Sample pen test report and audit trail | Swarm
Open both.
The bundle that ships with every engagement. Read before you buy.

Sample pen test and audit trail reports.

Two artifacts ship with every engagement: a structured pen test report and the full audit trail. The report carries the verdict. The audit trail carries the work. Below, the sample of each. Receipts before verdict, in that order.

Sample pen test report (PDF · 93 pages · 1.5 MB)
Executive summary, findings (CVSS), exploit chains, validated PoC, methodology. Sanitized.

Audit trail (4,089 actions · 693 KB)
Every specialist action, in order. SOC 2 evidence-grade. Filter by specialist, step, finding ID.

Report structure

Five sections. Each cites a row.

The narrative report is what your stakeholders read; the full audit trail is what your SOC 2 auditor opens. The report claims, the audit trail proves. Cross-references run in both directions: every claim cites an action, every action links back to the finding it surfaced.

01 Executive summary: Plain-English narrative. Every claim cites a row.
02 Findings with CVSS: OWASP-category, repro steps, remediation guidance.
03 Multi-step exploit chains: Where damage happens. Composed automatically.
04 Validated proof-of-concept: Reproducible exploit on every Critical and High.
05 Audit trail pointer: Methodology lives in the actions, not in prose.

The differentiator

Receipts on every finding.

Every tool call. Every request. Every grep. Every submit. Every verify. Streams to the dashboard live and ships with the report. Your SOC 2 reviewer doesn't have to take our word for it. They open action 1,847 and read what we did.

audit trail · engagement 0a9b3 · actions 142–150 (1,847 actions · 312KB)

Action  Time      Specialist       Event                                                           Status
0142    14:11:08  [recon]          http_request GET /api/internal/health                           200
0143    14:11:09  [recon]          http_request GET /api/internal/users?role=admin                 200
0144    14:11:10  [auth]           submit_finding token-leak in /api/internal/users                high
0145    14:11:32  [broken-access]  source_grep authorize\(.*role                                   7 hits
0146    14:11:48  [broken-access]  http_request POST /api/role/upgrade                             403
0147    14:12:14  [broken-access]  http_request POST /api/role/upgrade -H X-Forwarded-User: admin  200
0148    14:12:15  [broken-access]  submit_finding privilege bypass via X-Forwarded-User            critical
0149    14:12:32  [chain]          submit_finding CHAIN-2 IDOR + role bypass = full takeover       critical
0150    14:13:08  [reviewer]       verify CHAIN-2 reproducible against live target                 sealed

Continued through engagement completion. Sealed and signed.

Legend:
200: Successful response or benign result
high: Verified high-severity finding
critical: Verified critical finding or chain

Questions

What buyers ask. Receipts attached.

The questions every engineering and security lead asks before they fund an engagement. Read the answers here, before the kickoff call.

01 What is in a sample pen test report?

Executive summary, individual findings with CVSS scores and remediation, multi-step exploit chains, validated proof-of-concept (PoC) for every Critical and High, and a pointer to the full audit trail. Markdown source, PDF render, and structured findings in the dashboard.

02 What is in the audit trail?

Every specialist action, in order: timestamp, specialist, step, event type, tool, method, target, status, finding ID, detail. SOC 2 evidence-grade. Filterable by specialist, step, or finding ID. Each action traces back from any finding to the request that surfaced it.

03 How is the report formatted?

Markdown source with a paired PDF render. Customers also see structured findings in the dashboard with severity filters, CVSS detail, and inline links to the audit trail actions that surfaced each finding.

04 Can I download a sample?

Yes. The sample report PDF and the sample audit trail are linked above. Both are sanitized; target identifiers and PII are redacted.

05 Will my deliverable look the same?

Yes. Every customer engagement produces the same shape: report, audit trail, validated PoC for every Critical and High, dashboard findings, free retest within 30 days. The sample is the format, not a one-off.

06 Can I redact findings before sharing externally?

Yes. Customers control redaction. The sanitized version you share with auditors or press is generated from the dashboard with redaction tools.

07 How long is the sample report?

The sample is 47 pages: executive summary, findings with CVSS and reproduction steps, exploit chains, validated PoCs, and methodology. The full audit trail ships separately because methodology lives in the actions, not in someone's head.