Sample Pentest Report

See What a CredShields Pentest Report Looks Like

See exactly what your team will receive.

A sanitized version of an actual CredShields pentest report. Real findings, real reproduction steps, real remediation guidance. So your team and your auditor know what to expect before you sign.

What's Inside
  • Sanitized Web App & API audit report (PDF)
  • Executive summary with severity breakdown
  • OWASP WSTG & Top 10 methodology alignment
  • CWE classification per finding
  • Retest verification with remediation status
01 // WHAT YOU GET

A real report from a real engagement.

Most vendors send a glossy PDF that looks like a sales deck. Our sample is the actual deliverable from a real client engagement (sanitized for confidentiality). Same structure, same depth, same evidence quality your team and your auditor will receive.

  • Executive summary with severity breakdown and remediation overview
  • Findings catalogued by severity using OWASP Risk Rating Methodology (Likelihood × Impact)
  • Per-finding CWE classification, affected endpoint, and inline HTTP / cURL reproduction
  • Methodology aligned to OWASP WSTG, OWASP Top 10, and an internal real-world attack checklist
  • Retest verification with explicit status tags ([Fixed] / [Open] / [Acknowledged])
CredShields-pentest-report-2026-Q3.pdf
EXECUTIVE SUMMARY
  Engagement window      Jan 14 to Jan 22, 2026
  Retest window          Feb 19, 2026
  Total findings         13
  Severity breakdown     3 critical, 3 high, 1 medium, 6 low
  Methodology            OWASP WSTG, OWASP Top 10,
                         + internal real-world checklist

SEVERITY MODEL (OWASP Risk Rating)
  Risk = Likelihood × Impact
  Likelihood \ Impact   Low        Medium     High
  High                  Medium     High       Critical
  Medium                Low        Medium     High
  Low                   None       Low        Medium

SAMPLE FINDINGS
  C001 [Fixed] IDOR in trade creation
       CWE-639 (Insecure Direct Object Reference)
  C002 [Fixed] Unlimited minting via client-side
       count param manipulation
       CWE-840 (Business Logic Errors)
  H002 [Fixed] OAuth sign-up bypass
       CWE-287 (Improper Authentication)
  M001 [Fixed] Open redirect in sign-in flow
       CWE-601

// Each finding: description, affected endpoint,
// HTTP request samples, impact, remediation,
// and retest verification status.

Report Sections

Every section, explained.

Executive Summary

Severity breakdown table, engagement and retest windows, methodology references, and an "Assets in Scope" matrix. Written for stakeholders, not security engineers. Drops directly into board updates.

Methodology Document

How we tested. OWASP Web Security Testing Guide (WSTG), OWASP Top 10, and an internal real-world attack checklist. Scope and assumptions stated explicitly. Auditors reference this section directly.

Findings Catalog

Every finding with severity (OWASP Risk Rating: Likelihood × Impact), CWE classification, affected endpoint, inline HTTP/cURL reproduction, business impact assessment, and remediation guidance.

Sample Reproducible PoC

Every finding includes full cURL commands, raw HTTP requests with headers and body, and expected vs observed behavior. Your engineers can reproduce and re-verify each finding independently.

Retest Verification

After remediation, each finding is re-tested and tagged with status: [Fixed], [Open], or [Acknowledged]. The retest section confirms what was fixed, when, and how, providing audit-ready evidence of closure.

Remediation Roadmap

Per-finding remediation guidance with specific code-level and configuration recommendations. Severity-prioritized order, paired with architectural recommendations where individual fixes cascade across multiple findings.

Methodology & Affiliations

Anchored in recognized standards.

Engagements are conducted by CredShields Technologies PTE. LTD. (Singapore). Methodology is anchored in the OWASP Web Security Testing Guide (WSTG), OWASP Top 10, and an internal real-world attack checklist refined across hundreds of engagements. Severity follows OWASP Risk Rating Methodology. Findings include explicit CWE classification. The firm is AICPA SOC-aligned and is part of the OWASP Smart Contract Security Advocates community.
Want the actual PDF?
Drop your email below to receive the sanitized 28-page sample report. No sales call required.

Frequently Asked

Common questions, answered.

Why is the sample report behind an email form?
The sample is a sanitized version of an actual client engagement and we ask for an email so we can follow up if you want a working session. No SDR sequences, one-click unsubscribe, and the same address is used to send you the PDF.
Is this an actual client report or a marketing artifact?
Actual client report, sanitized for confidentiality. The client granted permission to use it as a sample. Identifiers are scrubbed but the structure, depth, and finding quality are exactly what you'd receive.
How is this different from competitors' sample reports?
Most competitor samples are sales-shaped: glossy formatting, generic findings, light on technical detail. The CredShields sample is engineering-shaped: dense, technical, with CWE classification, raw HTTP request samples, and retest verification on every finding. The difference is visible in five seconds.
Can I share this internally with my team?
Yes. The sanitized sample report is freely shareable internally. We just ask that you don't publish it externally without our permission since it represents a real engagement.
Does the sample show pricing?
No. Pricing is engagement-specific based on scope. We provide a written quote within 48 hours of a scoping call. The sample is purely about deliverable quality.
Why do reports use OWASP Risk Rating instead of CVSS?
CVSS is excellent for known CVEs in published software. Web application findings often involve business logic, multi-tenant isolation, and authorization flaws where CVSS's vector-string model fits awkwardly. OWASP Risk Rating (Likelihood × Impact) captures both technical and business context per finding, which is what your auditor and your engineering team both need. For clients who require CVSS scoring for internal vulnerability management workflows, we provide it on request alongside the OWASP rating.
What about ASVS coverage mapping?
OWASP ASVS is a verification standard; it is complementary to the WSTG-driven testing methodology we use. For SOC 2, ISO 27001, or audit engagements where ASVS L2/L3 coverage mapping is explicitly required, we deliver it as an addendum to the standard report. Most application engagements don't request it. The default report aligns to WSTG and OWASP Top 10, which auditors generally accept directly.
Can I see samples for other engagement types (mobile, API, cloud)?
The default sample is a Web Application and API audit, which is our most common engagement. We have sanitized samples available for mobile pentest, cloud security review, and other engagement types on request. Tell us which is closest to your scope and we'll send the matching sample.
Ready to ship secure?
Talk to a senior engineer. No SDR script, no slide deck. Just a working session about your stack.
Ready When You Are

The pentest your auditor will accept.
The findings your engineers will fix.

Continuous AppSec for SaaS, fintech, and regulated industries. Talk to a senior engineer — no SDR script, no slide deck, just a working session about your stack.

  • Fixed-Fee Pricing: no engineer-hour billing
  • Audit-Ready by Default: SOC 2, ISO, PCI, HIPAA
  • Engineer-Validated: not scanner output