Report Writing

Penetration Test Report Writing

Communicating findings clearly — executive summary, technical findings, and actionable remediation

14 min readUpdated 2026-04-18
#reporting#pentest#cvss#findings#executive-summary#documentation
TL;DR
  • A pentest report is the only deliverable your client will keep — it's more important than the testing itself
  • Two audiences: executives (business risk, big picture) and technical teams (reproduce and fix the finding)
  • Every finding needs five things: description, impact, evidence, CVSS score, and remediation steps
  • Write in plain English — avoid jargon in executive sections; use precise technical language in findings
  • Proof of exploitation is what separates a finding from an allegation — screenshots, logs, and command output are mandatory

Prerequisites

  • Understanding of the vulnerability classes you'll document
  • Note-taking throughout the engagement — you cannot reconstruct quality evidence after the fact
  • Completed engagement — report writing starts during testing, not after

Report Structure Overview

A professional penetration test report has two distinct audiences within the same document.

Standard Pentest Report Sections

  1. 1
    Cover Page

    Client name, engagement dates, report date, classification (CONFIDENTIAL), version

  2. 2
    Table of Contents

    With page numbers. Long reports need quick navigation

  3. 3
    Executive Summary

    1-2 pages. Business risk language. No technical jargon. Senior leadership audience

  4. 4
    Scope and Methodology

    What was tested, what wasn't, testing approach, tools used

  5. 5
    Findings Summary

    Table with finding name, severity, CVSS score, status. Gives both audiences a quick overview

  6. 6
    Technical Findings

    One section per finding. Detailed, reproducible, with evidence

  7. 7
    Appendices

    Raw tool output, full scope lists, methodology references

The Executive Summary

The executive summary is the most-read section. Most executives will read only this.

Write for a non-technical audience. Assume they understand business risk, not SQL injection.

What to Include

ElementExample
Engagement purpose"To assess the security posture of the external perimeter and internal network"
Testing window"Testing was conducted from 14–21 April 2026"
Overall risk posture"The external perimeter contains critical vulnerabilities that could allow an unauthenticated attacker to gain full access to internal systems"
Top findings in plain English"An attacker could steal all customer data without needing to log in"
Positive findings"Internal network segmentation was well-implemented and limited lateral movement"
Recommended priority actionsTop 3 things to fix first

What NOT to Include

  • CVE numbers or CVSS scores
  • Tool names or technical exploit details
  • Raw command output
  • Jargon ("SQL injection", "Remote Code Execution") — translate to business impact instead
The Business Impact Translation

Instead of "The login form is vulnerable to SQL injection with stacked queries, allowing direct OS command execution," write: "An external attacker with no credentials can gain full control of the web server and access all customer data stored in the database."

CVSS Scoring

CVSS (Common Vulnerability Scoring System) v3.1 is the standard for vulnerability severity. Use it consistently.

Base Score Metrics

MetricOptions
Attack VectorNetwork / Adjacent / Local / Physical
Attack ComplexityLow / High
Privileges RequiredNone / Low / High
User InteractionNone / Required
ScopeUnchanged / Changed
Confidentiality ImpactNone / Low / High
Integrity ImpactNone / Low / High
Availability ImpactNone / Low / High

Severity Ranges

ScoreSeverityColour
9.0–10.0CriticalRed
7.0–8.9HighOrange
4.0–6.9MediumYellow
0.1–3.9LowBlue
0.0InformationalGrey
Example: Unauthenticated RCE via public API
AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Score: 10.0 (Critical)
CVSS Is Not Risk

CVSS measures technical severity, not business risk. An internal-only SQL injection that reaches only public data might score High technically but be Low business risk. Note the distinction between CVSS score and actual risk in your report.

Writing a Technical Finding

Each finding should follow a consistent structure. Inconsistency between findings looks unprofessional.

Finding Template

markdown
## [Finding Title]

**Severity**: Critical / High / Medium / Low / Informational
**CVSS Score**: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
**CWE**: CWE-89 (SQL Injection)
**Affected Asset(s)**: https://api.target.com/users/search

---

### Description

What the vulnerability is. 2-3 sentences, technically accurate.
Explain the root cause.

### Impact

What an attacker can do if they exploit this. Be concrete.
Quantify where possible: "access to 50,000 user records".

