Skip to content
SP StackPractices
intermediate By Mathias Paulenko

Penetration Test Report Template

A template for penetration test reports covering scope, methodology, findings, severity ratings, evidence, and remediation recommendations.

Topics: testing

Note: This guide follows English-language naming conventions and terminology standards common in international development teams. Examples use English identifiers and comments to maximize compatibility across codebases and tooling.

Overview

A penetration test report documents the findings of a security assessment. It defines the scope, methodology, vulnerabilities discovered, severity ratings, evidence, and remediation recommendations. The report serves as both a technical reference for engineering teams and a compliance artifact for auditors.

When to Use

  • For alternatives, see Vulnerability Management Process Template.

  • Documenting results of a penetration test engagement

  • Providing evidence for compliance audits (PCI-DSS, SOC 2, ISO 27001)

  • Communicating security findings to engineering teams

  • Tracking remediation progress over time

  • Comparing security posture across test cycles

Solution

# Penetration Test Report — `<Organization Name>`

## Report Metadata

| Field | Value |
|-------|-------|
| Organization | Example Corp |
| Report Version | 1.0 |
| Test Date | 2026-06-15 to 2026-06-19 |
| Report Date | 2026-06-26 |
| Classification | Confidential |
| Prepared By | Security Team / External Tester |
| Approved By | CISO |
| Distribution | Engineering Leads, CISO, Auditors |

## 1. Executive Summary

### Assessment Overview

| Field | Value |
|-------|-------|
| Test type | Black-box external + Grey-box internal |
| Duration | 5 business days |
| Testers | 2 senior penetration testers |
| Scope | 3 web apps, 2 APIs, 1 mobile app, internal network |
| Findings | 14 total (2 critical, 4 high, 5 medium, 3 low) |
| Overall risk | High |
| Previous test | 2025-12-10 (12 findings, 8 remediated) |

### Risk Summary

| Severity | Count | Remediated | Open | Trend |
|----------|-------|------------|------|-------|
| Critical | 2 | 0 | 2 | +1 |
| High | 4 | 0 | 4 | +2 |
| Medium | 5 | 0 | 5 | -1 |
| Low | 3 | 0 | 3 | 0 |
| Informational | 0 | 0 | 0 | 0 |
| Total | 14 | 0 | 14 | +2 |

### Key Findings

| ID | Title | Severity | Status |
|----|-------|----------|--------|
| PT-001 | SQL injection in login endpoint | Critical | Open |
| PT-002 | Hardcoded credentials in API repository | Critical | Open |
| PT-003 | Broken access control in admin panel | High | Open |
| PT-004 | Insecure deserialization in payment API | High | Open |
| PT-005 | Missing rate limiting on authentication | High | Open |
| PT-006 | Outdated TLS configuration on load balancer | High | Open |

## 2. Scope and Methodology

### Scope

| Asset | Type | Environment | Testing Access |
|-------|------|-------------|----------------|
| app.example.com | Web application | Production | Black-box |
| api.example.com | REST API | Production | Black-box |
| admin.example.com | Web application | Production | Grey-box (test account) |
| mobile app | iOS/Android | Production | Binary provided |
| Internal network | Network | Corporate | Internal access |

### Out of Scope

| Item | Reason |
|------|--------|
| Third-party SaaS | Not owned by organization |
| Legacy systems (EOL) | Scheduled for decommission |
| Physical security | Separate assessment |
| Social engineering | Separate engagement |
| DoS/DDoS | Agreed exclusion |

### Testing Methodology

| Phase | Activities | Duration | Tools |
|-------|-----------|----------|-------|
| Reconnaissance | DNS, subdomain enumeration, port scanning | 0.5 day | Amass, Nmap, Subfinder |
| Enumeration | Service fingerprinting, content discovery | 1 day | Nmap, Gobuster, ffuf |
| Vulnerability assessment | Automated + manual testing | 1.5 days | Burp Suite, OWASP ZAP, nuclei |
| Exploitation | Proof-of-concept development | 1.5 days | Burp Suite, sqlmap, Metasploit |
| Post-exploitation | Lateral movement, privilege escalation | 0.5 day | LinPEAS, WinPEAS, Mimikatz |
| Reporting | Documentation and evidence collection | Ongoing | Custom scripts |

