PENTEST // SAMPLE REPORT

THE REPORT, PAGE BY PAGE

This is the anatomy of the report a fixed-price penetration test produces: every section, in order, with nothing airbrushed.

There is no fake download button on this page. The real sample is an anonymized report from a live engagement, and we share it under NDA on request. Below is exactly what it contains, so you can evaluate it, or any other vendor's report, before you spend anything.

2 documents: report + letter
5-7 days from kickoff to delivery
1 page per finding, with evidence
FREE re-test, in the final report
DELIVERABLE

What arrives in your inbox

One engagement produces two documents, the executive PDF report and a signed attestation letter, delivered 5 to 7 days after kickoff, inside the fixed $2,499 price. Alongside them: developer-format findings, a 30-minute walkthrough call, and a free re-test after you fix. Nothing on this list is an upsell. Expedited 72-hour delivery exists for teams against an audit date ($1,000; most teams do not need it).

Executive PDF report

The full working document: scope, executive summary, severity breakdown, one page per finding, provenance appendix, re-test addendum. Written so page two works for a CFO and page twelve works for a developer.

Signed attestation letter

A short signed PDF stating who tested what, when, by which methodology, and the outcome at severity level. The document you hand to auditors, enterprise reviewers, and investors.

Developer JSON + SARIF

Machine-readable findings for SonarQube, GitHub Advanced Security, or your CI pipeline, so remediation becomes tickets instead of screenshots of a PDF.

Not budgeting for a pentest yet? The free Ghost Scan checks your site across 9 surface categories in about a minute, no card, no signup. It is the honest starting point before any report matters.

ANATOMY

Anatomy of the report

The report is organized so the first two pages work for a CFO and the rest works for the engineer who has to fix things. The executive summary is deliberately non-technical: if a reader with no security background cannot finish it and know what the company should do next, we consider it badly written. Jargon lives in the finding pages, not on page two.

01

Scope and rules of engagement

What was tested, the exact dates, what was excluded, and the constraints we tested under. If something is not in this section, the attestation does not cover it.

02

Executive summary

One page, plain English. The overall risk posture, severity counts, and the two or three decisions your company should make this week. Written for a reader with no security background.

03

Severity breakdown

Findings grouped by severity, with the rating method stated on the page rather than implied. Each finding also maps to its OWASP category.

04

Findings, one page each

Evidence, reproduction steps, and remediation guidance per finding. The field-by-field breakdown is below.

05

Provenance appendix

Which findings were detected by scanner modules and which were found manually by the engineer. Most vendors do not print this.

06

Re-test addendum

Appended after you fix. Every finding receives a final status, and the attestation letter is updated to match.

SEVERITY

How findings are rated

Every finding is scored on likelihood and impact, aligned with the OWASP Risk Rating Methodology, and the rationale is printed next to the rating. Severity inflation is the quiet scam of this industry: a missing header rated HIGH makes a report look thorough on page one and untrustworthy by page twelve. Our counts stay honest, so a CRITICAL from us means exactly that.

CRITICAL

A direct path to data exposure or account takeover that is exploitable now. You hear about it within an hour of confirmation, mid-engagement, never held back for the report.

HIGH

An exploitable weakness with serious impact. Prioritize it this sprint; the re-test expects it fixed.

MEDIUM

A real weakness that needs preconditions, chaining, or an authenticated position. Schedule it deliberately.

LOW

Hardening gaps and defense-in-depth misses. Batch them into normal maintenance.

INFO

Observations worth knowing, not risks. Never inflated into findings to pad the count.
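The scale above, worked through as code. This is an added example and not Ghost Protocol's scoring tool: it implements the OWASP Risk Rating Methodology's sixteen 0-9 factors and its severity matrix as published, maps OWASP's lowest cell ("Note") onto this page's INFO, and rates two constructed findings, an unauthenticated IDOR and a missing HSTS header, to show why a header cannot land at HIGH once likelihood and impact are both printed. The factor values for both findings are assumptions chosen for the example.

```python
"""OWASP Risk Rating Methodology, worked end to end.

Added example: not Ghost Protocol's scoring code. The factor names, 0-9 scales,
bands and matrix are OWASP's; the two sample findings below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean

# OWASP factor groups. Every factor is an integer from 0 (negligible) to 9 (severe).
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# OWASP's overall severity matrix, keyed (likelihood band, impact band).
# OWASP calls the lowest cell "Note"; this page's scale calls it INFO.
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "INFO",    ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def band(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _avg(factors: dict[str, int], names: tuple[str, ...]) -> float:
    """Average one factor group, refusing missing or out-of-range values."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for n in names:
        v = factors[n]
        if not (isinstance(v, int) and 0 <= v <= 9):
            raise ValueError(f"{n} must be an integer 0-9, got {v!r}")
    return mean(factors[n] for n in names)


@dataclass
class Rating:
    severity: str
    likelihood: float
    impact: float
    rationale: str   # the text that belongs next to the rating on the finding page


def rate(factors: dict[str, int]) -> Rating:
    """Likelihood = average of the 8 threat-agent and vulnerability factors.
    Impact = average of the business factors when all four are estimated,
    otherwise the technical factors (OWASP's stated fallback)."""
    likelihood = _avg(factors, THREAT_AGENT + VULNERABILITY)
    technical = _avg(factors, TECHNICAL_IMPACT)
    has_business = all(n in factors for n in BUSINESS_IMPACT)
    impact = _avg(factors, BUSINESS_IMPACT) if has_business else technical
    lb, ib = band(likelihood), band(impact)
    severity = SEVERITY_MATRIX[(lb, ib)]
    rationale = (f"likelihood {likelihood:.2f} ({lb}) x "
                 f"{'business' if has_business else 'technical'} impact {impact:.2f} ({ib}) "
                 f"-> {severity}")
    return Rating(severity, likelihood, impact, rationale)


# Constructed sample: unauthenticated IDOR returning other customers' records.
IDOR = dict(skill_level=3, motive=9, opportunity=9, size=9,
            ease_of_discovery=7, ease_of_exploit=9, awareness=9, intrusion_detection=8,
            loss_of_confidentiality=7, loss_of_integrity=1,
            loss_of_availability=1, loss_of_accountability=7,
            financial_damage=7, reputation_damage=9, non_compliance=7, privacy_violation=7)

# Constructed sample: missing Strict-Transport-Security header.
# Exploiting it needs an on-path position, so ease_of_exploit stays at 1 (theoretical).
MISSING_HSTS = dict(skill_level=3, motive=1, opportunity=4, size=9,
                    ease_of_discovery=9, ease_of_exploit=1, awareness=9, intrusion_detection=8,
                    loss_of_confidentiality=2, loss_of_integrity=1,
                    loss_of_availability=0, loss_of_accountability=1,
                    financial_damage=1, reputation_damage=1, non_compliance=2, privacy_violation=1)

if __name__ == "__main__":
    for name, f in (("IDOR", IDOR), ("Missing HSTS", MISSING_HSTS)):
        print(f"{name}: {rate(f).rationale}")
```

Run as a script it prints the IDOR as CRITICAL (likelihood 7.88 HIGH, business impact 7.50 HIGH) and the missing header as LOW (likelihood 5.50 MEDIUM, impact 1.25 LOW). Drop the four business factors from the IDOR and it falls back to technical impact (4.00, MEDIUM) and comes out HIGH, which is why the letter's severity counts and the finding page's rationale have to come from the same factor table.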

FINDING PAGE

One finding, field by field

Each finding is a self-contained page a developer can act on without asking us anything. If a vendor's finding page has a title, a score, and a paragraph copied from a scanner knowledge base, that is a triage ticket, not a finding.

FINDING ID + TITLE

A stable identifier. The re-test addendum references it, so the fix trail is auditable.

SEVERITY + RATIONALE

The rating and the printed reasoning behind it, not a bare number.

AFFECTED ASSET

The exact endpoint, parameter, or component. No 'the application may be vulnerable' hedging.

EVIDENCE

Sanitized request and response excerpts or screenshots proving the issue is real, not inferred from a version banner.

REPRODUCTION STEPS

Numbered steps your engineer can replay in staging without emailing us first.

REMEDIATION

A specific fix written for your stack, not a paragraph pasted from a scanner knowledge base.

REFERENCES

The OWASP category the finding maps to, for your compliance crosswalk.

PROVENANCE TAG

Where the finding came from: a named scanner module, or manual testing by the engineer.

PROVENANCE

Where each finding came from

Every finding is tagged with its origin, and the appendix totals the split. Most vendors do not show this, because it would reveal how much of the deliverable was a tool run. We show it because it is the most honest number in the report: you can see exactly what the engineer's time produced.

Scanner-detected, engineer-verified

Detected by one of PhantomDragon's 75+ scanner modules (50 modules across a 17-phase pipeline), then reproduced by a human before it enters the report. Nothing ships on scanner output alone. The tag names the module that fired, the same engine we ran against our own app and published the results of.

Engineer-found, manual

Business-logic abuse, authorization chains, price tampering, multi-step attack paths. The classes of bug pattern-matching cannot see, found by the engineer assigned to your engagement. These are usually the findings that matter most.
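The finding-page fields and provenance tags above, and the JSON + SARIF developer format listed under deliverables, as one added example. This is not Ghost Protocol's exporter: it models a finding with the fields the finding page carries, emits a SARIF 2.1.0 log of the kind SonarQube, GitHub Advanced Security and CI tooling ingest, keeps the pentest severity and provenance tag in SARIF's properties bag (SARIF's own levels are only error, warning and note), sets partialFingerprints from the stable finding ID so a consumer can match a re-test upload to the earlier result, and recomputes the provenance split from the export. The finding IDs, URLs, rule text and the scanner module name "headers-module" are constructed for the example.

```python
"""Findings -> SARIF 2.1.0, so a pentest finding becomes a CI or ticket record.

Added example, not Ghost Protocol's exporter. The Finding fields mirror the
finding page on this site; IDs, URLs, module name and rule text are constructed.
"""
from __future__ import annotations
import json
from dataclasses import dataclass

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# SARIF only knows error / warning / note; the pentest severity travels in the properties bag.
LEVEL_FOR = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note", "INFO": "note"}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # stable ID the re-test addendum references
    title: str
    severity: str     # CRITICAL / HIGH / MEDIUM / LOW / INFO
    rationale: str    # printed reasoning behind the rating
    asset: str        # exact endpoint, parameter or component
    owasp: str        # OWASP category, e.g. "A01:2021-Broken Access Control"
    provenance: str   # scanner module name, or "manual"
    remediation: str  # fix written for the target's stack


def to_sarif(findings, tool_name="pentest-export", tool_version="0.1") -> dict:
    """Build one SARIF run: one rule per OWASP category, one result per finding."""
    rules, rule_index, results = [], {}, []
    for f in findings:
        if f.severity not in LEVEL_FOR:
            raise ValueError(f"{f.finding_id}: unknown severity {f.severity!r}")
        if f.owasp not in rule_index:
            rule_index[f.owasp] = len(rules)
            rules.append({"id": f.owasp, "shortDescription": {"text": f.owasp}})
        results.append({
            "ruleId": f.owasp,
            "ruleIndex": rule_index[f.owasp],
            "level": LEVEL_FOR[f.severity],
            "message": {"text": f"{f.finding_id} {f.title}: {f.rationale} Fix: {f.remediation}"},
            # A web finding points at an endpoint. Consumers that expect a repository
            # path (GitHub code scanning does) need the asset mapped to a file instead.
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f.asset}}}],
            # partialFingerprints is the field consumers use to match a result across
            # uploads, so a fixed finding shows as resolved instead of as a new issue.
            "partialFingerprints": {"findingId/v1": f.finding_id},
            "properties": {"severity": f.severity, "provenance": f.provenance},
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def provenance_split(doc: dict) -> dict[str, int]:
    """The appendix number, recomputed from the export: results per provenance tag."""
    counts: dict[str, int] = {}
    for r in doc["runs"][0]["results"]:
        tag = r["properties"]["provenance"]
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed findings carrying the fields a finding page has.
SAMPLE = [
    Finding("F-001", "IDOR on invoice download", "CRITICAL",
            "Unauthenticated request returns any customer's invoice by ID.",
            "https://app.example.com/api/invoices/{id}", "A01:2021-Broken Access Control",
            "manual", "Enforce an ownership check on the invoice ID server-side."),
    Finding("F-002", "Price tampering in checkout", "HIGH",
            "Client-supplied unit_price is trusted by /checkout.",
            "https://app.example.com/checkout (unit_price)", "A04:2021-Insecure Design",
            "manual", "Recompute the price from the catalogue on the server."),
    Finding("F-003", "Missing Strict-Transport-Security", "LOW",
            "Header absent; exploitation needs an on-path attacker.",
            "https://app.example.com/", "A05:2021-Security Misconfiguration",
            "headers-module", "Send Strict-Transport-Security: max-age=31536000; includeSubDomains."),
]

if __name__ == "__main__":
    log = to_sarif(SAMPLE)
    print(json.dumps(log, indent=2))
    print("provenance split:", provenance_split(log))
```

The properties bag is the part worth copying: a SARIF consumer will show three levels, but the ticket it creates still carries the report's own severity and whether a human or a named module found it, so the provenance appendix can be rebuilt from the tickets rather than trusted from the PDF.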

RE-TEST

How the free re-test appears in the report

After you fix, we re-test at no extra charge and append an addendum: every finding receives a final status, and the attestation letter is reissued to match. The document that ends up circulating is the post-fix one, not the scary one.

This matters for compliance. For PCI DSS v4.0, our engagement covers only the external application-layer slice of requirement 11.4 (11.4.3, external penetration testing, plus the 11.4.4 loop of correcting exploitable vulnerabilities and re-testing), not internal or segmentation testing, and the addendum is what closes that 11.4.4 loop with dated evidence. Auditors get a before, an after, and a signature.

FIXED / STILL OPEN / RISK ACCEPTED

The three statuses a finding can carry in the addendum. RISK ACCEPTED is yours to declare, and the report records that it was your call, in writing.

ATTESTATION

The signed attestation letter

The attestation letter is a short signed document stating who tested what, when, how, and what the outcome was, without exposing a single technical detail. It is included in the fixed price, not an add-on.

Who performed the test: Ghost Protocol (Pvt) Ltd, with the engagement dates
The scope statement: the exact applications and APIs covered
The methodology: OWASP-aligned testing plus NIST SP 800-115
Results at severity-count level, no exploit detail
Re-test status after your fixes
Signature and date

Who it satisfies: SOC 2 auditors first. SOC 2 does not explicitly require a penetration test, but auditors expect one as monitoring evidence, commonly mapped to CC4.1, and the letter plus the report is that evidence. The full mapping is on our SOC 2 penetration testing page. Beyond audits, it is the attachment that answers enterprise vendor-security questionnaires and the one-pager investors ask for in due diligence.

BUYER EDUCATION

What a bad report looks like

The most common bad pentest report is a raw scanner export with a logo on the cover, and it is easy to spot once you know the tells.

Hundreds of findings, most of them informational. That is raw scanner output where noise inflates the count.
No reproduction steps anywhere. Nothing was proven, only detected.
Remediation text that reads identically across findings. It was copied from the scanner vendor's knowledge base.
No named methodology. 'Industry best practices' instead of OWASP or NIST SP 800-115.
Severity ratings with no rationale, so a missing header and an authentication bypass sit two lines apart as HIGH.
No provenance. You cannot tell whether a human ever read the output before it became your deliverable.

This matters because of what reports cost. 2026 published cost guides from DeepStrike, Blaze Infosec, Intruder, and Astra put typical web-app pentests at roughly $5,000 to $35,000+, and Fractional CISO's ranking prices quality engagements at $15,000 to $30,000. Paying five figures for a scanner dump is the worst outcome in this market. The full breakdown of who charges what, and why, is in our penetration testing cost guide.

CHECKLIST

How to evaluate any vendor's sample report

Ask every vendor on your shortlist for a sample report before signing, then run it through these ten checks. Including ours.

They will show you a sample report before you sign. Under NDA is normal; refusal is a red flag.
The executive summary is readable by a non-engineer and says what to do next.
The severity method is named (OWASP-aligned or CVSS-based), with a rationale on each finding.
Every HIGH and CRITICAL finding has reproduction steps.
Evidence is present: requests, responses, or screenshots, not assertions.
False positives are removed, and the report says who verified the findings.
You can tell tool-found from human-found.
Remediation reads like it was written for the target's stack.
Re-test terms are explicit: included or extra, and how the results appear in the final document.
The attestation letter is included in the quoted price, not sold separately.

QUESTIONS

Common questions

Can I share the report with customers or prospects?

Share the attestation letter; it exists for exactly that. It confirms scope, dates, methodology, and outcome with zero technical detail. The full report contains reproduction steps and evidence, so treat it as confidential: your team, your auditor, and enterprise reviewers under NDA.

What is the difference between the attestation letter and the full report?

The full report is the internal working document: every finding with evidence, reproduction steps, and remediation, plus the provenance appendix and the re-test addendum. The attestation letter is a signed one-to-two-page summary stating who tested what, when, by which methodology, and the severity-level outcome. Auditors usually want both; customers only need the letter.

How do I request the sample report?

Email [email protected] with the subject 'Pentest sample report'. We send a short mutual NDA, then an anonymized sample from a real engagement, usually within one business day. A downloadable sample built against a synthetic target is planned; until it ships, NDA is the honest route, because real reports contain real attack detail.

What formats does the real report arrive in?

Two PDFs (the executive report and the signed attestation letter) plus developer-format findings in JSON and SARIF for SonarQube, GitHub Advanced Security, or your CI pipeline. Everything is inside the fixed $2,499, including the updated report after the free re-test.

Read the report before you buy one. Anyone's.

Request our sample under NDA, run it through the checklist above, and do the same with every other vendor you are considering. Not ready for a pentest yet? The free Ghost Scan takes about a minute and costs nothing.

SAMPLE_UNDER_NDA // SYNTHETIC_SAMPLE_PLANNED // GLOBAL_DELIVERY