BastionSec
Proof · anonymized report

A report that holds up. See it before you trust us.

This is a real penetration test report, anonymized: no data traceable to any client. It shows how we work and what we deliver, because the best proof is the deliverable itself.

Why we show it to you

A technical buyer doesn't trust promises: they trust a report that holds up in front of their auditor. This sample is anonymized to respect confidentiality, the same confidentiality we apply to your data, but the rigor and format are identical to the real thing.

What's inside

pentest-report-sample.pdf (anonymized)

  • BastionSec: Penetration Test Report (SAMPLE / ANONYMIZED)
  • Scope: web application + API, grey-box
  • Methodology: OWASP · PTES · NIST 800-115
  • 1. Executive summary ............................... p.2
  • 2. Scope & methodology ............................. p.4
  • 3. Findings (by CVSS severity) ..................... p.6
      - F-01 [HIGH] CVSS 7.x Broken access control
      - F-02 [MEDIUM] CVSS 5.x Security misconfiguration
      - F-03 [LOW] CVSS 3.x Information disclosure
  • 4. Proof of Concept (sanitized) .................... p.11
  • 5. Remediation (by priority) ....................... p.15
  • 6. Retest results .................................. p.18

Demonstration preview. Data, names, hosts, IPs and screenshots are removed or fictional. No reference to any real client.

  • Executive summary

    Risk in one page, readable by a non-technical decision-maker.

  • Scope and methodology

    What was tested, with which approach (black/grey/white-box) and methodology (OWASP, PTES, NIST 800-115).

  • Findings with CVSS severity

    Each vulnerability with CVSS score, evidence and impact. Severity always with label and icon, never color alone.

  • Proof of Concept (PoC)

    Reproducible proof of the issue, safely and responsibly.

  • Remediation

    What to fix, by priority, not just what's broken.

  • Retest

    Verification after fixes: the report doesn't close until risk is genuinely reduced.

One finding, the way we write it

Sample structure (not real data).

Severity: High · CVSS 7.x
Title: Broken access control (example)
Component: API endpoint (generic)
Description: An authenticated user can access another user's resources by changing an identifier in the request.
Evidence / PoC: Sanitized demonstration request, reproducible in a controlled environment.
Remediation: Server-side authorization checks on every resource; object ownership checks.
Retest status: To verify after fixes
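The finding above, as an added example that is not part of the report or the BastionSec site: a minimal Python API handler with the F-01 flaw beside its hardened form, plus the check a retest would run against both. The invoice store, user ids and handler names are constructed for illustration.

```python
# Added example (not from the BastionSec report): the broken access control
# finding above as a vulnerable handler beside its hardened form.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: str


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: Invoice(101, owner_id=1, total="120.00"),
    102: Invoice(102, owner_id=2, total="980.00"),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    # F-01 as described: authentication only. Any logged-in user can read any
    # invoice simply by changing the identifier in the request.
    return INVOICES[invoice_id]


def get_invoice(session_user_id: int, invoice_id: int) -> Invoice:
    # Remediation: the ownership check runs server-side on every request and
    # uses the identity from the session, never an id supplied by the client.
    invoice = INVOICES.get(invoice_id)
    # Same response for "missing" and "not yours", so valid ids are not revealed.
    if invoice is None or invoice.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read invoice {invoice_id}")
    return invoice


def retest_cross_user_read(handler, requesting_user_id: int = 1,
                           other_users_invoice: int = 102) -> bool:
    # Retest step: True if a read of another user's invoice is now refused.
    try:
        handler(requesting_user_id, other_users_invoice)
    except Forbidden:
        return True
    return False
```

`retest_cross_user_read(get_invoice_vulnerable)` returns False and `retest_cross_user_read(get_invoice)` returns True, which is the evidence a retest section would record for F-01.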

A penetration test is a one-off snapshot. Security is an ongoing state.

With a retainer we test periodically and keep the proof alive in your Trust Center.