diff --git a/PROJECT.md b/PROJECT.md index 78badf0..5720bcb 100644 --- a/PROJECT.md +++ b/PROJECT.md @@ -151,6 +151,6 @@ A self-hosted pastebin API that: │ Public certificate registration │ Complete │ CLI register command │ Complete │ systemd deployment │ Complete (security-hardened) -│ Test suite │ 291 tests passing +│ Test suite │ 301 tests passing └─────────────────────────────────┴────────────────────────────────────────────┘ ``` diff --git a/ROADMAP.md b/ROADMAP.md index 70243c0..0229b51 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -29,7 +29,8 @@ FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse pr - CLI with list, search, update, export commands - Public certificate registration (PoW-protected) - CLI register command for certificate enrollment -- Comprehensive test suite (284 tests) +- Comprehensive test suite (301 tests) +- Complete security pentest remediation (15 items) - PKI audit logging (certificate lifecycle events) - Request duration metrics (Prometheus histogram) - Memory leak detection in CI pipeline @@ -48,7 +49,7 @@ Focus: Production readiness and operational excellence. │ 4 │ Proxy trust validation │ Done │ 5 │ Proof-of-work spam prevention │ Done │ 6 │ Entropy enforcement │ Done -│ 7 │ Test coverage > 90% │ Done (283 tests) +│ 7 │ Test coverage > 90% │ Done (301 tests) │ 8 │ Documentation complete │ Done └───┴─────────────────────────────────┴────────────────────────────────────┘ ``` @@ -188,6 +189,7 @@ These features will not be implemented: | 2024-12 | Memory leak CI job | tracemalloc-based leak detection in CI | 2024-12 | systemd service unit | Security-hardened deployment example | 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses +| 2024-12 | Pentest remediation complete | 15 security hardening items from formal review ## Review Schedule diff --git a/SECURITY.md b/SECURITY.md index 85ff1bb..9e68872 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -215,10 +215,8 @@ FLASKPASTE_POW_SECRET="$(openssl rand -hex 32)" ## Known Limitations -1. **No rate limiting per IP** - Delegated to reverse proxy -2. **No user accounts** - PKI handles identity -3. **No audit log** - Standard request logging only -4. **Single-node only** - SQLite limits horizontal scaling +1. **No user accounts** - PKI handles identity +2. **Single-node only** - SQLite limits horizontal scaling ## Reporting Vulnerabilities @@ -260,6 +258,8 @@ Security fixes are released as soon as possible. Subscribe to repository release | Version | Security Changes | |---------|------------------| +| 1.5.0 | Pentest remediation (15 items): timing attack prevention, serial collision detection, lookup rate limiting, content hash locking, anti-flood memory limits, CLI path validation, SSL hostname verification, config permission checks | +| 1.4.0 | Anti-flood dynamic PoW, IP-based rate limiting, audit logging | | 1.2.0 | Password protection with PBKDF2, code modernization | | 1.1.0 | E2E encryption, entropy enforcement, burn-after-read | | 1.0.0 | Initial release with core security features | diff --git a/TASKLIST.md b/TASKLIST.md index 3eedafc..32a5d09 100644 --- a/TASKLIST.md +++ b/TASKLIST.md @@ -28,6 +28,12 @@ Prioritized, actionable tasks. Each task is small and completable in one session | Date | Task |------------|-------------------------------------------------------------- +| 2024-12 | Complete pentest remediation (CRYPTO-001, TIMING-001) +| 2024-12 | Complete pentest remediation (HASH-001, ENUM-001) +| 2024-12 | Complete pentest remediation (FLOOD-001, CLI-002, CLI-003, AUDIT-001) +| 2024-12 | Complete pentest remediation (RATE-001, RATE-002, CLI-001) +| 2024-12 | Complete pentest remediation (PROXY-001, BURN-001) +| 2024-12 | Create comprehensive penetration testing plan | 2024-12 | Add systemd service unit example | 2024-12 | Add rate limit headers (X-RateLimit-*) | 2024-12 | Integrate PKI audit logging (CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE) 
diff --git a/TODO.md b/TODO.md index c72bbc2..10d40c4 100644 --- a/TODO.md +++ b/TODO.md @@ -17,6 +17,7 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r ## Observations +- Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented - PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation) - SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False) - Revoked certificates are soft-deleted (status tracked, not removed)
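Review bot: The three files disagreed on the test count before this change (291 in PROJECT.md, 284 in ROADMAP.md's summary, 283 in ROADMAP.md's status table), which shows the figure is hand-maintained and drifts; the hunks in PROJECT.md (`@@ -151,6 +151,6 @@`) and ROADMAP.md (`@@ -29,7 +29,8 @@`, `@@ -48,7 +49,7 @@`) all set it to 301 now, but consider keeping the number in one place (or replacing it with a CI-generated badge) so the next test addition does not reintroduce the mismatch.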
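Review bot: The remediation count is inconsistent across the patch: the ROADMAP.md hunks (`+- Complete security pentest remediation (15 items)`, `+| 2024-12 | Pentest remediation complete | 15 security hardening items from formal review`) and the SECURITY.md 1.5.0 row all say 15 items, while the TASKLIST.md hunk (`@@ -28,6 +28,12 @@`) enumerates 13 finding IDs (CRYPTO-001, TIMING-001, HASH-001, ENUM-001, FLOOD-001, CLI-002, CLI-003, AUDIT-001, RATE-001, RATE-002, CLI-001, PROXY-001, BURN-001). Either two IDs are missing from the task list or the "15" is stale; reconcile them, and ideally list the finding IDs in the SECURITY.md 1.5.0 row so each claimed hardening item can be traced to a finding.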
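Review bot: In the SECURITY.md `@@ -215,10 +215,8 @@` hunk, dropping "No rate limiting per IP - Delegated to reverse proxy" and "No audit log" is consistent with the 1.4.0 row added in the next hunk, but the section now says nothing about what replaced them; operators who followed the old advice need to know whether proxy-level limits are still recommended (for example when running behind the proxy trust validation listed in ROADMAP.md) and where the audit log is written. Suggest a short pointer to the rate-limiting and audit-logging configuration in place of the removed entries. Also, the version table (`@@ -260,6 +258,8 @@`) adds the 1.4.0 row retroactively alongside 1.5.0 and still has no 1.3.0 row; if 1.3.0 carried no security changes, a row saying so keeps the table contiguous.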
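Review bot: The TODO.md hunk (`+- Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented`) references PENTEST_PLAN.md, but that file is not part of this diff (only PROJECT.md, ROADMAP.md, SECURITY.md, TASKLIST.md and TODO.md are touched); confirm it is committed and linked from SECURITY.md, since the 1.5.0 changelog row and the TASKLIST.md finding IDs are only meaningful to a reader who can open the plan they refer to. Minor: in TASKLIST.md the "Create comprehensive penetration testing plan" row sits after the five remediation rows it logically precedes; if the table is meant to be chronological, move it above them.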