### Testing Standards

| Standard | Coverage |
|----------|----------|
| OWASP Testing Guide v4.2 | Web application tests |
| OWASP API Security Top 10 | API tests |
| PTES (Penetration Testing Execution Standard) | Overall methodology |
| NIST SP 800-115 | Technical guide to testing |
| MITRE ATT&CK | Post-exploitation mapping |

## 3. Findings

### Finding Template

Finding ID: PT-XXX Title: Severity: <Critical/High/Medium/Low/Informational> CVSS: CWE: OWASP: Status: <Open/Remediated/Accepted Risk> Affected asset: <URL, host, component> Affected versions: <version or “all”> Discovered by: Date discovered:


### PT-001: SQL Injection in Login Endpoint

| Field | Value |
|------|-------|
| Severity | Critical |
| CVSS | 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-89: SQL Injection |
| OWASP | A03:2021 — Injection |
| Status | Open |
| Affected asset | https://app.example.com/api/login |
| Discovered by | Tester A |
| Date | 2026-06-16 |

#### Description

The login endpoint at `/api/login` accepts a JSON payload with `username` and `password` fields. The `username` field is concatenated directly into a SQL query without parameterization. An attacker can inject SQL commands to bypass authentication, extract database contents, or execute administrative operations.

#### Proof of Concept

```http
POST /api/login HTTP/1.1
Host: app.example.com
Content-Type: application/json

{
  "username": "admin' OR '1'='1'--",
  "password": "anything"
}

Response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": "admin",
  "role": "administrator"
}

Impact

An unauthenticated attacker can:

  • Bypass authentication and log in as any user
  • Extract the entire database including PII, credentials, and session tokens
  • Modify or delete database records
  • Potentially achieve remote code execution via xp_cmdshell or similar

Reproduction Steps

  1. Navigate to https://app.example.com/login
  2. Enter admin' OR '1'='1'-- in the username field
  3. Enter any value in the password field
  4. Click “Login”
  5. Observe successful authentication as administrator

Remediation

StepActionPriority
1Replace string concatenation with parameterized queriesImmediate
2Use ORM or query builder with prepared statementsImmediate
3Implement input validation for all user inputsHigh
4Apply least privilege to database user accountHigh
5Deploy WAF rule as temporary mitigationImmediate
6Conduct code review for other SQL injection pointsHigh
# Vulnerable code
query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
cursor.execute(query)

# Remediated code
query = "SELECT * FROM users WHERE username = %s AND password = %s"
cursor.execute(query, (username, password))

References

ResourceURL
OWASP SQL Injectionhttps://owasp.org/www-community/attacks/SQL_Injection
CWE-89https://cwe.mitre.org/data/definitions/89.html
PortSwigger Guidehttps://portswigger.net/web-security/sql-injection

PT-002: Hardcoded Credentials in API Repository

FieldValue
SeverityCritical
CVSS9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CWECWE-798: Use of Hard-coded Credentials
OWASPA07:2021 — Identification and Authentication Failures
StatusOpen
Affected assethttps://github.com/example/api (public repo)
Discovered byTester B
Date2026-06-16

Description

The API source code repository contains hardcoded AWS access keys and database credentials in the source files. The repository is public, allowing anyone to extract these credentials and access production infrastructure.

Evidence

File: src/config/database.js (line 12)
const DB_PASSWORD = "Sup3rS3cr3tP@ss!";

File: src/config/aws.js (line 8)
const AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
const AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";

Impact

An attacker with access to the public repository can:

  • Connect to the production database with full credentials
  • Use AWS access keys to access S3 buckets, Lambda functions, and other cloud resources
  • Pivot to other services using the same credentials
  • Modify or delete production data

Remediation

StepActionPriority
1Rotate all exposed credentials immediatelyImmediate
2Move credentials to environment variables or secrets managerImmediate
3Scan git history for all leaked secrets and purgeImmediate
4Enable GitLeaks pre-commit hookHigh
5Audit AWS CloudTrail for unauthorized accessHigh
6Implement IAM role-based access instead of long-lived keysHigh

