
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog

Most organizations engage penetration testing firms to provide an independent view of their security posture. The expectation is clear: identify real risks, validate exposure, and provide an objective assessment.
However, in many cases, the same vendors also offer remediation services.
This raises an important question: should the team identifying the problems also be responsible for fixing them?
For many buyers, this is not immediately recognized as a conflict-of-interest issue. It often only becomes clear when the dynamic is explicitly named.
Penetration testing is most valuable when it is independent. Its role is to provide an unbiased evaluation of security controls and real-world risk.
When remediation is tied to testing, that independence can become blurred.
The issue is intent, not structure: if a firm benefits from the volume or severity of findings, there is an inherent tension between:
Identifying risk accurately
Creating downstream remediation opportunities
Even when remediation is delivered through a “partner,” the relationship can introduce complexity. Incentives may not be fully aligned with the client’s best interests.
This is where things can become difficult to evaluate from the outside.
In the market, this often shows up in a few ways: testing engagements generate large volumes of findings that require significant effort to address. Organizations are then directed toward internal or partner remediation services.
In some cases, findings may lack prioritization or clear validation, increasing reliance on the same vendor to interpret and fix them.
In others, the separation between testing and remediation exists on paper, but not in practice. Commercial relationships and referral structures can still influence outcomes.
Effective prioritization requires understanding how vulnerabilities connect.
This includes:
Misconfigurations across systems
Application logic flaws
Lateral movement opportunities
Without this context, remediation efforts often focus on:
Severity scores (such as CVSS)
Individual vulnerabilities in isolation
This does not reflect how attackers operate.
When testing is independent, there is a stronger incentive to map end-to-end attack paths, rather than generate isolated issues that require further interpretation.
Most buyers evaluate penetration testing vendors based on:
Brand
Methodology
Cost
Or speed
Fewer evaluate how the vendor is structured commercially.
As a result, the conflict-of-interest dynamic is often overlooked.
This creates risk. Organizations may:
Over-invest in remediation that is not tied to real attacker pathways
Struggle to prioritize what actually matters
Rely on the same vendor for both problem identification and resolution
The outcome is not necessarily better security. It is often more activity without clear risk reduction.
A more principled model separates validation from remediation.
The role of a penetration testing firm should be to:
Identify and validate real-world risk
Focus on attacker-relevant pathways
Provide clarity on what matters most
Not to sell the fix.
This removes ambiguity and aligns incentives with the client’s outcomes.
At Packetlabs, this separation is intentional.
We do not bundle remediation services or route clients toward partner fixes. Our focus is on delivering validated findings and helping organizations understand where risk truly exists.
That independence allows security leaders to make decisions based on evidence, not vendor alignment.
This is ultimately a question of trust and alignment.
Security leaders are accountable for demonstrating that risk is understood, prioritized, and reduced.
That requires confidence that:
Findings are accurate and not inflated
Prioritization reflects real-world impact
Recommendations are not influenced by downstream services
When testing and remediation are tightly coupled, that confidence becomes harder to establish.
Independence is a practical requirement for credible assurance.
Not all vulnerabilities deserve equal attention. Effective remediation starts with focusing on attack paths, not isolated issues.
Critical and high-severity findings typically represent:
Direct paths to remote code execution or domain-level compromise
Weak authentication or authorization controls
Misconfigurations enabling privilege escalation or lateral movement
Exposure of sensitive systems or credentials
Lower-severity findings are often not dangerous in isolation but become meaningful when combined with higher-risk weaknesses. These issues should be addressed strategically, not ignored, as they frequently serve as supporting steps in multi-stage attacks.
Severity ratings are derived from:
Ease of exploitation
Required access level
Availability of public exploits or known adversary techniques
Business and operational impact if abused
By advising on the highest-risk findings first, Packetlabs helps organizations rapidly reduce their overall exposure without attempting to remediate everything simultaneously.
Evaluate whether your testing vendor also benefits from remediation work
Ask how findings are validated and prioritized
Understand any partner relationships tied to remediation
Ensure decisions are based on risk instead of vendor structure
Penetration testing is most effective when it operates without competing incentives.
The question is not whether remediation is necessary. It is whether the same entity should control both sides of the equation.