Why Reports Matter
The pentester discovers a critical RCE vulnerability and achieves Domain Admin access.
The vague report reads: "Found some issues. Recommend fixing them."
The client is confused. Nothing gets patched. Three months later, the same vulnerability is exploited by a real attacker.
The specific report reads: "Critical: Unauthenticated RCE via deserialization in /api/upload (CVSS 9.8). Remediation: Update to v2.1.4, implement input validation."
The client understands exactly what to fix. All vulnerabilities patched. The pentester gets repeat business.
Report Structure
Cover Page
The first impression. Contains: client name, assessment type, date range, classification level (Confidential), report version, and pentester contact info.
Executive Summary
Written for the CEO, not the sysadmin. No technical jargon. Summarizes overall risk, top business impacts, and recommended priorities in 150-300 words.
Scope & Methodology
Defines the boundaries: what IPs/domains were in scope, what was excluded, testing methodology (OWASP, PTES), tools used, and any limitations encountered.
Technical Findings
The heart of the report. Each vulnerability gets its own section with: title, severity (CVSS), description, proof of concept, business impact, and remediation steps.
Appendices
Supporting material: raw tool output, full credentials found, additional screenshots, and vulnerability scan results that support the findings.
Writing a Finding: Interactive
Scenario
You exploited a machine via an anonymous FTP login that contained backup credentials, which you used to authenticate to an internal MSSQL instance with xp_cmdshell enabled, giving you SYSTEM.
Now build the finding step by step.
1. Finding Title
Choose the best title for this finding:
2. Severity Rating (CVSS 3.1)
Adjust the CVSS sliders to rate this vulnerability:
3. Description
Fill in the blanks:
An ____ vulnerability was identified on ____ which allows an unauthenticated attacker to ____, resulting in ____.
4. Proof of Concept: Evidence Order
Drag the evidence screenshots into the correct chronological order:
5. Business Impact
Which statement is written for a business audience?
6. Remediation
Improve this vague remediation: "Fix the FTP server."
Executive Summary
Findings Summary
Write an executive summary for these findings. Target audience: the CEO.
Requirements Checklist
Report Assembly
Drag the report sections into the correct order to compile your report:
Report Tools
Create a New Project
In SysReptor, click New Project. Select the "Pentest Report" template. Fill in client name, date range, and assessor details.
Add Findings
Click Add Finding. Use the finding template: fill in title, severity, description, PoC, impact, and remediation. SysReptor auto-formats CVSS scores.
Write Executive Summary
Navigate to the Executive Summary section. Use the rich text editor to write your summary. SysReptor includes a findings count widget automatically.
Export PDF
Click Export > PDF. Choose your template style. The report compiles with professional formatting, table of contents, and consistent branding.
Report Writing Course Complete!
You've learned the structure, practiced writing findings, composed an executive summary, assembled a report, and explored professional tools.