Growth Pentest Report
This is a redacted preview based on a real engagement covering two scopes across 10 calendar days. Identifying details have been replaced with fictional names (company: Acme SaaS, targets: app.acmesaas.io and api.acmesaas.io). Findings, methodology, severity ratings, and remediation guidance reflect the actual work. Sensitive details are marked [REDACTED].
Note on Startup Plan reports: the structure is identical. Startup Plan reports omit the SOC 2 + ISO 27001 compliance mapping section (which is exclusive to the Growth Plan).
Why this is HTML, not a downloadable PDF: You generate the PDF from this page using your browser's Save as PDF. No file download from us, no embedded JavaScript, no tracking pixels. Inspect the source if you want. Everything is served from cybersecify.com.
Growth Pentest Report
Web Application and REST API Security Assessment
Table of Contents
Executive Summary
Cyber Secify Consulting Pvt Ltd was engaged by Acme SaaS Pvt. Ltd. to conduct a grey-box penetration test of their primary SaaS platform and its supporting API infrastructure. The engagement covered two scopes: the web application at app.acmesaas.io (Scope 1) and the REST API at api.acmesaas.io/v2 (Scope 2).
The assessment was performed by a senior team led by Rathnakara GN (OSCP, CompTIA PenTest+) and Ashok S Kamat, following the OWASP Web Security Testing Guide (WSTG) v5.0, OWASP Application Security Verification Standard (ASVS) v4.0.3, and the Penetration Testing Execution Standard (PTES). The testing approach combined manual exploitation with automated scanning, focusing on business logic flaws, privilege escalation, and chained attack scenarios that automated tools typically miss.
Active testing ran from 12 February 2026 to 21 February 2026 across 10 calendar days (7 days web application, 3 days REST API), with reporting prepared concurrently. The v1.0 initial report was delivered on 21 February 2026 at the close of the engagement, in line with the Growth Pentest Plan 10 calendar day commitment. v2.0 captured the post first retest state on 10 March 2026 (11 of 13 findings remediated). This v2.1 final report supersedes v2.0 and reflects the post sanity retest state captured on 21 March 2026 (all 13 findings remediated).
Key Statistics
Business Impact Summary
The most significant risk to Acme SaaS is the combination of an Insecure Direct Object Reference (IDOR) vulnerability in the billing API and a broken authentication flaw in the API token refresh mechanism. Together, these findings mean that any authenticated user on the platform can access billing records belonging to other organisations, and a compromised or expired token can be refreshed indefinitely without re-authentication. For a B2B SaaS platform handling financial transactions, these represent direct threats to customer trust, regulatory compliance, and revenue.
If exploited, the IDOR vulnerability alone could expose the billing records (names, addresses, invoice amounts, partial payment details) of every organisation on the platform. This would likely trigger mandatory breach notification obligations under India's Digital Personal Data Protection Act and, for any EU-based customers, under GDPR. The reputational cost to a SaaS company during a fundraise or enterprise sales cycle could be substantial.
Top 3 Priority Findings
| Priority | Finding | Severity | Why It Matters |
|---|---|---|---|
| 1 | IDOR in Billing API | Critical | Any user can read any other organisation's invoices and payment data. |
| 2 | SQL Injection in Search | Critical | Database extraction possible through the search endpoint. Full data compromise risk. |
| 3 | Broken Auth on Token Refresh | High | Expired API tokens can be refreshed indefinitely, defeating session timeout controls. |
Strategic Recommendation
We recommend Acme SaaS treat the two critical findings as P0 incidents and remediate them before the next production release. The billing API IDOR requires adding server-side organisation-level authorization checks (estimated effort: 2 to 4 hours of engineering time). The SQL injection requires migrating the search endpoint to parameterized queries (estimated effort: 4 to 8 hours). Once these are resolved, the remaining high and medium findings should be addressed within the next two sprint cycles. The compliance evidence package (Section 7) maps all findings to SOC 2 and ISO 27001 controls, which will be directly useful for Acme SaaS's upcoming SOC 2 Type 2 audit preparation.
