A company planned for and secured the budget to hire a consultant to perform a web application penetration test. Upon discovering vulnerabilities, the company asked the consultant to perform the following tasks:
Code review
Updates to firewall settings
Which of the following has occurred in this situation?

A. Scope creep
B. Post-mortem review
C. Risk acceptance
D. Threat prevention