Deliverable

External Penetration Test Report

Every engagement concludes with a formal report — written for engineers, summarised for the board, accepted by auditors.

finding-F-001.md
F-001 · High · CVSS 7.4

Reflected XSS in /search via `q` parameter

Affected
https://example.com/search?q=
Reproduction
GET /search?q=<svg/onload=alert(1)> HTTP/1.1
Host: example.com
Business impact
Attacker-controlled JavaScript executes in the victim's browser in the application's origin, enabling session theft and account takeover against any authenticated user who follows a crafted link.
Remediation
Apply context-aware HTML entity encoding to the `q` parameter before render, and enforce a strict Content-Security-Policy that disallows inline scripts.
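The "before" and "after" states of finding F-001, as an added example that is not part of the report sample: a hypothetical search-page render function that concatenates the raw `q` parameter next to the hardened version that applies HTML-body context encoding and sends a Content-Security-Policy without `'unsafe-inline'`. The CSP value and function names are assumptions for illustration.

```python
import html

# Constructed sample input: the reproduction payload quoted in finding F-001.
SAMPLE_PAYLOAD = "<svg/onload=alert(1)>"

# Hypothetical policy: no inline scripts, so even an encoding gap elsewhere
# cannot execute attacker-supplied script tags or event handlers.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
)


def render_search_vulnerable(q: str) -> str:
    """'Before' state: the query parameter is placed into HTML unencoded."""
    return f"<h1>Results for {q}</h1>"


def render_search_fixed(q: str) -> tuple[str, dict]:
    """'After' state: encode for the HTML element-content context and set CSP.

    html.escape(quote=True) encodes & < > " and ', which is the right encoder
    for element content and quoted attribute values. A value placed inside a
    <script> block, a URL or a CSS property needs that context's encoder instead.
    """
    body = f"<h1>Results for {html.escape(q, quote=True)}</h1>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_HEADER,
    }
    return body, headers


def payload_survives(rendered: str) -> bool:
    """Retest check: does the original payload appear verbatim in the response?"""
    return SAMPLE_PAYLOAD in rendered


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(SAMPLE_PAYLOAD))
    body, headers = render_search_fixed(SAMPLE_PAYLOAD)
    print("fixed:     ", body)
    print("csp:       ", headers["Content-Security-Policy"])
```

The `payload_survives` check is the kind of assertion a retest would record as evidence that the remediation closed the finding.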
Severity breakdown (example)
Critical: 1
High: 3
Medium: 5
Low: 2
Each finding is scored with a full CVSS v3.1 vector string and adjusted for your environment where justified.

Report structure

Eight sections, built for both your security team and your auditors.

01
Executive Summary

One page. Plain English. A non-technical decision-maker should be able to read this and understand what was tested, how bad it is, and what to do about it.

02
Scope & Rules of Engagement

In-scope assets, out-of-scope exclusions, testing window, allowed techniques, and written authorisation record.

03
Methodology

Six-phase engagement structure aligned with PTES and OWASP WSTG, including the CVSS v3.1 rating methodology used for every finding.

04
Findings Summary

A table of every finding with ID, title, severity, CVSS score, and affected asset — at-a-glance prioritisation for your engineering team.

05
Detailed Findings

Per-finding: severity, CVSS vector, affected asset, description, business impact, reproduction steps, evidence, remediation, and references.

06
Attack Narrative

Prose walkthrough of the most interesting attack chain found — written so a non-technical reader can follow it.

07
Remediation Roadmap

Prioritised fix list with effort estimates and recommended timelines (immediate / 30 days / 90 days).

08
Appendices

Tools used with versions, engagement timeline, evidence index, and a glossary of terms for non-technical readers.

Request the full sample

A redacted sample External Penetration Test Report, sent under NDA on request.