
Interpreting a pentest report: here’s how to read the results

Learn to read your pentest report: understand CVSS scores, prioritize findings and use the report as NIS2 evidence. A practical guide for IT managers.
Image: IT manager analysing a pentest report with a colour-coded CVSS risk matrix on a laptop screen in an office setting

TL;DR: A pentest report contains five parts: a management summary, scope and methodology, a summary of findings with CVSS scores, technical details with evidence (proof-of-concept), and concrete remediation recommendations. The CVSS score expresses severity (0 to 10), but priority depends on your specific business context. Focus first on vulnerabilities with the highest real-world impact and schedule a retest to prove the fixes work.

Why your pentest report deserves more attention

You have invested in a penetration test. After several weeks, you receive a PDF of dozens of pages, full of technical terms, score tables and screenshots. You are tempted to forward the document to your IT team and get on with business as usual.

That is exactly what you should not do. A pen test report is not an endpoint, but the starting point of a focused improvement program. This article will teach you how to read the report, prioritize the findings and use the document as a strategic tool for your organization. From CVSS scores to retest planning, after this article you will know what each item means and what to do with it.

The five components of a professional pentest report

A quality pen test report follows an established structure designed to serve both technical and non-technical readers. That structure is based on international standards such as PTES (Penetration Testing Execution Standard) and the OWASP Testing Guide.

1. Management summary (executive summary)
This section is written for directors and business managers. It describes in plain language what was tested, what the key risks are and what the recommended next steps are. A good executive summary does not talk about “SQL injection” but about “the risk of unauthorized access to your customer database.” According to Pentera research, 68% of decision makers read only the executive summary, so make sure that section gets the attention it deserves.

2. Scope and methodology
This section describes exactly which systems, networks or applications were tested, which test method was used (black box, grey box or white box) and according to which framework the test was performed. It tells you what was tested and, just as importantly, what was not.

3. Summary of findings
A visual dashboard showing the total number of vulnerabilities classified by severity (critical, high, medium, low, informational). This overview gives you an at-a-glance view of the overall security status.

4. Detailed technical findings
Each finding is described separately: what the problem is, how the pentester discovered it, what CVSS score it gets and what the proof (proof-of-concept, PoC) is. The PoC is the evidence that the vulnerability was actually exploited during the test, together with the steps needed to reproduce it. A report without PoCs is closer to an automated scan than to a true pentest.

5. Remediation recommendations
Each finding comes with a concrete recommendation: which patch, configuration change or architectural change solves the problem. Strong reports also include strategic recommendations that go beyond individual vulnerabilities.

Understanding CVSS scores: what do the numbers mean?

The Common Vulnerability Scoring System (CVSS) expresses the severity of each vulnerability as a score from 0.0 to 10.0. Many pentesters now use CVSS v4.0 (published by FIRST in 2023), which refines v3.1 by scoring the impact on the vulnerable system separately from the impact on other systems it can reach, and by adding an explicit Threat metric group. Reports based on v3.1 remain common and valid, but check which version a score refers to before comparing findings across reports.

The scores translate to five severity categories:

Severity | Score | What it means | Expected action
Critical | 9.0 to 10.0 | Immediate danger, often remotely exploitable without credentials | Address within 48 hours
High | 7.0 to 8.9 | Serious risk of data theft or system takeover | Resolve within 1 week
Medium | 4.0 to 6.9 | Limited risk, often requires authentication or complex interaction | Remedy within 30 days
Low | 0.1 to 3.9 | Minimal direct impact, but can serve as a stepping stone | Pick up within 90 days
Info (None) | 0.0 | No direct risk, best-practice recommendation | At next maintenance cycle

A common mistake is to look only at the base score. CVSS v4.0 distinguishes four metric groups: Base (the technical severity of the flaw itself), Threat (is the vulnerability being exploited in the wild, or does only a proof-of-concept exist?), Environmental (how exposed is the affected system in your network, and how much do its confidentiality, integrity and availability matter to your organization?) and Supplemental (additional context such as safety impact or automatability, which does not change the numeric score). For example, a finding with a base score of 9.3 can drop to 5.4 once your environment is taken into account: compensating measures such as network segmentation change the attack vector from Network to Adjacent, and an asset that holds no sensitive data gets low confidentiality and integrity requirements. Conversely, a low base score can rise if the vulnerability gives direct access to your Active Directory, whose confidentiality and integrity requirements are high.

Always ask your pentest partner for context with the scores. A number without explanation is a missed opportunity.

The most common findings among Flemish SMEs

Based on international pentesting reports and market data from 2025 and 2026 (including Rapid7’s “Under the Hoodie” and Pentera’s “State of Pentesting”), clear patterns are emerging among midsize companies. Flemish SMEs with 50 to 250 employees often operate a hybrid infrastructure in which legacy systems are coupled with cloud solutions, creating unique risks.

The vulnerabilities that pop up most often:

Weak or reused passwords and missing multifactor authentication (MFA) consistently rank at the top. The CCB confirms that identity has become the new perimeter: attackers log in more often than they break in. In addition, outdated software without security patches, improperly configured cloud environments (especially Microsoft 365), and missing network segmentation are recurring findings. In application testing, cross-site scripting (XSS) and SQL injection still appear in the OWASP Top 10.

A separate concern is the rise of business logic flaws: vulnerabilities that are not bugs in the code but errors in the process the application implements. Consider a web shop that accepts the discount percentage from the client: a tester changes the 10% in the API request to 100% and the order is accepted at no cost. You will find this kind of finding only in reports from pentesters who test manually; an automated scanner sees a well-formed request and a normal response.

From report to action: how do you prioritize vulnerabilities?

Faced with dozens of findings, paralysis sets in for many IT managers. Where do you start? The CVSS score alone is insufficient as a guide. Effective prioritization combines three factors:

1. Exploitability: is the vulnerability actively abused by attackers? CISA publishes a Known Exploited Vulnerabilities (KEV) catalog that you can use as a reference. A vulnerability on that list deserves immediate attention, regardless of its CVSS score.

2. Business impact: what are the consequences if this vulnerability is exploited? A critical vulnerability on a test system is less urgent than a medium vulnerability on your ERP system with customer data.

3. Attack position: is the system reachable from the Internet or only internally? Externally reachable vulnerabilities generally pose a higher risk, because an attacker needs no prior foothold in your network to reach them.

A practical four-level prioritization framework:

Priority | Characteristics | Recommended deadline
Urgent (Tier 0) | Actively exploited, critical system, Internet-facing | Within 24 to 48 hours
High (Tier 1) | Exploit available, sensitive data, few barriers | Within 7 days
Medium (Tier 2) | Theoretically exploitable, internal system, no active threat | Within 30 to 60 days
Low (Tier 3) | Hard to exploit, no direct business impact | Within 90 days

Not every vulnerability requires a patch. For legacy systems that can no longer be updated, apply compensating controls: additional network segmentation, stricter access control or monitoring through a SIEM solution. Record the residual risk and who accepted it, so the decision is visible in the next audit.
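The framework above, expressed as a small triage script (an added example, not code from the page or from Cyberplan). The finding fields (in_kev, exploit_available, exposure, asset_criticality) and the six sample findings are constructed for illustration; in a real run the findings would come from the pentester's export and in_kev from a lookup against the CISA KEV catalog. It goes slightly beyond the table by ordering findings within a tier by CVSS and attaching the deadline each tier implies, which is what you hand to the IT team:

```python
"""Triage of pentest findings into the four tiers described above
(added example; field names and sample findings are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    ref: str                 # report reference (constructed)
    title: str
    cvss: float              # base score as reported
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    exploit_available: bool  # public exploit or PoC exists
    exposure: str            # "internet" or "internal"
    asset_criticality: str   # "critical" (ERP, AD, customer data), "standard" or "test"


TIER_NAMES = {0: "Urgent", 1: "High", 2: "Medium", 3: "Low"}
TIER_DEADLINE_DAYS = {0: 2, 1: 7, 2: 60, 3: 90}  # upper bound of each tier's window


def tier(f):
    """Place a finding in Tier 0-3. Active exploitation, exposure and asset
    criticality decide the tier; the CVSS score only orders findings inside it."""
    internet = f.exposure == "internet"
    critical = f.asset_criticality == "critical"
    if f.in_kev and (internet or critical):
        return 0  # actively exploited where it hurts: hours, not weeks
    if f.in_kev or (f.exploit_available and (internet or critical)) or (internet and f.cvss >= 9.0):
        return 1  # exploit available, sensitive data or Internet-facing, few barriers
    if f.cvss >= 4.0 and f.asset_criticality != "test":
        return 2  # theoretically exploitable, internal, no active threat
    return 3      # hard to exploit or no direct business impact


def remediation_plan(findings, report_date):
    """Return the findings ordered by tier, then by CVSS, each with a deadline."""
    rows = []
    for f in findings:
        t = tier(f)
        rows.append({
            "ref": f.ref, "title": f.title, "cvss": f.cvss,
            "tier": t, "priority": TIER_NAMES[t],
            "due": report_date + timedelta(days=TIER_DEADLINE_DAYS[t]),
        })
    return sorted(rows, key=lambda r: (r["tier"], -r["cvss"]))


# Constructed sample findings, deliberately including a critical-CVSS issue on
# an isolated test host and a medium-CVSS issue on the ERP system.
SAMPLE_FINDINGS = [
    Finding("F-01", "Unauthenticated remote code execution on VPN appliance", 9.8, True, True, "internet", "critical"),
    Finding("F-02", "SQL injection in customer portal login", 8.2, False, True, "internet", "critical"),
    Finding("F-03", "Outdated web framework on internal test server", 9.1, False, False, "internal", "test"),
    Finding("F-04", "MFA not enforced on ERP administrator accounts", 6.5, False, False, "internal", "critical"),
    Finding("F-05", "Service account with weak password (Kerberoastable)", 7.5, False, True, "internal", "critical"),
    Finding("F-06", "Missing HTTP security headers on marketing site", 3.1, False, False, "internet", "standard"),
]
REPORT_DATE = date(2026, 3, 2)  # constructed


if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS, REPORT_DATE):
        print(f'{row["ref"]}  Tier {row["tier"]} ({row["priority"]:6})  '
              f'CVSS {row["cvss"]:<4}  due {row["due"]}  {row["title"]}')
```

Note how the ordering differs from a plain CVSS sort: the 9.1 on the test server lands in Tier 3, below the 6.5 on the ERP system and the 7.5 on the domain service account, because exposure and business impact, not the raw score, drive the tier.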

The retesting process: why follow-up is essential

The pentest does not end with the report. The most critical phase is validation through a retest. Without a retest, you have no objective proof that the vulnerabilities have actually been fixed. Market data shows that about 15% of organizations resolve only 10% or less of serious findings after the initial test. That is a blind spot executives cannot afford.

A retest proceeds in three steps. First, your IT team resolves the findings according to the prioritization framework. Then, you schedule a retest with your pentest partner, typically two to six weeks after the initial remediation. The retest focuses specifically on the previously found vulnerabilities and verifies that the fixes are effective as well as that they haven’t introduced new vulnerabilities.

The retest report is an addendum to the original report. Together they form a powerful file: the first document shows the risks found, the second proves that your organization has eliminated those risks. That combination is particularly valuable in audits and compliance reviews.

Your pentest report as NIS2 evidence

With Belgium’s NIS2 legislation (Law of April 26, 2024), cybersecurity for medium-sized companies in critical sectors is no longer optional. Essential entities must undergo regular compliance assessments, and the CCB’s CyberFundamentals framework explicitly refers to technical verification of security controls.

A quality pentest report serves as concrete evidence for multiple purposes. For NIS2 compliance, it demonstrates that your organization is taking appropriate technical measures to manage risk. For ISO 27001, it supports control A.8.8 (Management of Technical Vulnerabilities). Cyber insurers ask for additional security information in 93% of cases, and a pen test report with retest is a strong document in this regard. Finally, under NIS2, large customers are increasingly requesting a summary pentest report from their suppliers as part of supply chain audits.

Keep your pentest reports for at least three years. Together with the retest report, they form the audit trail that demonstrates that your organization is structurally working on risk management.

Where do you recognize an underwhelming report?

Not every document titled “pen report” offers the same value. Pay attention to these warning signs:

- The report contains only automated scan results without manual validation.
- Findings lack a proof-of-concept or reproduction steps.
- The management summary is too technical or missing altogether.
- No CVSS scores or risk ratings are used.
- Remediation recommendations are generic (“update your software”) rather than specific to your environment.
- The report does not describe an attack chain: how individual vulnerabilities combine into a larger compromise.

The difference in quality lies in human expertise. An automated scanner finds missing security headers; only an experienced pentester discovers that the complete customer database can be reached through API manipulation. Choosing the right pentest partner means investing in reports that deliver strategic value.

Frequently asked questions about pen test results

How long will it take to receive my pentest report?

Most pentest companies deliver the final report within five to ten business days of test completion. For critical findings (CVSS 9.0 or higher), you usually receive an interim notification during the test so you can act immediately.

Should I resolve all the findings of the report?

Not necessarily. Focus on the findings with the highest combination of exploitability and business impact. Informational findings are best-practice advice that you can include in the next maintenance cycle. Consciously document which risks you accept, and why.

Can I share my pentest report with clients or partners?

Never share the full technical report. That contains a detailed map of your vulnerabilities. Instead, share the management summary or ask your pen test partner for a “Letter of Attestation”: a statement that the test was performed and critical findings were fixed.

How often should I have a pen test performed?

An annual pentest of your core systems is the accepted best practice. An additional test is appropriate after major infrastructure changes, a migration to the cloud or the launch of a new application. Under NIS2, auditors expect periodic technical testing as part of your risk management measures. Learn more about the ideal pentest frequency.

What is the difference between a pentest report and a vulnerability scan report?

A vulnerability scan provides an automated list of potential vulnerabilities. A pen test report goes further: it includes evidence of actual exploitation, analysis of attack chains and contextual risk assessment. Only a pen test report shows what an attacker can actually achieve. You can read more about this difference here.

A report in human language makes a difference

The difference between a pentest report that ends up in a drawer and one that leads to action lies in translating technology into business language. At Cyberplan, 22 certified ethical hackers (OSCP, CISSP, CEH, CISM) deliver reports that are technically in-depth for your IT team and come with a clear management summary that non-technical executives understand, including concrete priorities, a remediation roadmap and retest support.

Want to know what your current security level is like? Book a no-obligation introductory meeting and find out how a professional pen test will make your organization stronger.