Preview the engagement report structure.
An illustrative, redacted view of how findings, remediation context, control mapping, and retest evidence are organized.
Report structure
The preview uses a consistent information hierarchy so engineers can find remediation detail, auditors can locate control mapping, and leaders can scan the decisions that matter.
One-page narrative for leadership and compliance owners. Counts by severity, MTTR trend, top three themes, and the concrete fix plan. Not marketing prose — numbers and decisions.
Every finding has the same shape: title, severity with CVSSv4 + business impact, scope, reproduction steps, PoC, fix guidance per layer (code, config, detection), CWE + CAPEC + ATT&CK, and retest status.
A control-by-control mapping to the framework(s) in scope (SOC 2 TSC, ISO 27001 Annex A, PCI-DSS, HIPAA Security Rule, OWASP ASVS). Your auditor gets the matrix. You get the narrative.
Where applicable — red team and assume-breach engagements — a timelined narrative of the most interesting attack paths discovered, including pivot points and detection opportunities.
After remediation: each finding re-verified. 'Fixed', 'partial', 'not fixed', 'not reproducible anymore'. This is the document your SOC / compliance team actually keeps.
═══════════════════════════════════════════════PentStark · Engagement ReportIllustrative / redacted previewCustomer: Example organizationWindow: Example engagement windowScope: 2 apps · 3 APIs · 1 AWS account═══════════════════════════════════════════════§ Executive summary• 4 criticals · 6 highs · 12 mediums · 18 lows• Mean time to remediate: 4.2 days• Regression rate on retest: 0%• SOC 2 TSC evidence package: attached§ Findings indexPS-1142 CRIT BOLA in /v2/orgs/:id/invoicesPS-1141 CRIT AD CS ESC1 — 'User' templatePS-1138 HIGH SSRF → IMDSv1 → prod-s3-readPS-1129 HIGH OAuth redirect_uri allowlist bypass...§ MethodologyPTES · OWASP WSTG · OWASP ASVS L3 · MITRE ATT&CK§ AppendicesA. Finding catalog (per-bug PoCs + fix guidance)B. SOC 2 control-mapping matrixC. MITRE ATT&CK coverage heat-mapD. Retest delta (pre-fix vs. post-fix)
Want the full PDF?
Request an expanded redacted sample by email. Include your industry or assurance framework so the team can send the most relevant available example.
Email me the PDFYour next finding is one scoping call away.
Thirty minutes with a real operator tells us what you need and what we can deliver. No BDR handoff, no sales engineer theater — the person you talk to is the person who scopes the work.
