Sample Pentest Report

See What a CredShields Pentest Report Looks Like

See exactly what your team will receive.

A sanitized version of an actual CredShields pentest report: real findings, real reproduction steps, real remediation guidance, so your team and your auditor know what to expect before you sign.

What's Inside
28-page sanitized pentest report (PDF)
Executive summary + technical findings
OWASP ASVS coverage matrix
Sample reproducible PoC
Remediation guidance examples
01 // WHAT YOU GET

A real report from a real engagement.

Most vendors send a glossy PDF that looks like a sales deck. Our sample is the actual deliverable from a real client engagement (sanitized for confidentiality). Same structure, same depth, same evidence quality your team and your auditor will receive.

  • Executive summary written for non-technical readers
  • Detailed findings with severity rating, CVSS 3.1 score, and reproduction steps
  • OWASP ASVS L2/L3 coverage matrix per finding
  • Remediation guidance with code examples
CredShields-pentest-report-2026-Q3.pdf
EXECUTIVE SUMMARY
  · 4 critical, 7 high, 12 medium, 18 low
  · 87% of OWASP ASVS L2 verified
  · 6 business logic flaws identified
  · All findings reproduced w/ working PoC

FINDINGS BY CATEGORY
  Authentication           3 high, 2 medium
  Multi-tenant isolation   1 critical, 2 high
  Injection                0 (clean)
  Business logic           2 critical, 1 high
  Cryptography             2 medium, 3 low
  Session management       1 medium

REMEDIATION TIMELINE
  Critical    fix < 7 days
  High        fix < 30 days
  Medium      fix < 90 days

→ Continued for 28 pages with full PoCs

Report Sections

Every section, explained.

Executive Summary

One-page overview for stakeholders. Risk rating, critical findings, remediation roadmap. Written for board members and C-suite, not security engineers.

Methodology Document

How we tested. NIST SP 800-115, OWASP ASVS, PTES alignment. Tools used. Scope boundaries. Auditors reference this directly.

Findings Catalog

Every finding with severity, CVSS 3.1 score, OWASP category, MITRE ATT&CK technique, reproduction steps, impact assessment, remediation guidance, and CWE reference.

Sample Reproducible PoC

A walkthrough of one full PoC: cURL commands, request/response headers, expected vs observed behavior. Your engineers can replay it independently.
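
To make "expected vs observed" concrete, here is an added example of the shape a replayable PoC step can take: the request, the equivalent cURL line for the report, and an explicit comparison of what a correctly behaving server should return against what was actually observed. This is illustration code written for this page, not CredShields' harness and not a finding from the sample report; the host, endpoint, token, and the tenant-isolation scenario are hypothetical placeholders, and the two stand-in servers are constructed so the harness runs offline.

```python
"""Minimal replay harness for one reproducible PoC step.

Added example (not CredShields' code and not a finding from the sample report).
The host, endpoint, token and the tenant-isolation scenario are hypothetical.
"""
from dataclasses import dataclass, field
import shlex
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str]]          # (HTTP status, response headers)
Transport = Callable[["PoCStep"], Response]    # whatever actually sends the request


@dataclass
class PoCStep:
    title: str
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[str] = None
    # Behaviour a correctly implemented server shows; a deviation reproduces the finding.
    expected_status: int = 200
    expected_headers: Dict[str, str] = field(default_factory=dict)

    def as_curl(self) -> str:
        """Copy-pasteable cURL equivalent (-i keeps response headers, -s drops the progress bar)."""
        parts = ["curl", "-i", "-s", "-X", self.method]
        for name, value in self.headers.items():
            parts += ["-H", f"{name}: {value}"]
        if self.body is not None:
            parts += ["--data", self.body]
        parts.append(self.url)
        return " ".join(shlex.quote(p) for p in parts)

    def verify(self, observed: Response) -> Dict[str, object]:
        """Compare observed status/headers with the expected (secure) behaviour."""
        status, headers = observed
        lowered = {k.lower(): v for k, v in headers.items()}
        problems: List[str] = []
        if status != self.expected_status:
            problems.append(f"status: expected {self.expected_status}, observed {status}")
        for name, value in self.expected_headers.items():
            got = lowered.get(name.lower())
            if got != value:
                problems.append(f"header {name}: expected {value!r}, observed {got!r}")
        # reproduced == True means the server deviated from the expected behaviour,
        # i.e. the finding still reproduces against this target.
        return {"step": self.title, "reproduced": bool(problems), "problems": problems}


def replay(steps: List[PoCStep], transport: Transport) -> List[Dict[str, object]]:
    """Run every step through the transport and collect the verdicts."""
    return [step.verify(transport(step)) for step in steps]


def http_transport(step: PoCStep) -> Response:
    """Real transport using the standard library; use only against the in-scope target."""
    import urllib.error
    import urllib.request
    data = step.body.encode() if step.body is not None else None
    req = urllib.request.Request(step.url, data=data, headers=step.headers, method=step.method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:   # 4xx/5xx are still observations, not failures
        return err.code, dict(err.headers.items())


# Constructed stand-in transports so the harness runs offline (hypothetical servers).
def leaky_server(step: PoCStep) -> Response:
    """Does not enforce tenant isolation: serves any invoice id to any valid token."""
    return 200, {"Content-Type": "application/json"}


def fixed_server(step: PoCStep) -> Response:
    """Scopes lookups to the caller's tenant; foreign ids look non-existent."""
    return 404, {"Content-Type": "application/json"}


# Hypothetical step: tenant A's token asks for an invoice id that belongs to tenant B.
CROSS_TENANT_READ = PoCStep(
    title="Cross-tenant invoice read by id (hypothetical)",
    method="GET",
    url="https://api.example.test/v1/invoices/INV-B-001",
    headers={"Authorization": "Bearer <tenant-A token>"},
    expected_status=404,
)

if __name__ == "__main__":
    print(CROSS_TENANT_READ.as_curl())
    for verdict in replay([CROSS_TENANT_READ], leaky_server) + replay([CROSS_TENANT_READ], fixed_server):
        print(verdict)
```

The point of the structure is that the expected behaviour is written down next to the request rather than left implicit in a narrative: the same step object produces the cURL line that goes into the report and the pass/fail verdict an engineer gets when re-running it after a fix, so "fixed" means the observed response now matches the expected one, not that the page in the PDF was read differently.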

Coverage Matrix

OWASP ASVS L2/L3 verification map showing pass / fail / not applicable for every requirement tested. Drops directly into your audit binder.

Remediation Roadmap

Severity-prioritized fix order with effort estimates and risk-of-deferral notes. Includes architectural recommendations beyond per-finding fixes.

Want the actual PDF?
Drop your email below to receive the sanitized 28-page sample report. No sales call required.

Frequently Asked

Common questions, answered.

Why isn't the sample report just a download link?
It is. We deliver it via email with a single tracking pixel so we can follow up if you want a working session. No gating beyond that, no sales sequences, and you can unsubscribe with one click.
Is this an actual client report or a marketing artifact?
Actual client report, sanitized for confidentiality. The client granted permission to use it as a sample. Identifiers are scrubbed but the structure, depth, and finding quality are exactly what you'd receive.
How is this different from your competitors' sample reports?
Most competitor samples are sales-shaped: glossy formatting, generic findings, light on technical detail. Our sample is engineering-shaped: dense, technical, audit-ready, with reproducible PoCs. The difference is visible in five seconds.
Can I share this internally with my team?
Yes. The sanitized sample report is freely shareable internally. We just ask that you don't publish it externally without our permission since it represents a real engagement.
Does the sample show pricing?
No. Pricing is engagement-specific based on scope. We provide a written quote within 48 hours of a scoping call. The sample is purely about deliverable quality.
Can I see samples for other engagement types (mobile, API, cloud)?
Yes, on request. We have sanitized samples for web pentest, API pentest, mobile pentest, cloud security review, and red team engagement. Tell us which is closest to your scope.
Ready to ship secure?
Talk to a senior engineer. No SDR script, no slide deck. Just a working session about your stack.
Ready When You Are

The pentest your auditor will accept.
The findings your engineers will fix.

Continuous AppSec for SaaS, fintech, and regulated industries.

Fixed-Fee Pricing
No engineer-hour billing
Audit-Ready by Default
SOC 2, ISO, PCI, HIPAA
Engineer-Validated
Not scanner output