findings that require configuration changes, architectural work, or software updates that need change management planning.

Informational findings typically represent hardening opportunities rather than exploitable vulnerabilities. Schedule these as part of your ongoing security improvement programme rather than treating them as urgent items.

Step 2 — Assign ownership

Every finding needs a named owner — a specific person responsible for remediation, not a team or department. Without individual ownership, remediation items fall through the cracks when teams are busy. Assign findings to the system owner for infrastructure issues, the application team for code-level vulnerabilities, and the IT security function for configuration or policy gaps.

Step 3 — Handle exceptions properly

Some findings will be genuinely difficult or impossible to remediate within your preferred timeline. Production systems may not be patchable without downtime. Legacy applications may require vendor coordination. Third-party dependencies may not have patches available yet. For these findings, you need a formal risk acceptance or exception process:

  • Document the finding, the remediation barrier, and the compensating controls in place
  • Get sign-off from a named risk owner (typically a business owner or senior IT manager)
  • Set a review date — exceptions should not be permanent unless the risk is genuinely accepted at board level
  • Under MAS TRM, exceptions to the defined patch SLAs must be documented with management approval and reported to senior management

ISO 27001 note: ISO 27001 auditors will look for evidence that your risk treatment decisions are documented and approved. An undocumented finding that has not been remediated will be treated as a non-conformity. A documented exception with compensating controls and management sign-off is a recognised risk treatment approach that auditors will accept.

Verification: Closing the Loop

Remediation without verification is guesswork. The most common error Singapore IT teams make after receiving a VAPT report is marking a finding as "resolved" after applying a fix — without testing whether the fix actually works. Vulnerabilities are frequently re-introduced by configuration drift, failed patches, or partial fixes that address the symptom but not the root cause.

Retest critical and high findings

For Critical and High severity findings, always arrange a targeted retest with your VAPT provider once remediation is complete. This does not need to be a full engagement — a targeted retest of specific findings is typically a fraction of the original VAPT cost and provides confirmation that the vulnerability is genuinely closed. For MAS-regulated firms, evidence of retest results is exactly the kind of documentation examiners want to see.

Internal verification for lower-severity items

For Medium and Low findings, your internal team can often verify remediation through configuration review, authenticated vulnerability scanning, or functional testing. Document what you checked and what evidence you reviewed. "We applied the patch" is not verification. "We applied the patch on 15 March, confirmed the service version via authenticated scan on 16 March, and attached the scan output as evidence" is verification.

Track re-emergence

Configure your vulnerability management tooling to alert if previously closed findings reappear. Configuration drift, system rebuilds, and software updates frequently re-introduce vulnerabilities. A finding that was genuinely closed in March should not silently return in June without someone noticing.

Reporting Progress to Management

Effective remediation requires management visibility. Boards and senior leadership in Singapore increasingly expect to receive regular updates on cybersecurity posture — and VAPT remediation progress is one of the clearest ways to demonstrate that security investment is translating into actual risk reduction.

Build a simple dashboard or report that tracks:

  • Finding closure rate: What percentage of findings from the most recent VAPT are closed, in-progress, or accepted as exceptions? Trend this over time.
  • SLA compliance: For Critical and High findings, are you meeting your defined remediation SLAs? Report the rate and any breaches with explanations.
  • Repeat finding rate: What percentage of findings in the current cycle were also present in the previous cycle? A rising repeat rate is a systemic problem indicator.
  • Exception count and age: How many accepted exceptions are outstanding? Are any approaching their review dates?

This is the kind of metric reporting that MAS examiners will ask for during technology risk reviews. Having it ready demonstrates maturity. Not having it raises questions about whether your organisation is genuinely managing the risk identified by its own VAPT programme.
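As an added illustration (not code from this article or from Infinite Cybersecurity), the Python below implements the Step 1 triage buckets and the four dashboard metrics listed above over a constructed set of findings, and the repeat-finding match doubles as the re-emergence check from the verification section. The finding IDs, hostnames, dates and status values are constructed sample data, and the exact rule for High findings without external exposure or a sensitive-data path (placed in Near-term) is an assumed reading of the buckets.

```python
"""Post-VAPT remediation tracker: Step 1 triage buckets plus the four
management metrics, run over constructed sample findings.
Added illustration, not a tool from the article or its authors."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days from the report date, from the three buckets
# (Immediate 0-14, Near-term 15-60, Planned 61-90).
BUCKET_DAYS = {"Immediate": 14, "Near-term": 60, "Planned": 90}


@dataclass
class Finding:
    fid: str                                 # tester's reference (constructed)
    title: str                               # used for repeat matching
    asset: str                               # affected system (constructed name)
    severity: str                            # Critical/High/Medium/Low/Informational
    external: bool = False                   # reachable from the internet
    sensitive_data: bool = False             # direct path to customer/regulated data
    chained: bool = False                    # part of an attack chain the tester noted
    status: str = "open"                     # open / in-progress / closed / exception
    closed_on: Optional[date] = None         # set when status == "closed"
    exception_review: Optional[date] = None  # review date for accepted exceptions


def triage(f: Finding) -> Optional[str]:
    """Bucket a finding by the Step 1 rules. Assumed reading: High findings
    without exposure and chained Mediums go Near-term, the rest Planned.
    Informational findings are not tracked (returns None)."""
    if f.severity == "Informational":
        return None
    if f.severity in ("Critical", "High") and (f.external or f.sensitive_data):
        return "Immediate"
    if f.severity == "High" or (f.severity == "Medium" and f.chained):
        return "Near-term"
    return "Planned"


def due_date(f: Finding, report_date: date) -> Optional[date]:
    bucket = triage(f)
    return None if bucket is None else report_date + timedelta(days=BUCKET_DAYS[bucket])


def closure_rate(findings) -> dict:
    """Percentage of tracked (non-Informational) findings in each status."""
    tracked = [f for f in findings if triage(f) is not None]
    counts = {"closed": 0, "in-progress": 0, "open": 0, "exception": 0}
    for f in tracked:
        counts[f.status] += 1
    return {k: round(100 * v / len(tracked), 1) for k, v in counts.items()}


def sla_breaches(findings, report_date: date, today: date) -> list:
    """Critical/High findings closed after their due date, or still open past it.
    Accepted exceptions are excluded here and surfaced by exception_aging."""
    breached = []
    for f in findings:
        if f.severity not in ("Critical", "High") or f.status == "exception":
            continue
        finished = f.closed_on if f.status == "closed" else today
        if finished > due_date(f, report_date):
            breached.append(f.fid)
    return breached


def repeat_rate(current, previous):
    """Share of current-cycle findings also present last cycle, matched on
    (title, asset); the matched list is also the re-emergence alert."""
    seen = {(f.title, f.asset) for f in previous}
    repeats = [f.fid for f in current if (f.title, f.asset) in seen]
    return round(100 * len(repeats) / len(current), 1), repeats


def exception_aging(findings, today: date, warn_days: int = 30) -> list:
    """(fid, days until review) for exceptions overdue or due within warn_days."""
    return [(f.fid, (f.exception_review - today).days) for f in findings
            if f.status == "exception" and (f.exception_review - today).days <= warn_days]


# Constructed sample data: two VAPT cycles for a fictional organisation.
REPORT_DATE, TODAY = date(2025, 3, 1), date(2025, 4, 15)
PREVIOUS_CYCLE = [
    Finding("P-07", "Weak authentication on internal service", "intranet-svc", "Medium"),
    Finding("P-12", "Missing security headers", "web-app", "Low"),
]
FINDINGS = [
    Finding("F-01", "SQL injection in login form", "web-app", "Critical", external=True,
            sensitive_data=True, status="closed", closed_on=date(2025, 3, 10)),
    Finding("F-02", "Outdated TLS configuration", "web-app", "High", external=True,
            status="in-progress"),
    Finding("F-03", "Weak authentication on internal service", "intranet-svc", "Medium",
            chained=True),
    Finding("F-04", "Unpatched legacy application", "legacy-erp", "High",
            status="exception", exception_review=date(2025, 5, 1)),
    Finding("F-05", "Verbose server banner", "web-app", "Informational"),
    Finding("F-06", "Missing security headers", "web-app", "Low"),
]


def build_report(findings=FINDINGS, previous=PREVIOUS_CYCLE,
                 report_date=REPORT_DATE, today=TODAY) -> dict:
    """The four management metrics in one dictionary."""
    rate, repeats = repeat_rate(findings, previous)
    return {"closure_rate": closure_rate(findings),
            "sla_breaches": sla_breaches(findings, report_date, today),
            "repeat_rate": rate, "repeat_findings": repeats,
            "exceptions_due": exception_aging(findings, today)}


if __name__ == "__main__":
    for f in FINDINGS:
        print(f.fid, triage(f), due_date(f, REPORT_DATE))
    print(build_report())
```

On the sample data the report flags F-02 as an SLA breach (an Immediate-bucket High finding still in progress a month past its 14-day window), shows F-03 and F-06 as repeats of last cycle's P-07 and P-12, and lists F-04's exception as due for review in 16 days; in practice the matching key and bucket rules would come from your own tracking tool rather than this script.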

Making Remediation a Standing Capability

The most security-mature Singapore organisations treat VAPT remediation not as a one-off project after each test, but as an ongoing operational capability. This means integrating VAPT findings into your existing vulnerability management programme, aligning remediation SLAs with your patch management policy, and treating VAPT findings as one input source alongside continuous vulnerability scanning.

It also means thinking about root causes, not just symptoms. If the same category of finding appears across multiple VAPT cycles — injection vulnerabilities in web applications, weak authentication on internal services, misconfigured network segmentation — those are indicators of systemic gaps in development practices, architecture, or operational process. Fix the root cause once, rather than remediating individual instances repeatedly.

CSA Cyber Trust Mark: Organisations pursuing the Cyber Trust Mark are assessed on their security operations maturity, which includes evidence of structured vulnerability remediation. Assessors will look for documented processes, tracked remediation records, and evidence of verification — not just VAPT reports sitting in a folder.

How Infinite Cybersecurity Helps Singapore Businesses

Commissioning a VAPT is straightforward. Building the operational capability to remediate findings systematically — while meeting MAS TRM deadlines, satisfying ISO 27001 auditors, and actually reducing risk — is where most organisations need support.

Infinite Cybersecurity provides end-to-end VAPT and remediation support for Singapore businesses:

  • CREST-certified VAPT: Network, web application, API, and mobile application penetration testing conducted by certified testers, with clear, actionable reports structured for both technical teams and management.
  • Remediation advisory: Post-VAPT workshops to walk your team through findings, prioritise by business risk, and build a remediation plan aligned to your regulatory obligations and internal SLAs.
  • Retest and verification: Targeted retesting of remediated findings to provide documented confirmation that vulnerabilities are genuinely closed — with evidence suitable for MAS examiners and ISO 27001 auditors.
  • Remediation tracking support: Where teams lack the bandwidth or tooling, we help build and operate the tracking framework that keeps remediation moving and provides management-ready reporting.
  • Compliance alignment: Mapping your VAPT findings and remediation evidence to MAS TRM, ISO 27001, CSA Cyber Trust Mark, and Cyber Essentials Mark requirements so your security work feeds directly into your compliance posture.

Turn your VAPT report into real risk reduction

Our CREST-certified team helps Singapore businesses remediate penetration test findings systematically — with the tracking, verification, and compliance documentation that auditors and regulators expect. Whether you need post-VAPT advisory or a full managed remediation programme, we can help.
