The report is the product of a pentest — findings are worthless if they can’t be understood and fixed. Write for two audiences, rate risk clearly, and drive remediation.
Why: a client pays for a report, not for "getting in" — clear, prioritized, reproducible findings are what let them reduce risk, so reporting is the most important skill, not the flashiest. When: document as you test (evidence, timestamps) so the report writes itself. Where: an unclear report wastes a good test; a clear one turns findings into fixes.
A good report has two audiences:
EXECUTIVE SUMMARY plain-language risk + business impact, for leadership
TECHNICAL FINDINGS reproducible detail + evidence, for engineers
Each finding:
title · severity (likelihood x impact) · affected asset · evidence ·
step-by-step reproduction · concrete remediation · references (CVE/OWASP)Why: findings must be prioritized by real risk — a critical vuln on an internet-facing system outranks a medium one on an isolated host — so a consistent rating (likelihood × impact, informed by CVSS but not blindly) tells the client what to fix first. When: rate every finding the same way. Where: over-rating erodes trust; under-rating hides real danger — calibration matters.
RISK = likelihood x impact (CVSS informs it; context decides it)
CRITICAL internet-facing RCE / full data exposure -> fix now
HIGH exploitable access to sensitive data -> fix this cycle
MEDIUM requires chaining or local access -> plan it
LOW/INFO hardening / defense-in-depth gaps -> backlog
Rank by what actually reduces the client's risk the most.Why: a test only improves security if findings get fixed and verified, so the engagement ends with clear remediation guidance and, ideally, a re-test to confirm closure. When: give actionable fixes (not just "patch it"), then re-scan/re-test the remediated items. Where: this mirrors the defensive vulnerability-management cycle — find, prioritize, fix, verify, repeat.
REMEDIATION cycle (offense and defense share this):
1. deliver actionable fixes per finding (config, patch, code change)
2. client remediates, assigns owners + due dates
3. RE-TEST the fixed items -> confirm closure
4. track residual risk for anything deferred
"We found 40 things" is noise. "You fixed the 5 that mattered" is value.