CIS Controls 18.4: Validate Security Measures After Penetration Testing
Penetration testing reveals vulnerabilities, but validation ensures your defenses actually improve. CIS Control 18.4 requires you to validate security measures following each pentest and refine your detection capabilities based on discovered techniques. Without this critical step, you're missing the chance to close real gaps in your security posture.
What this means
After conducting penetration testing, you must systematically validate that your security controls are working as intended against the techniques attackers used during the test. This goes beyond just documenting findings—it means actively testing your detection rules, firewall rulesets, IDS/IPS signatures, and other security tools to confirm they can identify the attack methods your pentesters demonstrated. If your security tools fail to detect these techniques, you must modify and enhance them until they do.
How to comply
- 1.Schedule a validation review meeting within 2 weeks of pentest completion with security, IT, and relevant stakeholders
- 2.Map each pentest finding to your existing detection rules, alerts, and security controls
- 3.Test your detection capabilities against the specific techniques, malware, and attack paths documented in the pentest report
- 4.Identify gaps where your tools and rulesets failed to detect or prevent the demonstrated attacks
- 5.Update IDS/IPS signatures, firewall rules, EDR configurations, and SIEM detection logic to cover identified gaps
- 6.Conduct validation testing on updated controls to confirm they now detect the attack techniques
- 7.Document all changes, test results, and evidence of remediation in your compliance records
- 8.Schedule follow-up validation for the next 30-60 days to ensure updates remain effective
Evidence auditors look for
- Pentest report cross-referenced with dated security control modifications
- Updated firewall rulesets with change logs and implementation dates
- IDS/IPS signature updates reflecting pentest attack vectors
- SIEM rule changes or new detection logic with testing evidence
- EDR/antivirus definition updates deployed post-pentest
- Validation test results showing detection of pentest techniques
- Meeting minutes documenting control validation decisions
- Remediation tracking spreadsheet linking findings to control updates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch's control tracking module automatically captures your pentest findings and flags validation deadlines, then maintains an auditable record of all control modifications and validation tests—eliminating manual follow-up and ensuring no post-pentest remediation gaps slip through.
See how GRCWatch handles this control automatically
Start free trial