Overview
A large global retail organization shared a previously completed penetration test report as part of an initial engagement.
Rather than conducting a new baseline test, the report was used as a starting point for continuous assessment.
This case highlights how quickly risk can evolve, particularly in fast-moving retail environments where applications are constantly exposed and targeted.
The Challenge
The original penetration test report identified:
- Outdated JavaScript library
- Two associated vulnerabilities (CVEs)
- Highest severity rating: CVSS 6.5 (Medium)
At the time, this was not considered a critical issue.
The Approach
As part of a Targeted Continuous Testing programme, Rootshell:
- Reassessed previously identified vulnerabilities
- Monitored for newly disclosed CVEs
- Evaluated changes in exploitability
What We Discovered
During reassessment:
- Two new CVEs had been disclosed
- One original vulnerability escalated to CVSS 9.8 (Critical)
- The overall risk profile increased significantly
Key Insight
The application itself had not changed.
The risk around it had, and that change would have gone unnoticed without continuous reassessment.
This is exactly the gap Rootshell’s approach is designed to close.
Traditional penetration testing provides a snapshot.
Rootshell combines Continuous Testing with Velma (Vulnerability Enhanced Learning Machine) to continuously reassess that snapshot over time.
Velma monitors:
- Newly disclosed CVEs
- Changes in vulnerability severity
- Real-world exploit activity
- How vulnerabilities are being used in active attack paths
At the same time, continuous testing ensures previously identified issues are not treated as “closed topics,” but are actively re-evaluated as the threat landscape evolves.
What This Means in Practice
In this case:
- A previously identified issue was reassessed, not ignored
- Velma identified newly disclosed vulnerabilities linked to the same component
- Changes in severity and exploitability were surfaced as they happened, not months later
The Outcome
By continuously reassessing risk, Rootshell enabled:
- Visibility into newly disclosed vulnerabilities
- Identification of increased severity
- More accurate prioritization
Want to see how your existing findings may have evolved?
Send us your latest penetration test report – we’ll show you what’s changed.

