What an engagement report actually looks like.
A redacted PTaaS report from a recent fintech engagement. Every section below is the real template we ship — customer names and payloads redacted.
Report structure
Every report follows the same structure. The shape is a contract — engineers know where to find fix guidance, auditors know where to find control mapping, and leaders know where to find the number that matters.
One-page narrative for leadership and compliance owners. Counts by severity, MTTR trend, top three themes, and the concrete fix plan. Not marketing prose — numbers and decisions.
Every finding has the same shape: title, severity with CVSSv4 + business impact, scope, reproduction steps, PoC, fix guidance per layer (code, config, detection), CWE + CAPEC + ATT&CK, and retest status.
A control-by-control mapping to the framework(s) in scope (SOC 2 TSC, ISO 27001 Annex A, PCI-DSS, HIPAA Security Rule, OWASP ASVS). Your auditor gets the matrix. You get the narrative.
Where applicable — red team and assume-breach engagements — a timelined narrative of the most interesting attack paths discovered, including pivot points and detection opportunities.
After remediation: each finding re-verified. 'Fixed', 'partial', 'not fixed', 'not reproducible anymore'. This is the document your SOC / compliance team actually keeps.
═══════════════════════════════════════════════
PentStark · Engagement Report
Customer: Acme (redacted)
Window: 2026-01-03 → 2026-02-28
Scope: 2 apps · 3 APIs · 1 AWS account
═══════════════════════════════════════════════
§ Executive summary
• 4 criticals · 6 highs · 12 mediums · 18 lows
• Mean time to remediate: 4.2 days
• Regression rate on retest: 0%
• SOC 2 TSC evidence package: attached
§ Findings index
PS-1142 CRIT BOLA in /v2/orgs/:id/invoices
PS-1141 CRIT AD CS ESC1 — 'User' template
PS-1138 HIGH SSRF → IMDSv1 → prod-s3-read
PS-1129 HIGH OAuth redirect_uri allowlist bypass
...
§ Methodology
PTES · OWASP WSTG · OWASP ASVS L3 · MITRE ATT&CK
§ Appendices
A. Finding catalog (per-bug PoCs + fix guidance)
B. SOC 2 control-mapping matrix
C. MITRE ATT&CK coverage heat-map
D. Retest delta (pre-fix vs. post-fix)
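The executive-summary numbers (counts by severity, mean time to remediate, regression rate on retest) are derived from the per-finding records described in the structure section, so they can be computed rather than typed. The following is an added example, not PentStark's tooling: it validates a finding record against the field shape the page lists and computes the three metrics over a small catalog. The dataclass fields, the CVSS scores, the dates and the extra record PS-1101 are constructed for the example; "regression rate" is taken here to mean the share of retested findings that came back 'not fixed', which is an assumption about the page's definition.

```python
"""Summary metrics over a finding catalog shaped like the report template.
Added example; the record layout and all sample values are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

SEVERITIES = ("critical", "high", "medium", "low")
# Retest states as listed in the report structure above.
RETEST_STATES = ("fixed", "partial", "not fixed", "not reproducible anymore")


@dataclass(frozen=True)
class Finding:
    # Subset of the per-finding fields named on the page (assumed names).
    id: str
    title: str
    severity: str
    cvss: float                    # CVSS v4 base score, 0.0-10.0
    cwe: str                       # e.g. "CWE-639"
    reported: date                 # date the finding was delivered
    fixed: Optional[date] = None   # date the customer declared remediation
    retest: Optional[str] = None   # one of RETEST_STATES once re-verified


def validate(f: Finding) -> list[str]:
    """Return schema problems for one record; an empty list means well-formed."""
    problems = []
    if f.severity not in SEVERITIES:
        problems.append(f"{f.id}: unknown severity {f.severity!r}")
    if not 0.0 <= f.cvss <= 10.0:
        problems.append(f"{f.id}: CVSS {f.cvss} outside 0-10")
    if not f.cwe.startswith("CWE-"):
        problems.append(f"{f.id}: cwe must look like CWE-NNN")
    if f.retest is not None and f.retest not in RETEST_STATES:
        problems.append(f"{f.id}: unknown retest state {f.retest!r}")
    if f.fixed is not None and f.fixed < f.reported:
        problems.append(f"{f.id}: fixed before reported")
    if f.retest is not None and f.fixed is None:
        problems.append(f"{f.id}: retested without a remediation date")
    return problems


def counts_by_severity(findings: Iterable[Finding]) -> dict[str, int]:
    """Severity histogram in the order the executive summary prints it."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f.severity] += 1
    return counts


def mean_time_to_remediate(findings: Iterable[Finding]) -> Optional[float]:
    """Mean days from report to declared fix, over findings that have a fix date."""
    days = [(f.fixed - f.reported).days for f in findings if f.fixed is not None]
    return round(sum(days) / len(days), 1) if days else None


def regression_rate(findings: Iterable[Finding]) -> Optional[float]:
    """Percent of retested findings whose declared fix did not hold ('not fixed')."""
    retested = [f for f in findings if f.retest is not None]
    failed = [f for f in retested if f.retest == "not fixed"]
    return round(100 * len(failed) / len(retested), 1) if retested else None


# Constructed catalog: IDs and titles follow the findings index on the page,
# PS-1101 is invented, and every score and date is made up for the example.
SAMPLE = [
    Finding("PS-1142", "BOLA in /v2/orgs/:id/invoices", "critical", 9.3,
            "CWE-639", date(2026, 1, 10), date(2026, 1, 14), "fixed"),
    Finding("PS-1141", "AD CS ESC1 ('User' template)", "critical", 9.0,
            "CWE-284", date(2026, 1, 12), date(2026, 1, 19), "fixed"),
    Finding("PS-1138", "SSRF -> IMDSv1 -> prod-s3-read", "high", 8.1,
            "CWE-918", date(2026, 1, 15), date(2026, 1, 17), "fixed"),
    Finding("PS-1129", "OAuth redirect_uri allowlist bypass", "high", 7.4,
            "CWE-601", date(2026, 1, 20), date(2026, 1, 25), "not fixed"),
    Finding("PS-1101", "Verbose stack trace on /health", "low", 3.1,
            "CWE-209", date(2026, 1, 22)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        for p in validate(f):
            print("schema:", p)
    print(counts_by_severity(SAMPLE))
    print("MTTR days:", mean_time_to_remediate(SAMPLE))
    print("regression %:", regression_rate(SAMPLE))
```

Running the validator over the catalog before rendering the summary is the point: a record with a fix date earlier than its report date, or a retest state on a finding the customer never declared fixed, would silently skew MTTR and regression rate if it reached the metrics.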
Want the full PDF?
The full redacted sample is 48 pages. We send it over email (PGP-encrypted on request) within one business day. Include your industry in the subject and we'll tune the example to match.
Email me the PDF
Your next finding is one scoping call away.
Thirty minutes with a real operator tells us what you need and what we can deliver. No BDR handoff, no sales engineer theater — the person you talk to is the person who scopes the work.