PT-003: Broken Access Control in Admin Panel

FieldValue
SeverityHigh
CVSS8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CWECWE-284: Improper Access Control
OWASPA01:2021 — Broken Access Control
StatusOpen
Affected assethttps://admin.example.com/users
Discovered byTester A
Date2026-06-17

Description

The admin panel performs authorization checks only on the frontend. A regular user can access admin endpoints by directly calling the API with their session token. The server does not validate the user’s role before returning admin-only data.

Proof of Concept

GET /api/admin/users HTTP/1.1
Host: admin.example.com
Authorization: Bearer <regular_user_token>

Response:

HTTP/1.1 200 OK
Content-Type: application/json

[
  {"id": 1, "username": "admin", "email": "admin@example.com", "role": "admin"},
  {"id": 2, "username": "user1", "email": "user1@example.com", "role": "user"}
]

Remediation

StepActionPriority
1Implement server-side role checks on all admin endpointsImmediate
2Use middleware for authorization verificationHigh
3Deny by default — allow only explicitly permitted actionsHigh
4Add automated tests for access controlMedium

4. Severity Rating Methodology

CVSS v3.1 Scoring

CVSS ScoreSeverityColor
9.0 - 10.0CriticalRed
7.0 - 8.9HighOrange
4.0 - 6.9MediumYellow
0.1 - 3.9LowBlue
0.0InformationalGreen

Risk Matrix

Impact \ LikelihoodLowMediumHigh
HighMediumHighCritical
MediumLowMediumHigh
LowLowLowMedium

Likelihood Factors

FactorLowMediumHigh
Attack complexityAdvancedModerateLow
Authentication requiredAdminUserNone
Network accessLocalAdjacentNetwork
Public exploitNoTheoreticalAvailable

5. Remediation Summary

Remediation Priority

PrioritySeveritySLAOwner
P0Critical24 hoursEngineering Lead
P1High7 daysEngineering Lead
P2Medium30 daysTeam Lead
P3Low90 daysDeveloper

Remediation Tracker

IDTitleSeverityOwnerDue DateStatus
PT-001SQL injection in loginCriticalBackend Lead2026-06-17Open
PT-002Hardcoded credentialsCriticalDevOps Lead2026-06-17Open
PT-003Broken access controlHighBackend Lead2026-06-24Open
PT-004Insecure deserializationHighBackend Lead2026-06-24Open
PT-005Missing rate limitingHighDevOps Lead2026-06-24Open
PT-006Outdated TLS configHighDevOps Lead2026-06-24Open

6. Appendix

Tools Used

ToolVersionPurpose
Burp Suite Professional2026.5Web proxy, scanning, exploitation
OWASP ZAP2.15Automated web scanning
Nmap7.95Network scanning
sqlmap1.8SQL injection automation
Gobuster3.6Directory enumeration
Amass4.2Subdomain enumeration
nuclei3.3Template-based scanning
LinPEAS20240412Linux privilege escalation
GitLeaks8.21Secret scanning

Test Coverage

AssetTests RunTests PassedTests FailedCoverage
app.example.com142138497%
api.example.com9895397%
admin.example.com8783495%
mobile app5654296%
internal network7269396%
Total4554391696%

OWASP Top 10 Coverage

OWASP CategoryTestedFindings
A01: Broken Access Control2
A02: Cryptographic Failures1
A03: Injection1
A04: Insecure Design0
A05: Security Misconfiguration2
A06: Vulnerable Components1
A07: Auth Failures2
A08: Software/Data Integrity1
A09: Logging/Monitoring Failures1
A10: SSRF0

## Explanation

A penetration test report has three audiences: engineers who fix the vulnerabilities, executives who need risk visibility, and auditors who need compliance evidence. The report structure serves all three.

The executive summary provides a high-level view for non-technical stakeholders. It includes the total number of findings, severity distribution, trend compared to previous tests, and the top critical findings. Executives need to understand the risk level and whether it's improving.

The scope and methodology section defines what was tested and how. This is critical for auditors who need to verify that the test met compliance requirements. The scope explicitly lists what was in and out of scope. The methodology references industry standards (OWASP, PTES, NIST) to demonstrate rigor.

Each finding follows a consistent template: ID, title, severity, CVSS score, CWE mapping, description, proof of concept, impact, reproduction steps, and remediation. The CVSS score provides an objective severity rating. The CWE mapping connects the finding to a recognized vulnerability category. The proof of concept demonstrates that the vulnerability is real and exploitable, not theoretical.

Evidence is critical. Every finding includes the exact HTTP request, response, or command that demonstrates the vulnerability. This allows engineers to reproduce the issue and verify their fix. Without evidence, findings are dismissed as theoretical.

