
Pentest Report Example: A Complete Sample Report With Findings You Can Copy

March 19, 2026 | 12 min read

You finished the pentest. You popped shells, dumped creds, and pivoted across the network. Now comes the part nobody warns you about - writing the report.

If you have never written a pentest report before, staring at a blank document is brutal. Even experienced pentesters waste hours formatting instead of documenting. What you need is a concrete example you can follow.

This post walks through a complete pentest report example from cover to conclusion. Every section includes sample text you can adapt for your own engagements. We are using a fictional company called Apex Financial Services so you can see exactly how a professional report reads.

If you want downloadable templates instead, check out our free pentest report templates in DOCX and PDF format.


The Structure of a Professional Pentest Report

Before we dive into the example, here is the structure we will follow. Most professional reports include these sections in this order:

  • Cover Page
  • Document Control
  • Executive Summary
  • Scope and Methodology
  • Risk Assessment Summary
  • Detailed Findings
  • Remediation Roadmap
  • Appendices

This structure works for web application assessments, internal network tests, external assessments, and most other engagement types. If you are writing a web app report specifically, our web application pentest report guide covers the nuances.

Cover Page Example

The cover page is your first impression. Keep it clean and professional.

Content to include:

  • Report title (e.g., "Penetration Testing Report")
  • Client name (Apex Financial Services)
  • Engagement type (External Penetration Test)
  • Testing dates (February 10 - February 21, 2026)
  • Report date (February 25, 2026)
  • Classification level (Confidential)
  • Your company name and logo
  • Version number (v1.0)

Do not overcomplicate this. A single page with the information above is all you need. No decorative graphics, no filler text.

Document Control Example

This section tracks report versions and distribution. It is short but important for audit trails.

Version History:

Version   Date           Author      Changes
0.1       Feb 21, 2026   J. Torres   Initial draft
0.9       Feb 23, 2026   J. Torres   Peer review edits
1.0       Feb 25, 2026   J. Torres   Final release

Distribution List:

Name           Role                 Organization
Sarah Chen     CISO                 Apex Financial Services
David Park     VP Engineering       Apex Financial Services
InfoSec Team   Distribution Group   Apex Financial Services

Classification: This document is classified as Confidential. Distribution is limited to the individuals listed above. Do not share this report outside the organization without written approval from Apex Financial Services.

Executive Summary Example

The executive summary is the most-read section of your entire report. Many stakeholders will read nothing else, so it needs to stand on its own. Write it for a non-technical audience.

Apex Financial Services engaged [Your Company] to conduct an external penetration test of its public-facing web applications and network infrastructure. Testing was performed from February 10 to February 21, 2026, using a gray-box approach with limited credentials provided.

The assessment identified 14 vulnerabilities across the tested environment. Two findings are rated Critical, three are rated High, five are Medium, and four are Low severity.

The most significant finding is an SQL injection vulnerability in the customer portal login form that allows an unauthenticated attacker to extract the entire customer database, including names, email addresses, and hashed passwords. This vulnerability poses an immediate risk to customer data and regulatory compliance under GDPR and PCI DSS requirements.

The second critical finding involves a misconfigured API endpoint that exposes internal administrative functions without authentication. An attacker could use this endpoint to create privileged accounts and gain full control of the application backend.

Overall, the external attack surface of Apex Financial Services contains significant weaknesses that require immediate attention. We recommend prioritizing remediation of the two critical findings within 7 days, followed by high-severity issues within 30 days.

A full remediation roadmap with effort estimates is provided in Section 7 of this report.

Notice what this example does well. It states the engagement scope upfront, gives a severity breakdown, highlights the most dangerous findings in business terms, and ends with a clear recommendation. It avoids technical jargon.

For more tips on this section, see our complete pentest report writing guide.

Scope and Methodology Example

This section documents exactly what was tested, how it was tested, and what was excluded. It protects both you and the client.

Scope:

The following assets were included in this assessment:

  • portal.apexfinancial.com (Customer Portal - Web Application)
  • api.apexfinancial.com (REST API)
  • External IP range: 203.0.113.0/28

The following items were explicitly excluded from testing:

  • Third-party payment processor integration (Stripe)
  • Denial of service testing
  • Social engineering and phishing
  • Physical security assessment

Testing Approach: Gray Box. The client provided a standard user account for the customer portal. No source code access was provided.

Methodology: Testing followed the OWASP Testing Guide v4.2 for web application assessment and the PTES (Penetration Testing Execution Standard) for infrastructure testing. Vulnerability severity is rated using CVSS 3.1.

Tools Used: Burp Suite Professional, Nmap, Nuclei, SQLMap, Gobuster, Postman, custom scripts.

Testing Window: February 10 - February 21, 2026, during business hours (9 AM - 6 PM EST). After-hours testing was pre-approved for network scanning only.

Risk Assessment Summary Example

Give stakeholders a quick visual overview before the detailed findings. A summary table and severity breakdown work well here.

Findings by Severity:

Severity                Count
Critical (9.0 - 10.0)   2
High (7.0 - 8.9)        3
Medium (4.0 - 6.9)      5
Low (0.1 - 3.9)         4
Total                   14

Findings by Category:

Category                            Count
Injection                           3
Broken Access Control               4
Security Misconfiguration           3
Cryptographic Failures              2
Identification and Authentication   2

Map your findings to OWASP Top 10 categories when possible. It helps clients understand patterns and compliance teams map issues to frameworks.

Detailed Finding Examples

This is the core of your report. Each finding should be a self-contained block that anyone can read independently. Below are two example findings - one critical and one medium.

Finding 1: SQL Injection in Customer Portal Login

Severity:         Critical
CVSS 3.1 Score:   9.8
CVSS Vector:      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:              CWE-89 (SQL Injection)
OWASP Category:   A03:2021 - Injection
Affected Asset:   portal.apexfinancial.com/api/auth/login
Status:           Open

Description:

The login endpoint of the customer portal is vulnerable to SQL injection via the username parameter. The application concatenates user input directly into a SQL query without parameterization or input validation. This allows an unauthenticated attacker to execute arbitrary SQL commands against the backend database.

Evidence:

The following request was sent to the login endpoint:

POST /api/auth/login HTTP/1.1
Host: portal.apexfinancial.com
Content-Type: application/json

{
  "username": "admin' OR '1'='1' --",
  "password": "anything"
}

The server responded with HTTP 200 and returned a valid session token for the admin account. No valid password was required.

Further testing with SQLMap confirmed the ability to extract full database contents:

sqlmap -u "https://portal.apexfinancial.com/api/auth/login" \
  --data='{"username":"*","password":"test"}' \
  --dbs --level=3

Output confirmed access to three databases: apex_prod, apex_staging, and mysql. The apex_prod.users table contains 47,000 records including email addresses, hashed passwords, and account balances.

Impact:

An unauthenticated attacker can extract the entire customer database including personal information and financial data. This could result in:

  • Full customer data breach affecting 47,000 users
  • Regulatory violations under GDPR and PCI DSS
  • Financial fraud through exposed account details
  • Reputational damage and potential legal liability
  • Complete application compromise through admin account takeover

Remediation:

1. Use parameterized queries (prepared statements) for all database interactions:

// Vulnerable: user input is concatenated straight into the SQL text
const query = `SELECT * FROM users WHERE username = '${username}'`;

// Fixed: the SQL text carries only a placeholder ($1) and the value is passed
// separately, so the driver binds it as data (node-postgres style; `pool` is a pg Pool)
const query = 'SELECT * FROM users WHERE username = $1';
const result = await pool.query(query, [username]);

2. Implement input validation on the username field to reject special characters that are not expected in usernames.

3. Apply the principle of least privilege to the database account used by the application.

4. Deploy a web application firewall (WAF) as an additional layer of defense against injection attacks.
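To make the difference between the vulnerable and the fixed query concrete, here is an added example (not code from the original report or from Apex Financial Services) that builds the login query both ways and applies the allow-list validation from step 2. The node-postgres style pool.query(text, values) call, the username policy, and the findUserByUsername handler are assumptions; the tautology payload is the one quoted in the Evidence section.

```javascript
// Added example (not from the original report): the login query built the
// vulnerable way and the parameterized way, plus the allow-list username check
// from remediation step 2. Assumptions: a node-postgres style pool.query(text,
// values) and a username policy of 3-32 characters from [A-Za-z0-9._-].

// Payload quoted in the Evidence section of Finding 1.
const TAUTOLOGY_PAYLOAD = "admin' OR '1'='1' --";

// Vulnerable: the user-controlled value is spliced into the SQL text, so a
// quote character in the input changes the structure of the statement.
function buildLoginQueryVulnerable(username) {
  return `SELECT * FROM users WHERE username = '${username}'`;
}

// Fixed: the SQL text is a constant containing only a placeholder; the value
// travels separately and the driver binds it as data, never as SQL.
function buildLoginQueryParameterized(username) {
  return {
    text: 'SELECT * FROM users WHERE username = $1',
    values: [username],
  };
}

// Remediation step 2: allow-list validation (assumed policy).
const USERNAME_RE = /^[A-Za-z0-9._-]{3,32}$/;

function isValidUsername(username) {
  return typeof username === 'string' && USERNAME_RE.test(username);
}

// True when the SQL text itself now contains the tautology, i.e. the input
// rewrote the query. Used to show that only the vulnerable builder is affected.
function queryStructureChanged(sqlText) {
  return /\bOR\s+'1'\s*=\s*'1'/i.test(sqlText);
}

// The lookup as it would sit in the fixed login handler: validate first, then
// run the parameterized query. `pool` is assumed to be a node-postgres Pool.
async function findUserByUsername(pool, username) {
  if (!isValidUsername(username)) {
    return null; // rejected before any query is built
  }
  const { text, values } = buildLoginQueryParameterized(username);
  const result = await pool.query(text, values);
  return result.rows.length > 0 ? result.rows[0] : null;
}
```

With the payload from the finding, the vulnerable builder produces SQL whose WHERE clause has been rewritten, while the parameterized builder returns the unchanged statement with the payload sitting in values[0] as a plain string. The validation step rejects the payload outright, so in the fixed handler the database never sees it.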

Finding 2: Missing Security Headers

Severity:         Medium
CVSS 3.1 Score:   5.4
CVSS Vector:      AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE:              CWE-693 (Protection Mechanism Failure)
OWASP Category:   A05:2021 - Security Misconfiguration
Affected Asset:   portal.apexfinancial.com
Status:           Open

Description:

The customer portal does not return several recommended HTTP security headers. This makes the application more susceptible to client-side attacks such as clickjacking and MIME type sniffing.

Evidence:

The following security headers are missing from server responses:

Header                      Status    Risk
Content-Security-Policy     Missing   XSS mitigation
X-Frame-Options             Missing   Clickjacking
X-Content-Type-Options      Missing   MIME sniffing
Referrer-Policy             Missing   Information leakage
Permissions-Policy          Missing   Feature control
Strict-Transport-Security   Present   N/A

Response headers observed:

HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000

Impact:

Without these headers, the application relies entirely on its own code to prevent client-side attacks. If a cross-site scripting vulnerability is discovered in the future, the lack of Content-Security-Policy means there is no secondary defense to limit its impact. The missing X-Frame-Options header allows the application to be embedded in an iframe on a malicious site, enabling clickjacking attacks.

Remediation:

Add the following headers to all responses from the web server. For Nginx, add these lines to the server block:

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

Adjust the Content-Security-Policy directive to match the specific requirements of your application. Test thoroughly before deploying to production, as overly restrictive CSP rules can break legitimate functionality.
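The header table above is the kind of evidence that is easy to regenerate after the fix is deployed. The following added example (not code from the original report) parses a raw HTTP response head and reports which of the headers from Finding 2 are missing or carry a weak value. The first sample is the response quoted in the Evidence section; the second is a constructed "after remediation" response that carries the values from the Nginx block above. The value checks (accepted X-Frame-Options values, nosniff, a one-year HSTS max-age) are the example's own assumptions.

```javascript
// Added example (not from the original report): audit a raw HTTP response head
// for the security headers listed in Finding 2.

// Sample 1: the response observed during testing, as quoted in the finding.
const OBSERVED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: nginx/1.24.0',
  'Content-Type: text/html; charset=UTF-8',
  'Strict-Transport-Security: max-age=31536000',
  '',
].join('\r\n');

// Sample 2: constructed response after applying the Nginx add_header lines.
const REMEDIATED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: nginx/1.24.0',
  'Content-Type: text/html; charset=UTF-8',
  'Strict-Transport-Security: max-age=31536000',
  "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';",
  'X-Frame-Options: DENY',
  'X-Content-Type-Options: nosniff',
  'Referrer-Policy: strict-origin-when-cross-origin',
  'Permissions-Policy: camera=(), microphone=(), geolocation=()',
  '',
].join('\r\n');

// Lower-cased header name -> the risk it mitigates (the finding's table).
const EXPECTED_HEADERS = {
  'content-security-policy': 'XSS mitigation',
  'x-frame-options': 'Clickjacking',
  'x-content-type-options': 'MIME sniffing',
  'referrer-policy': 'Information leakage',
  'permissions-policy': 'Feature control',
  'strict-transport-security': 'Transport downgrade',
};

// Assumed value checks: a header that is present but misconfigured is reported
// as weak rather than counted as present.
const VALUE_CHECKS = {
  'x-frame-options': (v) => ['deny', 'sameorigin'].includes(v.toLowerCase()),
  'x-content-type-options': (v) => v.toLowerCase() === 'nosniff',
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 31536000; // one year, assumed minimum
  },
};

// Split a response head into its status line and a name -> value map.
// Header names are case-insensitive, so they are normalised to lower case.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break; // blank line ends the head
    const idx = line.indexOf(':');
    if (idx === -1) continue; // not a header line; skip it
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { statusLine: lines[0], headers };
}

// Classify each expected header as missing, weak (present but failing its
// value check) or ok.
function auditSecurityHeaders(raw) {
  const { statusLine, headers } = parseResponseHead(raw);
  const missing = [];
  const weak = [];
  const ok = [];
  for (const [name, risk] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in headers)) {
      missing.push({ header: name, risk });
      continue;
    }
    const check = VALUE_CHECKS[name];
    if (check && !check(headers[name])) {
      weak.push({ header: name, value: headers[name] });
    } else {
      ok.push(name);
    }
  }
  return { statusLine, missing, weak, ok };
}
```

Run against the observed response, the audit reports the same five missing headers as the finding and HSTS as the only one in place; run against the remediated response, nothing is missing or weak, which is the retest evidence you would paste into the updated finding.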

If you are not sure how the CVSS scores above were calculated, our CVSS scoring guide breaks down each metric.

Remediation Roadmap Example

Do not just dump findings and walk away. Give the client a prioritized action plan organized by urgency and effort.

Priority   Finding                             Severity   Effort      Deadline
1          SQL Injection in Login              Critical   2-4 hours   7 days
2          Unauthenticated Admin API           Critical   4-8 hours   7 days
3          Broken Access Control on Invoices   High       4-8 hours   14 days
4          Weak Password Policy                High       1-2 hours   14 days
5          Missing Rate Limiting               High       2-4 hours   30 days
6-10       Medium findings                     Medium     Varies      60 days
11-14      Low findings                        Low        Varies      90 days

Quick Wins: Findings 4 (password policy) and 6 (security headers) can be remediated in under two hours with configuration changes only. We recommend addressing these immediately alongside the critical items.

Appendices Example

Include supporting information that is useful but would clutter the main report.

Appendix A - Tool Output. Full Nmap scan results, Burp Suite crawl maps, and automated scanner output. Reference these from individual findings where relevant.

Appendix B - CVSS Scoring Methodology. Brief explanation of CVSS 3.1 base metrics and how severity ratings map to scores. Link to our CVSS 3.1 scoring guide if the client wants more detail.

Appendix C - Testing Credentials. Document any accounts provided by the client. Confirm whether credentials were rotated or disabled after testing.

Appendix D - Glossary. Define technical terms used in the report. This is especially useful when the report is shared with non-technical stakeholders.

Common Mistakes in Pentest Reports

After reviewing hundreds of pentest reports, these are the mistakes we see most often:

Vague titles. "XSS Found" tells the reader nothing. Be specific about where and what impact.

Missing evidence. A finding without a screenshot or request/response pair is just an opinion. Always prove it.

No CVSS vector. Writing "High" without a CVSS score is subjective and clients will push back. Our CVSS scoring guide makes this easy.

Copy-paste remediation. Telling every client to "implement input validation" without context is lazy. Show them the exact fix for their tech stack.

No executive summary. Developers read findings. Executives read the summary. Skip it and your report loses half its audience.

No remediation roadmap. Findings without a prioritized plan leave clients overwhelmed. Tell them what to fix first.

Speed Up Your Report Writing

Writing a professional report like the example above can take 4 to 8 hours manually. That is time you could spend testing. PentestReportAI takes your raw findings, tool output, and screenshots, then generates a publication-ready report in minutes. You get CVSS 3.1 auto-scoring, five professional templates, and PDF/DOCX export. Every report follows the exact structure we covered in this guide.

Try it free - no credit card required

Download the Full Example

Want this entire example as a downloadable template? Grab our free pentest report templates in DOCX and PDF format. We have templates for general assessments, web applications, network pentests, mobile testing, internal assessments, and enterprise engagements.