There needs to be an option to manually trigger the security key reset.
The current scenario is as follows:
Remove hackers accounts and content.
Reset keys in Defender trying to remove hacker from sessions.
Find more hacked files allowing session creation without login and remove.
Unable to reset keys in Defender due to being too soon since the last reset keys.
Like the only time I think you'de want this is when you are disinfecting a live site where speed is of the essence but today it would have saved me the reinfection second round.
In regards to the site, won against the hackers
The cause was some residual files from a very very old version of WP that was lying around that allowed POST vars to set any session cookie without a password but sadly nothing picked up on it.
Lets bring this feature back!
All in favour say "I".