Scope and Methodology
In-Scope Targets
| Scope | Target | Type | Environment | Testing Window |
|---|---|---|---|---|
| Scope 1 | app.acmesaas.io | Web Application | Staging (full test), Production (read-only validation) | 7 calendar days |
| Scope 2 | api.acmesaas.io/v2 | REST API | Staging | 3 calendar days |
Testing Approach
Grey-box testing was performed with authenticated access. The Acme SaaS engineering team provided two sets of credentials: a standard user account (Member role) and an administrator account (Admin role). This approach simulates both external attacker scenarios (credential compromise, account takeover) and insider threat scenarios (malicious or compromised employee).
Manual testing was the primary method. Automated scanning was used to supplement coverage and identify common misconfigurations, but all critical and high findings in this report were discovered through manual analysis and exploitation. Business logic testing, privilege escalation, and chained-attack scenarios were performed manually.
Methodology and Standards
| Standard | Application |
|---|---|
| OWASP Top 10 (2021) | Primary vulnerability classification framework |
| OWASP ASVS v4.0.3 | Verification standard for security controls testing |
| OWASP API Security Top 10 | API-specific vulnerability classification (Scope 2) |
| PTES (Penetration Testing Execution Standard) | End-to-end engagement methodology |
| Real-world attack simulation | Chained exploits, privilege escalation, lateral movement |
Tools Used
| Tool | Purpose |
|---|---|
| Burp Suite Professional | HTTP interception, manual testing, active scanning |
| Nuclei | Template-based vulnerability scanning |
| ffuf | Directory and parameter fuzzing |
| sqlmap | SQL injection detection and exploitation validation |
| Custom Python scripts | IDOR enumeration, token lifecycle testing, chained exploit automation |
| Nmap | Port scanning and service enumeration |
Out of Scope
Denial-of-service testing, social engineering, physical security assessments, and testing against third-party SaaS integrations (Stripe, AWS Cognito) were excluded from this engagement. All testing followed responsible disclosure practices.
Findings Summary
Each finding is scored under both CVSS v3.1 (for parity with NVD, CISA KEV, and most vendor advisories) and CVSS v4.0 (current FIRST standard since November 2023). Severity bands are identical across both versions. Detailed finding entries include full v3.1 and v4.0 vectors. Scores reflect what the original engagement recorded; vectors are documented for reproducibility against the FIRST CVSS calculator.
Severity Distribution
| Severity | Count | CVSS Range (v3.1 / v4.0) | Remediation Priority |
|---|---|---|---|
| Critical | 2 | 9.0 to 10.0 | Immediate (before next release) |
| High | 3 | 7.0 to 8.9 | Within 1 sprint cycle |
| Medium | 5 | 4.0 to 6.9 | Within 2 sprint cycles |
| Low | 2 | 0.1 to 3.9 | Next quarterly review |
| Info | 1 | 0.0 | Best practice recommendation |
Scope 1 Findings: Web Application (app.acmesaas.io)
Status column reflects v2.1 final state after retest verification. Original v1.0 status for all findings was Open. See Section 6 for full retest history.
| ID | Title | Severity | CVSS v3.1 | CVSS v4.0 | Status |
|---|---|---|---|---|---|
| CS-2026-001 | IDOR in Billing API (Invoice Access) | Critical | 9.1 | 7.2 | Fixed |
| CS-2026-002 | SQL Injection in Search Endpoint | Critical | 9.8 | 9.3 | Fixed |
| CS-2026-003 | Broken Access Control in Admin Panel | High | 8.2 | 8.8 | Fixed |
| CS-2026-004 | Stored XSS in User Profile Bio | High | 7.1 | 7.0 | Fixed |
| CS-2026-005 | CSRF on Email Change Endpoint | Medium | 6.5 | 6.9 | Fixed |
| CS-2026-006 | Insecure Direct Object Reference in File Export | Medium | 5.8 | 5.9 | Fixed |
| CS-2026-007 | Missing Rate Limiting on Login | Medium | 5.3 | 6.9 | Fixed |
| CS-2026-008 | Verbose Error Messages Leaking Stack Traces | Low | 3.1 | 2.3 | Fixed |
| CS-2026-009 | Missing Security Headers (X-Content-Type-Options, CSP) | Info | 0.0 | 0.0 | Fixed |
Scope 2 Findings: REST API (api.acmesaas.io/v2)
Status column reflects v2.1 final state after retest verification. Original v1.0 status for all findings was Open. See Section 6 for full retest history.
