Reporting & Professional Practice · beginner · ~11 min

The penetration test report: structure

Lay out a professional report and write for both executives and engineers.

Overview

The report is the deliverable. It serves two audiences: a one-page executive summary (business risk, plain language) and a technical body (reproducible findings). Standard sections: exec summary, scope, methodology, findings (by severity), remediation, appendices. Lead with impact, stay accurate and actionable.

Why it matters

Clients act on the report, not the test. Structuring it for both executives and engineers — impact-first, accurate, reproducible, actionable — is what turns findings into fixes and is among the most valued pentester skills.

Core concepts

  • Report = product.
  • Two registers: exec summary (business) vs technical body (engineers).
  • Sections: scope, methodology, findings-by-severity, remediation, appendices.
  • Principles: impact over tools, actionable fixes, honest/accurate, reproducible.

Lesson

The report is the product. A brilliant test that's reported badly delivers little; a clear report is what the client pays for and acts on.

Two audiences, two registers

  • Executive summary — for leadership: business risk in plain language, overall posture, the few things that matter most, and whether objectives were met. No jargon, no payloads. One page.
  • Technical body — for engineers: every finding with enough detail to understand, reproduce, and fix it.

Standard sections

  1. Executive summary (business-level).
  2. Scope — exactly what was tested (assets, dates), and what wasn't.
  3. Methodology — how you tested (approach, standards like OWASP WSTG/PTES), so results are credible and repeatable.
  4. Findings — the detailed list (next lessons), ordered by severity.
  5. Remediation roadmap — prioritized fixes.
  6. Appendices — tooling, raw evidence, out-of-scope notes.

Principles

  • Lead with impact, not tools: "an attacker could read all customer records" beats "ran sqlmap".
  • Actionable: every finding ends with a concrete fix.
  • Accurate & honest: report what you found, including "we couldn't test X" and negative results. Don't overstate.
  • Reproducible: someone else should be able to confirm each finding from your write-up.

The platform's build-markdown-report exercises give you the C side of assembling a report programmatically; this track is about what goes in it.

Summary

A professional report pairs a plain-language executive summary with a reproducible technical body, organized into scope, methodology, severity-ordered findings, and remediation. Leading with impact and staying accurate and actionable is what delivers value.