### Evidence

[Screenshot of the exploit working]
[Command used and output]

Request:
GET /api/search?q=' OR 1=1--

Response:
HTTP/1.1 200 OK
{"users": [{"id":1,"email":"admin@target.com"...}]}

### Remediation

Specific, actionable fix steps.

1. Use parameterised queries / prepared statements
2. Validate and sanitise all user input
3. Apply principle of least privilege to database account

### References

- https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html

Taking Notes During Testing

Quality evidence requires systematic note-taking during the engagement — not after.

Evidence Collection Protocol

  1. 1
    Screenshot everything exploitable

    Including the URL/command used in the screenshot — don't crop it out

  2. 2
    Copy full request/response pairs

    Burp Suite > Right-click > Copy to file. Include all headers

  3. 3
    Log all commands

    Use script command: `script -a pentest.log`. Every command is timestamped

  4. 4
    Note timestamps

    When each finding was discovered — for the scope/methodology section

  5. 5
    Record tooling versions

    nmap 7.94, Burp Suite Pro 2024.1.1 — for methodology section

  6. 6
    Note failed attempts too

    Documents due diligence and scope of testing

Finding Severity: Common Mistakes

Don't Inflate Severity

Every finding being Critical or High makes the report noise. Clients lose trust when a "Critical" finding turns out to be a missing security header. Reserve Critical for: unauthenticated RCE, credential exposure, full database access, domain compromise.

FindingCorrect severity
Missing HSTS headerInformational
Clickjacking (no sensitive actions)Low
SSL/TLS using TLS 1.1Low
Reflected XSS with limited impactMedium
Stored XSS on high-traffic pageHigh
SQL injection (data exposure)High–Critical
Unauthenticated RCECritical
Domain Admin compromiseCritical
Missing rate limiting (low-value endpoint)Informational–Low
Missing rate limiting (login endpoint)Medium

Remediation Writing

Bad remediation advice destroys a finding's value. Your client needs to know exactly what to do.

Bad: "Fix the SQL injection vulnerability."

Good:

1. Replace string concatenation in the login function (auth.php, line 47) with
   PDO prepared statements.
2. Apply input validation: reject non-alphanumeric characters in the username field.
3. Configure the database user (app_user) to have SELECT/INSERT only on the
   users table — revoke EXECUTE and admin privileges.
4. Review all other database queries in the codebase for the same pattern using:
   grep -n "SELECT.*\$" *.php

Report Quality Checklist

Before Sending the Report

  1. 1
    Spell-check and grammar-check the entire document

    Errors undermine credibility

  2. 2
    Verify all screenshots are legible

    Text in screenshots must be readable at normal zoom

  3. 3
    Confirm all CVSS scores are calculated correctly

    Use the official calculator at first.org/cvss

  4. 4
    Check scope consistency

    Every finding must be within agreed scope

  5. 5
    Verify remediation steps are actionable

    Have a developer review your recommendations

  6. 6
    Remove internal notes and draft comments

    Search for TODO, FIXME, TBD, Draft

  7. 7
    Check page numbers and TOC match

    If TOC says Finding A is on page 12, it must be

  8. 8
    Mark document classification on every page

    CONFIDENTIAL or RESTRICTED in header/footer

  9. 9
    Confirm client name and dates are correct

    Wrong client name is an embarrassing error

  10. 10
    Deliver as PDF — not Word/DOCX

    PDF preserves formatting and can be signed

Operational Notes

  • Take notes live — the quality of your evidence correlates directly with how consistently you capture it during testing. There's no recovering a fuzzy screenshot or half-remembered command after the engagement.
  • One finding per issue — don't bundle five SQL injection instances into one finding to save time. List them separately or clearly note all affected endpoints. Clients need to track remediation per item.
  • Retest and update — if the client fixes findings and you retest, mark each finding Resolved / Partially Resolved / Open with a comment. Retested reports have a higher perceived value.
  • Sensitivity — your report contains instructions to compromise the client's systems. Handle delivery securely: encrypt the PDF (password-protected + key delivered separately), use a secure file transfer, confirm the recipient.
  • Client calls — always offer a debrief call to walk through findings. Many clients won't fully understand written findings until explained verbally.

What to Read Next

  • Reconnaissance — the engagement methodology section should document your recon approach
  • Exploitation — the evidence you document in findings comes directly from your exploitation steps
  • OWASP Testing Guide — the standard reference for web application findings and remediation
← PreviousEvasion & AV Bypass
← back to knowledge base