Pentest Report Components

Pentest reports provide a detailed overview of the vulnerabilities found during a penetration test. These reports typically include the following components:

  1. Vulnerability Description: A clear and concise explanation of the vulnerability, including how it was discovered and the potential impact it could have on the system or network.

  2. Vulnerability Impact: An assessment of the severity of the vulnerability, including the potential damage it could cause, the likelihood of exploitation, and the ease of remediation.

  3. Remarks and Remediation: Recommendations for how to fix the vulnerability, including best practices and specific steps that should be taken to address the issue.

  4. Proof of Concept: A demonstration of how the vulnerability can be exploited, including example code or screenshots that illustrate the issue.

  5. Affected URL: The specific URL or asset that is affected by the vulnerability.

  6. Priority: Indicating the severity of the vulnerability and the urgency of addressing the issue.

  7. Issue Type: Categorizing the type of vulnerability, such as a cross-site scripting (XSS) or a SQL injection.


The metadata panel on the right side of the report provides detailed information about the report, including the report title, vulnerability ID, vulnerability type, priority, vulnerable endpoint, report status, and any external references.

This panel is designed to give you a clear understanding of the vulnerability and its impact, as well as any relevant information that may be needed to remediate the issue.

  1. The report title and vulnerability ID are unique identifiers for the report, making it easy to track and manage the issue.

  2. The vulnerability type, priority, and vulnerable endpoint provide information about the nature of the vulnerability and its impact on your systems.

  3. The report status is used to track the progress of the issue, from initial discovery to resolution.

  4. The external references section includes any additional information that may be relevant to the vulnerability, such as links to external resources or guidance on how to remediate the issue.


The report timeline is a detailed log of all the activities that have taken place in the report between the pentester and the program team. It includes updates such as comments added by the pentester or the program team, changes in the report status (e.g. from "new" to "resolved" or "ignored"), and retest requests made by the program team. This feature allows for easy tracking of the progress and resolution of each vulnerability reported.

Additionally, it provides a clear record of all the actions taken and communication exchanged related to a specific vulnerability. This helps in keeping track of all the vulnerabilities and their status, making it easy to keep track of progress and resolve vulnerabilities in a timely manner.

Last updated