THE REPORT, PAGE BY PAGE
This is the anatomy of the report a fixed-price penetration test produces: every section, in order, with nothing airbrushed.
There is no fake download button on this page. The real sample is an anonymized report from a live engagement, and we share it under NDA on request. Below is exactly what it contains, so you can evaluate it, or any other vendor's report, before you spend anything.
What arrives in your inbox
One engagement produces two documents, the executive PDF report and a signed attestation letter, delivered 5 to 7 days after kickoff and included in the fixed $2,499 price. Alongside them: developer-format findings, a 30-minute walkthrough call, and a free re-test after you fix. Nothing on this list is an upsell. Expedited 72-hour delivery is available for teams up against an audit date ($1,000; most teams do not need it).
Executive PDF report
The full working document: scope, executive summary, severity breakdown, one page per finding, provenance appendix, re-test addendum. Written so page two works for a CFO and page twelve works for a developer.
Signed attestation letter
A short signed PDF stating who tested what, when, by which methodology, and the outcome at severity level. The document you hand to auditors, enterprise reviewers, and investors.
Developer JSON + SARIF
Machine-readable findings for SonarQube, GitHub Advanced Security, or your CI pipeline, so remediation becomes tickets instead of screenshots of a PDF.
Not budgeting for a pentest yet? The free Ghost Scan checks your site across 9 surface categories in about a minute, no card, no signup. It is the honest starting point before any report matters.
Anatomy of the report
The report is organized so the first two pages work for a CFO and the rest works for the engineer who has to fix things. The executive summary is deliberately non-technical: if a reader with no security background cannot finish it and know what the company should do next, we consider it badly written. Jargon lives in the finding pages, not on page two.
Scope and rules of engagement
What was tested, the exact dates, what was excluded, and the constraints we tested under. If something is not in this section, the attestation does not cover it.
Executive summary
One page, plain English. The overall risk posture, severity counts, and the two or three decisions your company should make this week. Written for a reader with no security background.
Severity breakdown
Findings grouped by severity, with the rating method stated on the page rather than implied. Each finding also maps to its OWASP category.
Findings, one page each
Evidence, reproduction steps, and remediation guidance per finding. The field-by-field breakdown is below.
Provenance appendix
Which findings were detected by scanner modules and which were found manually by the engineer. Most vendors do not print this.
Re-test addendum
Appended after you fix. Every finding receives a final status, and the attestation letter is updated to match.
How findings are rated
Every finding is scored on likelihood and impact, aligned with the OWASP Risk Rating Methodology, and the rationale is printed next to the rating. Severity inflation is the quiet scam of this industry: a missing header rated HIGH makes a report look thorough on page one and untrustworthy by page twelve. Our counts stay honest, so a CRITICAL from us means exactly that.
A direct path to data exposure or account takeover that is exploitable now. You hear about it within an hour of confirmation, mid-engagement, never held back for the report.
An exploitable weakness with serious impact. Prioritize it this sprint; the re-test expects it fixed.
A real weakness that needs preconditions, chaining, or an authenticated position. Schedule it deliberately.
Hardening gaps and defense-in-depth misses. Batch them into normal maintenance.
Observations worth knowing, not risks. Never inflated into findings to pad the count.
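The arithmetic behind "scored on likelihood and impact, aligned with the OWASP Risk Rating Methodology", as an added worked example (this is illustration code, not the vendor's scoring tool). Each likelihood and impact factor is scored 0 to 9, the factors are averaged, the averages are bucketed at 3 and 6, and the two bands are combined in the methodology's overall-severity table. The two findings scored here are hypothetical and their factor values are assumptions chosen to show why a missing security header lands at LOW while checkout price tampering lands at CRITICAL, with the rationale string a finding page would print next to the rating.

```python
"""OWASP Risk Rating arithmetic. Added worked example, not the vendor's scoring tool."""
from statistics import mean

# Every factor is scored 0-9 as in the OWASP Risk Rating Methodology.
# Likelihood averages the threat-agent and vulnerability factors; impact
# averages the technical impact factors. Averages are bucketed at 3 and 6.


def band(score):
    """0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity, impact band x likelihood band, as printed in the
# methodology's table. OWASP calls the LOW x LOW cell "Note"; that is the
# observations-only tier described above.
OVERALL = {
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
}


def rate(likelihood, impact):
    """Return the severity plus the printed rationale a finding page should carry."""
    l, i = mean(likelihood.values()), mean(impact.values())
    lb, ib = band(l), band(i)
    sev = OVERALL[ib][lb]
    rationale = (f"likelihood {l:.2f} ({lb}) x impact {i:.2f} ({ib}) -> {sev}; "
                 + ", ".join(f"{k}={v}" for k, v in {**likelihood, **impact}.items()))
    return {"severity": sev, "likelihood": l, "impact": i, "rationale": rationale}


# Constructed factor scores for two hypothetical findings (assumptions chosen
# to illustrate the method, not values from any real report). Higher always
# means "more likely" or "worse": skill_level 9 is "no technical skills needed".
EXAMPLES = {
    "missing-security-header": (
        {"skill_level": 5, "motive": 1, "opportunity": 4, "size": 6,
         "ease_of_discovery": 9, "ease_of_exploit": 3, "awareness": 9,
         "intrusion_detection": 8},
        {"confidentiality": 2, "integrity": 1, "availability": 1, "accountability": 1},
    ),
    "checkout-price-tampering": (
        {"skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
         "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 6,
         "intrusion_detection": 9},
        {"confidentiality": 7, "integrity": 9, "availability": 1, "accountability": 7},
    ),
}


def rate_examples():
    """Score both constructed findings; returns name -> rating dict."""
    return {name: rate(l, i) for name, (l, i) in EXAMPLES.items()}


if __name__ == "__main__":
    for name, r in rate_examples().items():
        print(f"{name}: {r['severity']}\n  {r['rationale']}")
```

The point of printing the factor list in the rationale is the one the paragraph makes: a reader can see that the header finding scores likelihood 5.63 (MEDIUM) and impact 1.25 (LOW), so anyone rating it HIGH has to explain which factor they inflated.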
One finding, field by field
Each finding is a self-contained page a developer can act on without asking us anything. If a vendor's finding page has a title, a score, and a paragraph copied from a scanner knowledge base, that is a triage ticket, not a finding.
A stable identifier. The re-test addendum references it, so the fix trail is auditable.
The rating and the printed reasoning behind it, not a bare number.
The exact endpoint, parameter, or component. No 'the application may be vulnerable' hedging.
Sanitized request and response excerpts or screenshots proving the issue is real, not inferred from a version banner.
Numbered steps your engineer can replay in staging without emailing us first.
A specific fix written for your stack, not a paragraph pasted from a scanner knowledge base.
The OWASP category the finding maps to, for your compliance crosswalk.
Where the finding came from: a named scanner module, or manual testing by the engineer.
Where each finding came from
Every finding is tagged with its origin, and the appendix totals the split. Most vendors do not show this, because it would reveal how much of the deliverable was a tool run. We show it because it is the most honest number in the report: you can see exactly what the engineer's time produced.
Scanner-detected, engineer-verified
Detected by one of PhantomDragon's 75+ scanner modules, run as a 17-phase pipeline, then reproduced by a human before it enters the report. Nothing ships on scanner output alone. The tag names the module that fired; it is the same engine we ran against our own application and published the results of.
Engineer-found, manual
Business-logic abuse, authorization chains, price tampering, multi-step attack paths. The classes of bug pattern-matching cannot see, found by the engineer assigned to your engagement. These are usually the findings that matter most.
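What the developer JSON + SARIF deliverable and the provenance split look like in machine-readable form, as an added example (not the vendor's exporter): a finding record with the fields listed under "One finding, field by field", a SARIF 2.1.0 log that GitHub code scanning or SonarQube can ingest, a pre-upload sanity check, and the appendix total of scanner-detected versus engineer-found findings. The three sample findings, the tool name, the numeric `security-severity` values and the property names under `properties` are constructed assumptions; the SARIF structure (`runs[].tool.driver.rules`, `runs[].results`, `level` of error/warning/note/none) and GitHub's `security-severity` buckets are as the formats define them.

```python
"""Export pentest findings as SARIF 2.1.0 for GitHub code scanning / SonarQube / CI.
Added example, not the vendor's exporter; the field names mirror the finding page."""
from collections import Counter
from dataclasses import dataclass

# Severity word -> SARIF result level, and -> GitHub code scanning's
# "security-severity" rule property (9.0+ critical, 7.0-8.9 high,
# 4.0-6.9 medium, 0.1-3.9 low). The numeric values chosen here are assumptions.
LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning",
         "LOW": "note", "INFO": "note"}
SECURITY_SEVERITY = {"CRITICAL": "9.5", "HIGH": "8.0", "MEDIUM": "5.5",
                     "LOW": "2.0", "INFO": "0.1"}


@dataclass
class Finding:
    id: str            # stable identifier; the re-test addendum references it
    title: str
    severity: str      # CRITICAL / HIGH / MEDIUM / LOW / INFO
    rationale: str     # the printed reasoning behind the rating
    location: str      # exact endpoint as a URI (SARIF's artifactLocation wants a URI)
    parameter: str     # the parameter or component at fault
    evidence: str      # sanitized request/response excerpt
    repro_steps: list  # steps a developer can replay in staging
    remediation: str   # fix written for the stack
    owasp: str         # OWASP category for the compliance crosswalk
    provenance: str    # "scanner:<module>" or "manual"


# Constructed sample findings for illustration; not from any real engagement.
SAMPLE_FINDINGS = [
    Finding("PD-0001", "Price tampering on checkout", "CRITICAL",
            "likelihood HIGH x impact HIGH",
            "https://app.example.test/api/checkout", "body.total",
            "POST with total=0.01 returned 200 and charged 0.01",
            ["Add any item to the cart", "Intercept POST /api/checkout",
             "Change total to 0.01 and replay"],
            "Recompute the total server-side from line items; ignore client totals",
            "A04:2021 Insecure Design", "manual"),
    Finding("PD-0002", "Reflected XSS in search", "HIGH",
            "likelihood HIGH x impact MEDIUM",
            "https://app.example.test/search", "q",
            "q=<svg/onload=1> reflected unencoded in the response body",
            ["Open /search?q=%3Csvg%2Fonload%3D1%3E", "Observe script execution"],
            "HTML-encode q on output; add a CSP without unsafe-inline",
            "A03:2021 Injection", "scanner:xss-reflect"),
    Finding("PD-0003", "Missing Content-Security-Policy header", "LOW",
            "likelihood MEDIUM x impact LOW",
            "https://app.example.test/", "response headers",
            "No Content-Security-Policy header on any response",
            ["curl -I https://app.example.test/"],
            "Send a CSP that disallows inline scripts and untrusted origins",
            "A05:2021 Security Misconfiguration", "scanner:header-audit"),
]


def to_sarif(findings, tool_name="pentest-report"):
    """Build a SARIF 2.1.0 log: one rule and one result per finding."""
    rules, results = [], []
    for f in findings:
        rules.append({
            "id": f.id,
            "shortDescription": {"text": f.title},
            "help": {"text": f.remediation},
            "properties": {"security-severity": SECURITY_SEVERITY[f.severity],
                           "tags": ["security", f.owasp]},
        })
        results.append({
            "ruleId": f.id,
            "level": LEVEL[f.severity],
            "message": {"text": f"{f.title} [{f.severity}: {f.rationale}]"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f.location}}}],
            # Extra fields the viewer may not render but a ticket template can read.
            "properties": {"parameter": f.parameter, "evidence": f.evidence,
                           "reproduction": f.repro_steps, "owasp": f.owasp,
                           "provenance": f.provenance},
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                      "results": results}]}


def provenance_split(findings):
    """The appendix total: findings from a scanner module vs. manual work."""
    return dict(Counter(f.provenance.split(":")[0] for f in findings))


def validate_sarif(doc):
    """Cheap pre-upload check: every result points at a declared rule and
    carries a known level, a message and at least one location."""
    problems = []
    run = doc["runs"][0]
    rule_ids = {r["id"] for r in run["tool"]["driver"]["rules"]}
    for r in run["results"]:
        if r.get("ruleId") not in rule_ids:
            problems.append(f"{r.get('ruleId')}: undeclared rule")
        if r.get("level") not in {"error", "warning", "note", "none"}:
            problems.append(f"{r.get('ruleId')}: bad level")
        if not r.get("message", {}).get("text") or not r.get("locations"):
            problems.append(f"{r.get('ruleId')}: missing message or location")
    return problems
```

Writing `json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2)` to a file gives the upload artifact; the `provenance` property on each result is what lets a CI job or a spreadsheet recompute the scanner/manual split for itself rather than trusting the appendix.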
How the free re-test appears in the report
After you fix, we re-test at no extra charge and append an addendum: every finding receives a final status, and the attestation letter is reissued to match. The document that ends up circulating is the post-fix one, not the scary one.
This matters for compliance. For PCI DSS v4.0, our engagement covers only the external application-layer slice of requirement 11.4: 11.4.3 (external penetration testing, which the standard requires at least once every 12 months and after significant changes) plus the 11.4.4 loop that requires exploitable findings to be corrected and re-tested. It does not cover internal or segmentation testing. The addendum is what closes the 11.4.4 loop with dated evidence: auditors get a before, an after, and a signature.
A finding carries one of three statuses in the addendum. RISK ACCEPTED is yours to declare, and the report records in writing that it was your call.
The signed attestation letter
The attestation letter is a short signed document stating who tested what, when, how, and what the outcome was, without exposing a single technical detail. It is included in the fixed price, not an add-on.
Who it satisfies: SOC 2 auditors first. SOC 2 does not explicitly require a penetration test, but auditors expect one as monitoring evidence, commonly mapped to CC4.1, and the letter plus the report is that evidence. The full mapping is on our SOC 2 penetration testing page. Beyond audits, it is the attachment that answers enterprise vendor-security questionnaires and the one-pager investors ask for in due diligence.
What a bad report looks like
The most common bad pentest report is a raw scanner export with a logo on the cover, and it is easy to spot once you know the tells.
This matters because of what reports cost. 2026 published cost guides from DeepStrike, Blaze Infosec, Intruder, and Astra put typical web-app pentests at roughly $5,000 to $35,000+, and Fractional CISO's ranking prices quality engagements at $15,000 to $30,000. Paying five figures for a scanner dump is the worst outcome in this market. The full breakdown of who charges what, and why, is in our penetration testing cost guide.
How to evaluate any vendor's sample report
Ask every vendor on your shortlist for a sample report before signing, then run it through these ten checks. Ours included.
Common questions
Can I share the report with customers or prospects?
What is the difference between the attestation letter and the full report?
How do I request the sample report?
What formats does the real report arrive in?
Read the report before you buy one. Anyone's.
Request our sample under NDA, run it through the checklist above, and do the same with every other vendor you are considering. Not ready for a pentest yet? The free Ghost Scan takes about a minute and costs nothing.