| ID | Title | Severity | CVSS v3.1 | CVSS v4.0 | Status |
|---|---|---|---|---|---|
| CS-2026-010 | Broken Authentication on API Token Refresh | High | 7.5 | 8.7 | Fixed |
| CS-2026-011 | Mass Assignment on User Profile Update | Medium | 6.3 | 6.9 | Fixed |
| CS-2026-012 | Excessive Data Exposure in /users Endpoint | Medium | 4.3 | 5.3 | Fixed |
| CS-2026-013 | API Versioning Endpoint Leaks Deprecated Routes | Low | 2.0 | 1.8 | Fixed |
Detailed Findings
Two of 13 findings are shown in full below. The remaining 11 findings follow the same format in the complete report.
IDOR in Billing API (Invoice Access)
Description
The billing API endpoint at /api/v2/billing/invoices/{invoice_id} does not validate that the authenticated user belongs to the organisation that owns the requested invoice. By modifying the invoice_id parameter, an authenticated user from Organisation A can retrieve invoices belonging to Organisation B, including billing addresses, payment amounts, plan details, and partial payment method information.
The vulnerability exists because the server trusts the invoice_id path parameter without checking it against the requesting user's org_id from the JWT token. Invoice IDs follow a sequential pattern (INV-2026-00001, INV-2026-00002, etc.), making enumeration trivial.
Steps to Reproduce
- Authenticate as User A (Organisation: Acme Test Org, Role: Member). Navigate to the Billing section and open any invoice.
- Note the invoice ID in the request URL:
/api/v2/billing/invoices/INV-2026-00142 - Using Burp Suite Repeater, modify the invoice ID to
INV-2026-00098(an invoice belonging to a different organisation). Send the request. - Observe that the API returns a 200 OK response with the full invoice details for the other organisation, including billing name, address, amount, and the last 4 digits of the payment card.
Evidence
GET /api/v2/billing/invoices/INV-2026-00098 HTTP/1.1 Host: api.acmesaas.io Authorization: Bearer eyJ0eXAi...[REDACTED] X-Org-Id: org_acme_test_001 Accept: application/json
{
"invoice_id": "INV-2026-00098",
"org_id": "org_different_company",
"org_name": "[REDACTED]",
"billing_email": "[REDACTED]@company.com",
"amount": 24999.00,
"currency": "INR",
"plan": "Growth Annual",
"payment_method": "**** **** **** 4832",
"billing_address": {
"line1": "[REDACTED]",
"city": "[REDACTED]",
"state": "[REDACTED]",
"postal_code": "[REDACTED]"
},
"status": "paid",
"issued_date": "2026-01-15"
} Business Impact
- PII Exposure: Any authenticated user can enumerate and access invoices of all organisations on the platform, exposing names, addresses, payment amounts, and partial card details.
- Revenue Loss: A data breach of billing information during an active enterprise sales cycle or fundraise could directly impact deal closure and valuation.
- Compliance Violation: Direct violation of data isolation between tenants. Triggers mandatory breach notification obligations under India's DPDP Act and, for EU customers, under GDPR Article 33.
- Reputational Damage: Multi-tenant data leakage is particularly damaging for SaaS platforms, as it undermines the core trust promise to enterprise customers.
- Audit Impact: This finding would be a critical exception in a SOC 2 Type 2 audit and would likely result in a qualified opinion.
Remediation
Implement server-side authorisation checks on the billing API endpoint. The API must verify that the authenticated user's organisation ID matches the organisation associated with the requested invoice before returning any data.
// middleware/authorizeInvoice.js
const authorizeInvoice = async (req, res, next) => {
const invoice = await Invoice.findById(req.params.invoiceId);
if (!invoice) {
return res.status(404).json({ error: "Invoice not found" });
}
// Verify org-level ownership
if (invoice.orgId !== req.auth.organisationId) {
logger.warn("IDOR attempt", {
userId: req.auth.userId,
requestedInvoice: req.params.invoiceId,
userOrg: req.auth.organisationId,
invoiceOrg: invoice.orgId
});
return res.status(403).json({
error: "Forbidden: insufficient permissions"
});
}
req.invoice = invoice;
next();
};
Additionally, migrate from sequential invoice IDs (INV-2026-00098) to UUIDs to reduce enumeration risk. Implement rate limiting on the billing API to detect and block enumeration attempts. Add alerting for unusual patterns of invoice access across organisations.
