Writing a retest report

Overview

A retest folder will be located in the project root folder, with the data and report folders.

The folder is preloaded with all of the files you will need.

Having the retest folder separate allows the original report files to remain unmodified.

Update the config file

Update the config file as normal.

Copy over the vulnerabilities

The first step is to copy the vulnerability subfolders (internal, web application, etc.) into the vulnerability folder located in the retest folder. This is the only thing that needs to be copied from the original report folder.

Automation

There is an automation script that removes the manual steps in the sections below, so you can skip them if you use the script.

  • Adding updates to the retest vulnerabilities
  • Adding additional notes to vulnerabilities

The script will add the updates section to the top of the write up, as well as remove the old sections and add the new Retesting Notes section.

The script, called retesting_preperation.py, is located in the folder.

To run it:

python retesting_preperation.py

Updating the report overview

Update the retest_overview.typ with the overview of the test.

Excluding tests from the report

To exclude a test from the retest report (a common one is internal penetration tests), open the retest.typ file and edit the code below, which will be near the top.

// Set excluded sections for Retest report
// Vulns won't appear BUT will consume numbering to ensure they match the original report
#let excluded_sections = ( 
    "internal",
    "wireless", 
    "mobile application"
    )

This will maintain the vulnerability numbers from the original report.

Adding updates section to the retest vulnerabilities (Skip if using Automation)

Each vulnerability in the report will need to have an update section added just below the title and risk rating. This section will update the risk rating table as well as add notes to the Retesting Results table in the overview section.

Copy the below into the finding:

///! updates = [
///!    { date = "2023-06-06", notes = "", status = "", force_display = false, impact = "", likelihood = ""},
///! ]

date: The date the updates were made

notes: The notes that appear in the Retesting Results table

status: The current status, either Open or Closed. Partially closed vulnerabilities are marked as Open; make sure to add notes on why. Closed vulnerabilities will not appear in the Detailed Vulnerabilities section.

force_display: When set to true, this makes a closed vulnerability appear in the Detailed Vulnerabilities section, in case you want to provide more clarification on why the vulnerability is considered closed. This variable is only required if it needs updating.

impact: Updates the vulnerability impact, in case the vulnerability has been reclassified. Always include information on why it was reclassified. This variable is only required if it needs updating.

likelihood: Updates the vulnerability likelihood, in case the vulnerability has been reclassified. Always include information on why it was reclassified. This variable is only required if it needs updating.

Updating the updates section of the retest vulnerabilities

Update all of the required variables in the update section for each vulnerability.

Here is an example of a completed section:

///! updates = [
///!    { date = "2023-06-06", notes = "The system was updated to the latest version.", status = "Closed", force_display = true, impact = "Moderate", likelihood = "Possible" },
///! ]

Adding additional notes section to vulnerabilities (Skip if using Automation)

The old sections below need to be removed from the vulnerability write up (the only thing you need to keep is the vulnerability title and risk rating at the top).

=== Risk assessment
=== Description
=== Recommendations

Add the new section below, and provide all the information and screenshots in here.

=== Retesting Notes

Adding retesting updates to vulnerabilities

Add updates to the updates and Retesting Notes sections.
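
A pre-build check for a finding copied from the original report, written as an added example (it is not one of the project's scripts). It applies the rules described above: status is Open or Closed, a reclassified impact or likelihood comes with notes, the old sections are gone and Retesting Notes is present. The function names are hypothetical, and it assumes one update entry per ///! line with dates written as YYYY-MM-DD, as in the samples.

```python
import re
from datetime import date

# Assumption: each update entry sits on a single "///!" line, as in the samples above.
ENTRY = re.compile(r'^///!\s*\{(.*)\}\s*,?\s*$')
PAIR = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|true|false)')
OLD_SECTIONS = ("=== Risk assessment", "=== Description", "=== Recommendations")

# Constructed sample: reclassified with empty notes, and an old section left in.
SAMPLE = '''///! updates = [
///!    { date = "2023-06-06", notes = "", status = "Closed", impact = "Moderate" },
///! ]
=== Description
'''


def parse_updates(text):
    """Return the update entries of one finding as a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append({k: (v == "true") if v in ("true", "false") else v[1:-1]
                            for k, v in PAIR.findall(m.group(1))})
    return entries


def lint_finding(text):
    """Return a list of problems found in a copied retest finding."""
    problems = []
    entries = parse_updates(text)
    if not entries:
        problems.append("no updates entry")
    for e in entries:
        try:
            date.fromisoformat(e.get("date", ""))
        except ValueError:
            problems.append("date is not YYYY-MM-DD")
        if e.get("status") not in ("Open", "Closed"):
            problems.append("status must be Open or Closed")
        if (e.get("impact") or e.get("likelihood")) and not e.get("notes"):
            problems.append("reclassified without notes explaining why")
    headings = [l.strip() for l in text.splitlines() if l.strip().startswith("===")]
    problems += [f"old section left in: {h}" for h in headings if h in OLD_SECTIONS]
    if "=== Retesting Notes" not in headings:
        problems.append("missing === Retesting Notes section")
    return problems
```

New vulnerabilities keep their normal write up, so the section checks here only apply to findings copied from the original report.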

New vulnerabilities

If a newly identified vulnerability is found in the retest, it needs to be added to the report for the client to action. There is a folder called New in the vulnerabilities folder.

If there are no new vulnerabilities, delete this folder.

If there are new vulnerabilities, then add a vulnerability write up as normal, but with the retesting header added, like below:

///! updates = [
///!    { date = "2025-10-28", notes = "New", status = "Open"},
///! ]

Building the report

The retest report is built using the normal commands:

python3 generatemeta.py && typst watch retest.typ