PentStark
Resources · Sample

Preview the engagement report structure.

An illustrative, redacted view of how findings, remediation context, control mapping, and retest evidence are organized.

Report structure

The preview uses a consistent information hierarchy so engineers can find remediation detail, auditors can locate control mapping, and leaders can scan the decisions that matter.

§1
Executive summary

One-page narrative for leadership and compliance owners. Counts by severity, MTTR trend, top three themes, and the concrete fix plan. Not marketing prose — numbers and decisions.

§2
Finding catalog

Every finding has the same shape: title, severity with CVSSv4 + business impact, scope, reproduction steps, PoC, fix guidance per layer (code, config, detection), CWE + CAPEC + ATT&CK, and retest status.

§3
Framework mapping

A control-by-control mapping to the framework(s) in scope (SOC 2 TSC, ISO 27001 Annex A, PCI-DSS, HIPAA Security Rule, OWASP ASVS). Your auditor gets the matrix. You get the narrative.

§4
Kill-chain narrative

Where applicable — red team and assume-breach engagements — a timelined narrative of the most interesting attack paths discovered, including pivot points and detection opportunities.

§5
Retest delta

After remediation: each finding re-verified. 'Fixed', 'partial', 'not fixed', 'not reproducible anymore'. This is the document your SOC / compliance team actually keeps.

sample-report.txt · redacted
═══════════════════════════════════════════════
PentStark · Engagement Report
Illustrative / redacted preview
Customer: Example organization
Window: Example engagement window
Scope: 2 apps · 3 APIs · 1 AWS account
═══════════════════════════════════════════════
 
§ Executive summary
• 4 criticals · 6 highs · 12 mediums · 18 lows
• Mean time to remediate: 4.2 days
• Regression rate on retest: 0%
• SOC 2 TSC evidence package: attached
 
§ Findings index
PS-1142 CRIT BOLA in /v2/orgs/:id/invoices
PS-1141 CRIT AD CS ESC1 — 'User' template
PS-1138 HIGH SSRF → IMDSv1 → prod-s3-read
PS-1129 HIGH OAuth redirect_uri allowlist bypass
...
 
§ Methodology
PTES · OWASP WSTG · OWASP ASVS L3 · MITRE ATT&CK
 
§ Appendices
A. Finding catalog (per-bug PoCs + fix guidance)
B. SOC 2 control-mapping matrix
C. MITRE ATT&CK coverage heat-map
D. Retest delta (pre-fix vs. post-fix)
Illustrative previewPTaaS formatControl mapping example

Want the full PDF?

Request an expanded redacted sample by email. Include your industry or assurance framework so the team can send the most relevant available example.

Email me the PDF
Talk to an operator

Your next finding is one scoping call away.

Thirty minutes with a real operator tells us what you need and what we can deliver. No BDR handoff, no sales engineer theater — the person you talk to is the person who scopes the work.

Talk to an expertBook a demo
Responses in < 1 business day