Report Guide
How to Read a Penetration Test Report
Turn technical findings into actionable remediation priorities.
A penetration test report contains an executive summary for leadership and detailed technical findings scored using the Common Vulnerability Scoring System (CVSS). Findings are rated Critical, High, Medium, Low or Informational. Organizations should prioritize remediation of Critical and High findings first, then address Medium issues in scheduled maintenance cycles.
Receiving a penetration test report can be overwhelming. Dozens of findings, unfamiliar scoring systems and dense technical language make it difficult to know where to start. This guide explains how to interpret the report structure, understand severity ratings and prioritize your remediation efforts for maximum security impact.
Report Structure
Anatomy of a Penetration Test Report
Executive Summary
The executive summary is written for non-technical leadership. It provides a high-level overview of the engagement scope, testing methodology, overall risk posture and key findings. This section translates technical vulnerabilities into business risk language. It typically includes a risk rating for the overall environment and highlights the most impactful findings. If you are a CTO, CISO or board member this is the section designed for you. It should answer three questions: how secure are we, what are the biggest risks and what should we fix first.
Scope and Methodology
This section documents what was tested and how. It lists the systems, networks and applications that were in scope, the testing approach used (black box, grey box or white box), the tools employed and the testing standards followed. At Sherlock Forensics we reference the Penetration Testing Execution Standard (PTES) and OWASP Testing Guide. This section provides context for the findings and helps you understand the boundaries of what was assessed.
Detailed Technical Findings
Each finding includes a title, severity rating, CVSS score, affected systems, a detailed description of the vulnerability, proof-of-concept evidence demonstrating exploitability, the potential business impact and step-by-step remediation guidance. Proof-of-concept evidence may include screenshots, command output, intercepted traffic or extracted data. This evidence proves the vulnerability is real and exploitable rather than theoretical. Technical teams should use these details to understand and reproduce the finding during remediation.
Remediation Guidance
Every finding includes specific remediation steps. These are not generic recommendations but targeted fixes for the exact vulnerability discovered in your environment. Remediation guidance addresses both the immediate fix and any underlying architectural issues that enabled the vulnerability. Some findings may include multiple remediation options ranging from quick mitigations to long-term architectural improvements. Your team should work through these recommendations in order of severity.
Scoring
Understanding CVSS Severity Ratings
The Common Vulnerability Scoring System (CVSS) is an industry-standard framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. The base score considers how the vulnerability is reached (attack vector), attack complexity, the privileges required, whether user interaction is needed, whether exploitation affects resources beyond the vulnerable component (scope) and the impact on confidentiality, integrity and availability. These metric values are recorded in a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which lets you recompute or challenge a score. The base score describes the vulnerability in isolation; it says nothing about where the affected system sits in your environment.
| Rating | CVSS Score | Action Required |
|---|---|---|
| Critical | 9.0 - 10.0 | Immediate remediation. Stop other work if necessary. |
| High | 7.0 - 8.9 | Remediate within days. Typically exploitable with few preconditions and leading to significant data exposure or system compromise. |
| Medium | 4.0 - 6.9 | Schedule remediation in the next maintenance cycle. |
| Low | 0.1 - 3.9 | Address when convenient. Low risk but still worth fixing. |
| Informational | N/A | Best practice recommendations. No immediate risk. |
Remediation Strategy
What to Action First
Start with Critical and High Findings
Critical and High severity findings represent the most dangerous vulnerabilities in your environment. These are the issues attackers are most likely to exploit first and they typically provide the most direct path to sensitive data or system compromise. Address these before anything else. If your team lacks the resources to fix everything at once, focus exclusively on Critical and High findings and schedule the rest for subsequent sprints.
Consider Business Context
CVSS base scores measure technical severity but they do not account for your specific business context. A Medium-severity finding on a system that processes payment card data may be more urgent than a High finding on an isolated development server. Work with your security team to overlay business criticality onto the CVSS ratings. CVSS provides a formal way to do this through its Environmental metrics: the Confidentiality, Integrity and Availability Requirements (CR, IR, AR) raise or lower a score according to how sensitive the affected asset is, and the modified base metrics let you record compensating controls such as network isolation. Systems that handle sensitive data, face the public internet or support critical business functions should receive higher remediation priority.
Request a Retest
After completing remediation request a retest from your penetration testing provider. A retest validates that fixes are implemented correctly and that no new vulnerabilities were introduced during remediation. The retest produces a supplemental report that documents which findings have been resolved and which remain open. This report is valuable evidence for compliance audits, board reporting and insurance renewals. Sherlock Forensics includes a retest window in every engagement.
Get Started
Need a penetration test with clear reporting?
Our reports are written for both technical teams and executive stakeholders.
Order Online
Questions About Your Report?
We provide a debrief session with every engagement to walk your team through the findings and discuss remediation strategies.
Call 604.229.1994
- Burnaby Office: Burnaby, BC, Canada
- Coquitlam Office: Coquitlam, BC, Canada