Compliance Mapping
| Framework | Control | Requirement |
|---|---|---|
| SOC 2 | CC6.1 | Logical access security over protected information assets |
| SOC 2 | CC6.3 | Role-based access and least privilege enforcement |
| ISO 27001 | A.9.4.1 | Information access restriction |
| ISO 27001 | A.14.2.5 | Secure system engineering principles |
Broken Authentication on API Token Refresh
Description
The API token refresh endpoint at /api/v2/auth/token/refresh accepts expired access tokens and issues new ones without validating the associated refresh token's expiry or revocation status. An attacker who obtains a single valid JWT (even after it expires) can indefinitely refresh it to maintain persistent access. The refresh endpoint does not check whether the user's session has been revoked, the password has been changed, or the account has been deactivated.
Steps to Reproduce
- Authenticate as a test user via the login endpoint. Note the access token (expires in 15 minutes) and the refresh token (expected to expire in 7 days).
- Wait for the access token to expire (or manually set the system clock forward). Confirm the access token returns 401 Unauthorized on any protected endpoint.
- Send a POST request to
/api/v2/auth/token/refreshwith the expired access token in the Authorization header and the refresh token in the request body. - Observe that a new access token is issued. Repeat this process after the refresh token's stated 7-day expiry. The endpoint continues to issue new tokens.
- Change the user's password from another session. Attempt the refresh again. The endpoint still issues a valid token for the old session.
Evidence
POST /api/v2/auth/token/refresh HTTP/1.1
Host: api.acmesaas.io
Content-Type: application/json
Authorization: Bearer eyJ0eXAi...[EXPIRED ACCESS TOKEN]
{
"refresh_token": "rt_[REDACTED]...expired_8_days_ago"
} {
"access_token": "eyJ0eXAi...[NEW VALID TOKEN]",
"token_type": "Bearer",
"expires_in": 900
} Business Impact
- Persistent Unauthorized Access: A compromised token (through XSS, log exposure, or man-in-the-middle) grants indefinite API access, even after the user changes their password or the admin revokes their session.
- Session Management Bypass: Session timeout controls (a SOC 2 CC6.1 requirement) are effectively defeated. Auditors will flag this as a control failure.
- Incident Response Gap: During a security incident, revoking user sessions will not actually terminate attacker access if they hold a refresh token.
Remediation
Implement proper refresh token lifecycle management. The refresh endpoint must validate: (1) the refresh token has not expired, (2) the refresh token has not been revoked, (3) the user's password has not changed since the token was issued, and (4) the user account is still active.
async function refreshToken(req, res) {
const { refresh_token } = req.body;
// 1. Validate refresh token exists and is not expired
const storedToken = await RefreshToken.findOne({
token: refresh_token,
expiresAt: { $gt: new Date() },
revoked: false
});
if (!storedToken) {
return res.status(401).json({ error: "Invalid or expired refresh token" });
}
// 2. Verify user account is still active
const user = await User.findById(storedToken.userId);
if (!user || !user.isActive) {
await RefreshToken.revokeAll(storedToken.userId);
return res.status(401).json({ error: "Account deactivated" });
}
// 3. Check if password changed after token was issued
if (user.passwordChangedAt > storedToken.issuedAt) {
await RefreshToken.revokeAll(storedToken.userId);
return res.status(401).json({ error: "Password changed, re-authenticate" });
}
// 4. Rotate: revoke old token, issue new pair
await storedToken.revoke();
const newTokens = generateTokenPair(user);
return res.json(newTokens);
} Compliance Mapping
| Framework | Control | Requirement |
|---|---|---|
| SOC 2 | CC6.1 | Logical access security, session management controls |
| SOC 2 | CC7.2 | Monitoring of system components for anomalies |
| ISO 27001 | A.9.4.1 | Information access restriction |
| ISO 27001 | A.9.2.3 | Management of privileged access rights |
Brand Protection Snapshot
As part of every penetration testing engagement, Cyber Secify Consulting Pvt Ltd performs a Brand Protection Snapshot during the reconnaissance phase. This assessment covers external threats to Acme SaaS's brand and digital identity that fall outside the application scope but directly affect overall security posture and customer trust.
