Practice penetration test report vocabulary: executive summary language, finding severity levels, CVSS score explanation, proof of concept sections, and remediation recommendation language.
1 / 5
A pentest report opens with an 'Executive Summary.' What is the purpose of this section?
The executive summary is written for the CISO, CFO, or board — not the engineering team. It should answer: what did the testers find? How serious is it? What is the business risk? What should we do first? Technical details belong in the findings section. A good executive summary uses phrases like 'an attacker could gain unauthorised access to customer data' rather than 'SQL injection in the /api/users endpoint allows UNION-based data extraction.'
2 / 5
A pentest report categorises findings as Critical, High, Medium, Low, and Informational. What typically distinguishes a 'Critical' finding from a 'High' finding?
Severity classification reflects both likelihood (exploitability) and impact. Critical: immediately exploitable, high impact, no authentication required, network-accessible — e.g., unauthenticated RCE, or SQL injection that dumps the entire user table. High: serious impact but with prerequisites — e.g., requires valid credentials, user interaction, or access from inside the network. Where a report maps severity to CVSS v3.x base scores, the usual bands are 9.0 to 10.0 Critical, 7.0 to 8.9 High, 4.0 to 6.9 Medium and 0.1 to 3.9 Low, but the tester should still adjust for business context (a High-rated bug on the payment service may be treated as Critical). The distinction drives remediation priority and urgency.
3 / 5
What does the 'Proof of Concept' (PoC) section of a pentest finding contain?
The PoC section proves the vulnerability is real and exploitable — not theoretical. It typically includes: the HTTP request with the malicious payload, the server response showing the data leak or error, a screenshot of the attacker's view, and numbered reproduction steps. The PoC allows the client's security team to validate the finding independently and helps developers understand the exact attack vector when fixing it.
4 / 5
A pentest report includes a 'Remediation Recommendation' for each finding. What language is typically used in this section?
Remediation recommendations should be specific and actionable, not vague. 'Improve input validation' is poor. 'Replace string concatenation in the user search query with a parameterised query (prepared statements, e.g., PDO in PHP), and add a regression test that submits the PoC payload' is good. Good remediation language: names the exact fix and where it applies, references the relevant standard or framework (OWASP, NIST), suggests verification steps so the client can confirm the fix, and sometimes includes a code example. The goal is for the developer to implement it without needing to consult the pentester.
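As an added illustration of the PoC and remediation cards above (this is example code written for this page, not taken from any real report or product), the following Python block puts the 'before' search query that a PoC would demonstrate next to its parameterised replacement, runs the PoC payload against both, and includes the kind of verification check a remediation recommendation would suggest. The table, column names, sample rows and the UNION payload are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from any real system): a users table with a
# password_hash column that the username search feature must never expose.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "$2b$12$alicehash"), ("bob", "$2b$12$bobhash")],
    )
    return conn


def search_users_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The 'before' code as a finding would quote it: user input concatenated
    # straight into the SQL string, so the quote character ends the literal.
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_users_fixed(conn: sqlite3.Connection, term: str) -> list:
    # Remediated version: the search term is bound as a parameter, so the
    # database treats the whole string (quotes, UNION and all) as data.
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# The payload exactly as a PoC section would reproduce it (constructed here).
# Against the vulnerable query it yields:
#   ... WHERE username LIKE '%' UNION SELECT password_hash FROM users --%'
# The trailing "--" comments out the rest of the original query.
UNION_PAYLOAD = "' UNION SELECT password_hash FROM users --"


def leaks_hashes(conn: sqlite3.Connection, search_fn) -> bool:
    # Verification step a remediation recommendation can cite: replay the PoC
    # payload and check whether any password hash comes back in the results.
    hashes = {row[0] for row in conn.execute("SELECT password_hash FROM users")}
    return any(result in hashes for result in search_fn(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_users_vulnerable(db, UNION_PAYLOAD))
    print("fixed:     ", search_users_fixed(db, UNION_PAYLOAD))
    print("normal use:", search_users_fixed(db, "ali"))
    print("leak before fix:", leaks_hashes(db, search_users_vulnerable))
    print("leak after fix: ", leaks_hashes(db, search_users_fixed))
```

The vulnerable function returns both usernames plus both password hashes, which is the 'server response showing the data leak' a PoC section would capture; the fixed function returns nothing for the payload and still returns `alice` for a normal search, and `leaks_hashes` is the regression check the client can keep running after the fix.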
5 / 5
What does 'Informational' severity mean in a pentest report?
Informational findings are the pentest equivalent of 'you should know about this, but it is not currently a vulnerability.' Examples: HTTP response headers revealing the server version (information disclosure that helps an attacker fingerprint targets), a self-signed TLS certificate on an internal service (no active vulnerability but a best-practice violation), or commented-out debug code. They improve security posture when addressed but do not require emergency remediation. The rating is context-dependent: the same self-signed certificate on a customer-facing site would normally be rated higher, because it conditions users to click through warnings and makes interception harder to detect. Including informational findings shows thoroughness and gives the client a picture of overall hygiene, not just the exploitable bugs.