Remediation recommendations are specific and actionable. Instead of "fix the SQL injection," the recommendation says "replace string concatenation with parameterized queries" and provides code examples. Each remediation step has a priority level matching the severity SLA.

The remediation tracker assigns owners and due dates. This transforms the report from a document into an action plan. Without ownership and deadlines, findings remain open indefinitely.

## Variants

| Context | Approach | Notes |
|---------|----------|-------|
| External black-box | No internal access, full recon | Tests real-world attack surface |
| Internal grey-box | Test account provided, some knowledge | Tests deeper application logic |
| White-box | Source code provided | Code review + dynamic testing |
| API-only | Focus on REST/GraphQL endpoints | OWASP API Security Top 10 |
| Mobile | iOS/Android binary testing | OWASP MASVS |
| Network | Internal network penetration | PTES network methodology |
| Cloud | AWS/Azure/GCP penetration | Cloud-specific attack vectors |

## What Works

1. Include evidence for every finding — screenshots, HTTP requests, commands
2. Map findings to OWASP Top 10 and CWE — helps with compliance
3. Provide specific remediation with code examples — not just "fix it"
4. Assign owners and due dates — accountability drives remediation
5. Compare to previous test results — shows trends and progress
6. Include both automated and manual testing — automated finds low-hanging fruit, manual finds logic flaws
7. Rate severity with CVSS — objective, industry-standard scoring

## Common Mistakes

1. No evidence — findings are dismissed as theoretical
2. Vague remediation — "fix the vulnerability" without specifics
3. No owner assignment — nobody is responsible for fixing
4. Testing only automated tools — misses business logic flaws
5. No scope definition — leads to testing things that don't matter
6. No comparison to previous tests — can't measure improvement
7. Over-rating severity — loses credibility with engineering teams

## Frequently Asked Questions

### What is the difference between a penetration test and a vulnerability scan?

A vulnerability scan is automated and identifies known vulnerabilities by checking for signatures and version numbers. A penetration test is manual (or semi-automated) and attempts to exploit vulnerabilities to determine real-world impact. A scan might find that a library has a known CVE. A penetration test determines whether that CVE is actually exploitable in your specific configuration and what an attacker could do if exploited.

### How often should we conduct penetration tests?

At minimum annually. For high-risk industries (financial, healthcare), quarterly or bi-annually. After major changes (new features, architecture changes, infrastructure migrations), conduct a targeted test of the changed components. Compliance frameworks may dictate frequency: PCI-DSS requires annual testing, SOC 2 recommends it, HIPAA requires it for significant changes.

### Should we use internal testers or external consultants?

Both have value. External consultants bring fresh perspective and test what you don't know about. Internal testers understand the system deeply and can test business logic that external testers would miss. A common approach is external annual test + internal quarterly tests. If using external testers, rotate vendors every 2-3 years to get different perspectives.

### What should we do if we disagree with a finding's severity?

Discuss with the tester during the report review meeting. Provide context they may have missed (compensating controls, network segmentation, data classification). If the tester agrees, they update the severity. If not, document your rationale in the remediation tracker as a risk acceptance with management approval. Don't just ignore findings you disagree with — document the disagreement.

### How do we verify that remediation actually fixed the vulnerability?

Re-test the specific finding after remediation. The tester attempts the same exploit against the patched system. If the exploit no longer works, the finding is marked as remediated. Include re-test results in an addendum to the original report. Some engagements include re-testing as part of the original scope; others require a separate engagement.