Thanks for getting in touch!
Whoever carried out the pentest would likely be in the best position to advise on the course of action required to remedy the issues, or if they are fine as they are.
The main thing to check within Octopus is that the thumbprint used by the server for tentacle communications is encrypted with sha256RSA. You can check this by navigating to Configuration > Thumbprint, where you should see “The server certificate uses the sha256RSA algorithm”. We originally used an older algorithm, so if you started with an older version and have upgraded without renewing this, then it may need refreshing. There are a few steps to renewing it, so if it does need doing, let us know and we can walk through it.
Outside of Octopus, pentests will typically pick up whether the server OS has had older, less secure forms of TLS and ciphers disabled. These can be checked and disabled by using a program like IISCrypto. As this is related to the OS rather than Octopus we can’t provide any recommendations on what should and shouldn’t be enabled.
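As an added illustration of the two checks described above (this is not code from the thread or from Octopus Deploy), the following PowerShell script reads the signature algorithm from an exported copy of the server certificate and reports the server-side Schannel protocol settings that tools such as IIS Crypto write. The certificate path is a hypothetical placeholder: where Octopus stores its certificate is not assumed here, so export it from Octopus first (a public .cer export is enough). The script only reads; it changes nothing.

```powershell
# Added example, not from the original thread or from Octopus Deploy.
# Read-only checks: certificate signature algorithm + Schannel protocol state.
param(
    # Hypothetical path to an exported copy of the Octopus server certificate.
    [string]$CertificatePath = "C:\temp\octopus-server.cer"
)

function Test-CertificateSignatureAlgorithm {
    param([Parameter(Mandatory)][string]$Path)
    # Load the public certificate and read its signature algorithm name.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $alg  = $cert.SignatureAlgorithm.FriendlyName
    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        SignatureAlgorithm = $alg            # expected: sha256RSA
        NotAfter           = $cert.NotAfter
        IsSha256RSA        = ($alg -eq 'sha256RSA')
    }
}

function Get-SchannelProtocolState {
    # Well-known Schannel registry location used by IIS Crypto and similar tools.
    # A missing key or value means "Windows default for this OS version",
    # which is not the same as "disabled", so it is reported separately.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $key   = Join-Path $base "$proto\Server"
        $state = 'default'
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
            if ($null -ne $v) {
                $state = if ($v.Enabled -ne 0) { 'enabled' } else { 'disabled' }
            }
        }
        [pscustomobject]@{ Protocol = $proto; ServerSide = $state }
    }
}

Test-CertificateSignatureAlgorithm -Path $CertificatePath | Format-List
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Octopus server so the registry keys are readable. A certificate row with IsSha256RSA = False is the case the reply describes as needing a renewal; for the protocol table, which entries should be disabled is an OS hardening decision, as the reply notes, so compare the output against your organisation's baseline rather than treating the script as the policy.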