
Cybersecurity audit: What you must demand before hiring a pentest

15 April 2026 · 5 min read

When you hire a security audit, the real work doesn't end with the scan — it ends with the report. It is the deliverable that justifies the investment, guides the corrections, and may be required by clients, insurance, or regulators. A bad report can be worse than none at all. Here we explain what a serious one must contain.

Warning sign: If the "report" you are given is just a PDF exported from Nessus or an automated tool with no manual analysis, it is not a pentesting report — it is a scanning report. They are very different things.

Structure of a professional report

A complete pentesting report has two clearly differentiated parts: the executive report (for management and leadership) and the technical report (for the team that will fix the problems).

Part 1: Executive Report (for directors, managers, and non-technical leaders)

1. Scope summary

What exactly has been analyzed: domain(s), IPs, applications, time period. The client must be able to verify that what was agreed upon was done.

2. Executive summary of findings

A high-level view of the security status. How many vulnerabilities were found, of what criticality, and what is the overall risk assessment.

3. Criticality distribution chart

A chart showing how many vulnerabilities are Critical, High, Medium, Low, and Informational, so the overall status can be understood at a glance.

4. Business impact

Translation of technical findings into real business risk: what data could be compromised, what legal consequences could follow, and what the operational impact would be.

5. Priority recommendations

The 3-5 most urgent actions, ordered by impact, so management can allocate resources wisely.

Part 2: Technical Report (for developers, sysadmins, and the technical team)

1. Methodology used

What standards were followed (OWASP Testing Guide, PTES, OWASP WSTG), what tools were used, and what type of testing was performed (black, gray, or white box).

2. Detailed sheet per vulnerability

The heart of the report. Each finding must have: name and classification (CWE/CVE if applicable), CVSS score, technical description, steps to reproduce, evidence (screenshots, HTTP requests), and impact.

3. CVSS criticality classification

Each vulnerability must have an objective score according to the CVSS v3.1 standard. This allows prioritizing fixes objectively and comparably.

4. Specific remediation plan

Not "update plugins" — but which specific plugin, to which version, which line of code must change. The developer must be able to fix it without further research.

5. Classification by ease of exploitation

How much effort it takes to exploit each vulnerability. Combined with impact, it defines the real urgency of correction.

What sets a good report apart from a bad one

❌ Bad report
  • Only automated tool results
  • No manual validation of findings
  • Generic remediation ("update software")
  • No CVSS or objective prioritization
  • No evidence of real exploitation
  • No follow-up or retest included
✓ Good report
  • Manual + automated analysis
  • Every finding verified and exploited
  • Specific remediation with code
  • CVSS v3.1 per vulnerability
  • Screenshots and requests as evidence
  • Retest included at 30 days

How to read the report if you are not technical

If you are a company manager and receive a pentesting report, this is what you should look at first:

  1. Read the full executive summary — it is written for you.
  2. Look at the criticality distribution. If there are Critical or High vulnerabilities, they are an immediate priority.
  3. For each critical or high finding, read the "business impact" — what could happen if it's not fixed.
  4. Pass the technical report to your development or sysadmin team with the priorities set.
  5. Make sure the report includes a retest — the fix must be verified, not just promised.

This is what the report we deliver at Kodia looks like

Executive + technical report with each finding documented, CVSS Score, real evidence, and specific remediation plan. Retest included in all plans.

Looking for an audit with a real report?

Executive + technical report with real evidence

Every finding documented, verified, and with a specific correction plan. Retest included.