Pentest Reports

Overview

Pensar automatically generates comprehensive penetration testing reports for every pentest. These professional pentest reports fulfill standard compliance requirements (SOC 2, ISO 27001, PCI DSS, etc.) and provide the security testing documentation needed for audits, customer security questionnaires, and insurance requirements.

Reports are automatically emailed to you when they’re ready and can be accessed anytime in the Pensar Console.

Report Generation

Reports are generated automatically at the completion of each pentest:

1. Scan Completion

When your pentest completes, Pensar begins the report generation process automatically.

2. Data Aggregation

The AI agent aggregates all pentest data:

  • Vulnerability findings with severity levels
  • Attack surface mapping results
  • Proof-of-concept exploits
  • Reconnaissance activities
  • Remediation recommendations

3. PDF Creation & Delivery

The report is converted to PDF format and:

  • Emailed to all workspace members
  • Stored in the Pensar Console for download
  • Available for sharing with auditors or stakeholders

Report generation typically takes 5-15 minutes depending on the number of findings and complexity of the pentest.

Report Structure

Each pentest report follows a comprehensive structure designed for both technical and non-technical audiences:

Table of Contents

Quick navigation to all report sections with page numbers.

Executive Summary

High-level overview for stakeholders including:

  • Overall Risk Assessment: Summary of security posture
  • Key Findings: Critical and high-severity vulnerabilities
  • Statistics: Total findings by severity level
  • Business Impact: Potential consequences of identified vulnerabilities
  • Recommendations: Strategic security improvements

The executive summary is written in non-technical language suitable for executives, compliance officers, and business stakeholders.

Test Information

Detailed metadata about the pentest:

  • Project and workspace details
  • Scan duration and timing
  • Testing methodology (black-box vs. white-box)
  • Repository information (if applicable)
  • Branch or commit tested

Attack Surface Overview

Comprehensive mapping of tested assets:

  • Domains: All domains included in testing
  • Endpoints: Discovered and tested API endpoints
  • Applications: Web applications and services
  • Technologies: Detected technology stack

Vulnerability Details

For each finding, the report includes:

Affected Code (for white-box scans):

  • Exact file paths
  • Line numbers
  • Code snippets showing vulnerable code
  • Data flow analysis

Proof-of-Concept:

  • Working exploit demonstration
  • HTTP requests and responses
  • Command-line examples
  • Screenshots when applicable

Remediation:

  • Specific code changes required
  • Before/after code examples
  • Security best practices
  • Testing recommendations

References:

  • CWE classification
  • OWASP mapping
  • CVE references (if applicable)
  • Additional security resources

Testing Methodology

Documentation of the testing approach:

  • Reconnaissance techniques
  • Testing tools and methods
  • Coverage areas
  • Testing constraints or limitations

Remediation Summary

Prioritized list of all recommended fixes:

  • Quick reference table of all findings
  • Priority order for remediation
  • Estimated remediation effort
  • Dependencies between fixes

Conclusion

Final assessment including:

  • Overall security posture
  • Improvement trends (if applicable)
  • Strategic security recommendations
  • Next steps

SOC 2 Compliance

Pensar pentest reports are designed to satisfy SOC 2 audit requirements:

CC6.1 – Logical Access Controls

Ensures only authorized users can access systems and data through enforced least-privilege and access-control processes.

CC7.1 – Security Event Monitoring

Requires ongoing monitoring and alerting to identify anomalous activity or unauthorized system access.

CC7.2 – Change Detection & Change Management

Ensures changes to systems are reviewed, tested, approved, and tracked to reduce security risks.

CC7.3 – Incident Response

Requires a documented, repeatable process for detecting, investigating, and remediating security incidents.

Audit Trail

Reports include comprehensive audit trails:

  • Exact date and time of security testing
  • Scope of testing (domains, endpoints, code)
  • Findings with unique identifiers
  • Remediation status and timeline
  • Verification of fixes

Reports provide auditors with clear evidence that security testing is performed regularly and vulnerabilities are identified and remediated systematically.

Human Sign-Off

For organizations requiring manual review and certification of pentest reports, Pensar offers professional sign-off services.

To request a human-reviewed and signed pentest report, email team@pensarai.com.

Sign-Off Service Includes:

1. Expert Review

A certified pentester reviews your automated pentest report for:

  • Accuracy of findings
  • Completeness of testing
  • Validity of proof-of-concepts
  • Quality of remediation recommendations

2. Additional Testing

If needed, manual validation of:

  • Complex business logic vulnerabilities
  • Edge cases requiring human judgment
  • Sophisticated attack chains

3. Professional Certification

The report is updated to include:

  • Professional pentester’s sign-off
  • Certification statement
  • Engineer credentials and qualifications
  • Date of review and approval

4. Delivery

You receive an officially signed PDF report suitable for:

  • SOC 2 audits
  • Compliance requirements
  • Customer security questionnaires
  • Insurance requirements

Human sign-off services typically take 2-5 business days depending on report complexity and current demand.

Next Steps