The Seven Things That Should Be in Every Pen Test Report

A pen test report is the only thing you walk away with. The testing is over, the testers are gone, and the report has to do three jobs at once. It has to convince leadership the work was worth the spend. It has to give your engineers what they need to fix the findings. And it has to satisfy any auditor or customer who asks to see it.


A lot of pen test reports do one of those jobs well, the second one badly, and the third one not at all.


This post lays out the seven things every quality pen test report should contain, what each one looks like when it is done right, and the warning signs that tell you a report is going to fall short. Use it as a checklist when you evaluate a vendor before you sign, or when you receive a report you are not sure about.

The Seven Essentials

A complete pen test report should include

An executive summary

A scope statement with explicit out-of-scope items

A documented methodology

Tester qualifications and engagement dates

Findings with severity, evidence, and reproducibility

Specific, prioritized remediation guidance

Retest results and verification

Each one serves a different reader and a different purpose. A report missing any of them is incomplete, even if the testing itself was solid.

1. Executive Summary

The executive summary is the part your CEO, board, or customer security team will actually read. One to two pages, business language, no raw vulnerability data.

A good executive summary includes

A plain-language description of what was tested and why

The overall risk posture (a sentence or two on whether the environment held up well or poorly)

The number of findings by severity

The most significant risks and their business impact

A high-level remediation status

Red Flag

The executive summary is one paragraph long, or it copies the methodology section verbatim, or it is so technical that a non-engineer cannot read it. The summary is supposed to translate the test for people who do not speak in CVEs.

2. Scope Statement (With Explicit Out-of-Scope)

The scope statement tells you exactly what was tested. It should list every asset, application, IP range, URL, API endpoint, and environment that the testers covered. It should also list what was deliberately excluded.

A good scope statement includes

Specific assets by name, IP, or URL (not "the production environment")

The type of testing performed on each (network, application, API, mobile, cloud, social engineering, segmentation)

The environment tested (production, staging, isolated test environment)

Out-of-scope items, with a one-line reason why

The out-of-scope list is the part most reports get wrong. Without it, anyone reading the report later cannot tell whether something was tested and found clean or never tested at all. That distinction matters when an auditor asks, when a customer asks, or when a breach happens in an area that was supposed to be in scope.

Red Flag

The scope is described in vague language like "the customer environment" or "production systems" without a list of assets. Or there is no out-of-scope statement at all.

3. Methodology

The methodology section explains how the testing was performed. It should reference an industry-standard framework and describe how that framework was applied to your engagement.

A good methodology section includes

A named industry standard (NIST SP 800-115, OWASP, PTES (Penetration Testing Execution Standard), or OSSTMM (Open Source Security Testing Methodology Manual))

The test type (black box, gray box, or white box) and what that meant for the engagement

The phases performed (reconnaissance, scanning, exploitation, post-exploitation, reporting)

The tools used, both automated and manual

Any limitations or constraints that affected coverage (testing windows, rate limits, production safeguards)

This section matters because it lets a future reader judge how thorough the test was. A test with three weeks of testing and a documented methodology is not the same as a test that was a week of automated scanning, and the methodology section is where that becomes clear.

Red Flag

A single sentence saying "industry-standard methodology" with no named framework. Or a methodology that lists tools but never describes how they were used.

4. Tester Qualifications and Engagement Dates

The report should name the people who did the testing, list their certifications, and document the engagement timeline.

A good tester section includes

Names of the testers who performed the work

Certifications such as Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), Offensive Security Experienced Penetration Tester (OSEP), or Certified Ethical Hacker (CEH)

Years of experience or relevant background

The engagement start and end dates for active testing

The reporting completion date

This serves two readers. Your security team needs to know that real, qualified humans tested the environment. Auditors and QSAs (Qualified Security Assessors) need to verify tester independence and credentials, and PCI-DSS Requirement 11.4.2b explicitly allows QSAs to interview the testers about how the work was performed.

Red Flag

The report names a company but no individuals. Or the testers are listed without credentials. Or the engagement dates are missing, which makes the report useless for SOC 2 Type II audit windows.

5. Findings With Severity, Evidence, and Reproducibility

This is the longest section in any pen test report and the one most often watered down. Each finding should be a complete record that someone outside the engagement can review, validate, and act on.

A good pentest finding includes

A descriptive title (not just "SQL Injection")

A severity rating using a standard system, typically the Common Vulnerability Scoring System (CVSS) v3.1 or v4.0

The affected asset, URL, or component

A description of the vulnerability and the underlying weakness

Proof of exploitation, with screenshots, request and response captures, or video

Reproducibility steps so an engineer can recreate the issue

The potential business impact if exploited

References to known CVEs or CWEs where applicable

Without proof of exploitation, a finding looks like a vulnerability scan result. The whole point of a pen test is that a human attempted the exploit and either succeeded or proved it was not possible. Evidence is what separates pen testing from scanning.

