Requesting a Retest

After your development team has fixed a security finding, you can request a retest through the portal. A retest means the Catchify team will verify that the fix actually resolves the vulnerability -- giving you confidence that the issue is truly closed.

Why Retesting Matters

Fixing a vulnerability is only half the job. Without verification, you cannot be sure that:

  • The fix fully addresses the root cause (not just the symptom)

  • The fix did not accidentally introduce a new vulnerability

  • The finding can be officially marked as resolved

Retesting turns a "we think it is fixed" into a "we know it is fixed."

Retests are performed by the same Catchify researchers who identified the original finding, so they know exactly what to look for.

How to Request a Retest

  1. Navigate to the finding you have fixed (through Projects or Findings in the main menu)

  2. Open the finding detail page

  3. Change the finding status to Fixed if you have not already

  4. Click the Request Retest button

  [Figure: Finding detail page showing the Request Retest button. Click Request Retest after your team has applied the fix.]

  5. Add a brief note describing what was changed (optional but recommended -- this helps the Catchify team verify efficiently)

  6. Click Submit

What Happens After You Request a Retest

Once you submit a retest request, here is what to expect:

| Step | What Happens | Typical Timeframe |
| --- | --- | --- |
| Request received | The Catchify team is notified and the finding status changes to Retest Requested | Immediate |
| Retest in progress | A security researcher verifies the fix using the original reproduction steps | 1-3 business days |
| Result: Pass | The fix is confirmed. The finding status changes to Verified. | -- |
| Result: Fail | The vulnerability is still present or partially fixed. The finding returns to Open with a comment explaining what was found. | -- |

If the Retest Fails

If the Catchify team finds that the vulnerability is still exploitable after your fix, they will:

  • Add a detailed comment to the finding explaining why the retest failed

  • Include updated reproduction steps if the behavior has changed

  • Set the finding back to Open

You can then review the feedback, apply a revised fix, and request another retest.

Retest Tips

  • Fix one issue at a time -- Request retests for individual findings rather than batching many together. This makes it easier to track what passed and what did not.

  • Test internally first -- Before requesting a retest, have your own team verify the fix using the reproduction steps in the finding.

  • Include details -- The more information you provide about your fix, the faster the retest can be completed.

  • Keep access available -- Make sure the Catchify team still has the necessary access to retest. If credentials or VPN access have changed, update them before requesting the retest.

Retest Turnaround

Retests are typically completed within 1-3 business days of the request. If your engagement includes an SLA with specific retest turnaround times, those commitments apply.

If you need an expedited retest for a critical finding, contact your account manager and the Catchify team will prioritize it.