Red Flag

indings without screenshots or request and response evidence. Severity ratings without CVSS scores. No reproduction steps. A "findings" list that reads like a vulnerability scanner export.

6. Specific, Prioritized Remediation Guidance

A pen test report is not just a record of what is broken. It should also tell you, in concrete terms, how to fix it.

A good remediation section includes

Specific guidance for each finding, not generic advice

Prioritization based on severity, exploitability, and business impact

Multiple remediation options where they exist (immediate fix, longer-term fix, compensating controls)

References to vendor documentation, CVE patches, or framework guidance

Notes on dependencies (fixing finding A may resolve finding B, fixing C requires an architecture change)

The fastest way to spot a weak pen test vendor is to check this section. Vague guidance like "implement input validation" or "follow the principle of least privilege" tells you the testers wrote the report from a template instead of from your environment. Real remediation guidance tells you which file, which configuration, which IAM policy, or which framework setting needs to change.

Red Flag

Generic remediation advice that could apply to any company. Boilerplate language copied across multiple findings. No prioritization. No reference to your specific stack.

7. Retest Results and Verification

A finding is not closed until someone verifies the fix works. Retest results should be in the report or in an appendix added after remediation.

A good retest section includes

The original finding and its severity

The remediation action taken (with date)

The retest method

The retest result (resolved, partially resolved, or not resolved)

The retest date

The tester who performed the retest

PCI-DSS Requirement 11.4.4 explicitly requires retesting on remediated findings. SOC 2 auditors expect it for critical and high findings. And from a pure security perspective, retesting is the only way you know your fix actually worked rather than just appearing to.


If retesting is not part of the original engagement, the report should at least describe the retest process available and what it would cost. PTaaS engagements typically include retesting as part of the subscription, which is one of the core differences from one-off testing.

Red Flag

No retesting included, no retesting offered, or retesting only available as a separate paid engagement with no defined timeline.

How to Use This Checklist

Three ways to put this list to work

Before you sign with a vendor.

Ask for a sample report. Run it through this checklist. Any vendor that hesitates to share a redacted sample is telling you something. Any vendor whose sample report fails three or more of these seven items is going to deliver a similar product to you.

When you receive a report.

Grade it against the seven sections. If anything is missing, ask the vendor for the missing piece in writing before you sign off and pay the final invoice. The right time to fix a weak report is before the engagement closes.

When you brief leadership.

If you have to defend the spend on pen testing, walk through the seven sections of the report. The structure tells the story: this is what we tested, this is who tested it, this is what they found, this is how serious it is, this is what we are doing about it, and this is how we know the fix worked.

How APT Approaches Reporting

APT Security Management offers Penetration Testing as a Service (PTaaS) through a prepaid token model and a flat-rate package option. Reports are built around the seven sections above and include everything a SOC 2, PCI-DSS, HIPAA, or ISO 27001 auditor expects to see.


Specifically:

Executive summary written for non-technical leadership

Detailed scope statement with explicit out-of-scope items

Methodology aligned with NIST SP 800-115, OWASP, and PTES

Named, credentialed testers (OSCP, CISSP, and related)

CVSS-rated findings with screenshots, request and response evidence, and reproduction steps

Remediation guidance specific to your stack and prioritized by exploitability

Retesting included on remediated findings, with verification documented in the report

If you have a recent pen test report and you want a second opinion on whether it covers what it should, a 30-minute consultation will tell you. We will walk through your report against the same checklist above and flag the gaps an auditor or a sharp customer would catch.

Frequently Asked Questions

How long should a pen test report be?

There is no standard length. A small web application engagement might produce a 30-page report. An enterprise engagement covering networks, cloud, and applications can run 100 pages or more. Length matters less than completeness against the seven sections above.

Should I get the report in PDF or another format?

PDF is standard for the formal report. Many quality vendors also provide findings in a portal where you can track status, export to ticketing tools, and access reports for past engagements. Both have a place. PDFs are easier to share with auditors and customers. Portals are easier for day-to-day remediation work.

Can I share the pen test report with customers or auditors?

Yes, but read your engagement contract first. Most pen test contracts allow sharing with auditors, customers, and prospects under non-disclosure agreements (NDAs). Some require notification or have restrictions on redistribution. For customer security questionnaires, many companies share an executive summary or a letter from the testing firm rather than the full report.

What is the difference between an executive summary and the full findings?

The executive summary is a one to two page, business-language overview written for leadership. The full findings section is the detailed technical record written for engineers. Both are required. The summary alone does not satisfy auditors. The technical findings alone do not satisfy executives.

What should I do if the report I received is missing key elements?

Ask the vendor in writing for the missing pieces before you close out the engagement. Most reputable vendors will add what is missing. If they refuse, document the gap and weigh it against the next engagement. A vendor that does not produce complete reports is a vendor whose work is harder to defend in front of auditors, leadership, and customers.

Get a second opinion on your pen test report

Book a free 30-minute consultation. We will walk through your most recent report against the seven-section checklist and flag the gaps an auditor or customer would catch. 

Book a Free Consultation