Domain and Typosquatting Analysis
We checked 14 common typosquatting variations of acmesaas.io, including character transpositions, homoglyph substitutions, and TLD variations.
| Domain Checked | Type | Status | Notes |
|---|---|---|---|
| acmesaas.com | TLD Variation | Clean | Registered to Acme SaaS (parked, no content) |
| acmesas.io | Character Omission | Clean | Not registered |
| acmesaas.co | TLD Variation | Flagged | Registered by unknown party on 2025-11-03. Hosting a generic landing page. Recommend acquiring or monitoring. |
| acme-saas.io | Hyphen Insertion | Clean | Not registered |
| acmesaaas.io | Character Repetition | Clean | Not registered |
| acmesaas.in | TLD Variation (India) | Clean | Registered to Acme SaaS (redirects to acmesaas.io) |
| 8 additional variations checked. All clean. Full list in Appendix B. | |||
Leaked Credentials Check
We queried breach databases and dark web marketplaces for credentials associated with acmesaas.io email domains.
| Email Pattern | Breach Source | Date | Data Exposed | Risk |
|---|---|---|---|---|
| [REDACTED]@acmesaas.io | [REDACTED] breach (2024) | Aug 2024 | Email, hashed password | High |
| [REDACTED]@acmesaas.io | [REDACTED] data dump | Mar 2025 | Email, plaintext password | Critical |
Recommendation: Force password resets for the affected accounts immediately. Enforce MFA for all employee accounts. Cross-reference these credentials against internal systems to check for password reuse.
Code Exposure
We scanned public GitHub repositories, GitLab instances, and Pastebin for code or configuration files referencing acmesaas.io.
| Source | Finding | Risk |
|---|---|---|
| GitHub (public repo) | Repository "[REDACTED]/acme-integration-tests" contains a hardcoded API key in .env.example | High |
| GitHub (public gist) | Gist by [REDACTED] contains Acme SaaS staging database connection string | Medium |
| GitLab (public) | No exposure found | Clean |
| Pastebin / paste sites | No exposure found | Clean |
Fake App Detection
We monitored the Google Play Store, Apple App Store, and third-party APK repositories for applications impersonating Acme SaaS.
| Platform | Status | Notes |
|---|---|---|
| Google Play Store | Clean | No impersonating apps found |
| Apple App Store | Clean | No impersonating apps found |
| Third-party APK sites | Clean | No repackaged or trojanized versions detected |
Social Media Impersonation
We scanned LinkedIn, X (Twitter), and Facebook for profiles or pages impersonating Acme SaaS or its founders.
| Platform | Status | Notes |
|---|---|---|
| Clean | Official company page verified. No impersonating pages found. | |
| X (Twitter) | Flagged | Account @acme_saas_support (created Jan 2026) appears to impersonate Acme SaaS customer support. 12 followers. Recommend reporting. |
| Clean | No impersonating pages found |
Retest Results
The Growth Pentest Plan includes two retests on a structured cadence: a full retest within 30 calendar days of the v1.0 initial report (after the first round of remediation), and a sanity retest within 15 calendar days of the full retest (after final fixes). Each retest completes in 1-3 business days on our side, with no extra charge.
First Retest (Full Retest)
The Acme SaaS engineering team remediated 11 of 13 findings. All critical and high findings were addressed except for CS-2026-010 (Broken Authentication on Token Refresh) and CS-2026-013 (API Versioning Endpoint Leaks Deprecated Routes). Both were scheduled for the next sprint.
| ID | Title | Severity | Retest Status | Notes |
|---|---|---|---|---|
| CS-2026-001 | IDOR in Billing API | Critical | Fixed | Org-level auth check added. UUID migration in progress. |
| CS-2026-002 | SQL Injection in Search | Critical | Fixed | Parameterized queries implemented across all search endpoints. |
| CS-2026-003 | Broken Access Control in Admin Panel | High | Fixed | Role-based middleware added to all admin routes. |
| CS-2026-004 | Stored XSS in User Profile Bio | High | Fixed | Input sanitization and CSP header implemented. |
| CS-2026-005 | CSRF on Email Change | Medium | Fixed | CSRF token validation added. |
| CS-2026-006 | IDOR in File Export | Medium | Fixed | Ownership validation added to export endpoint. |
| CS-2026-007 | Missing Rate Limiting on Login | Medium | Fixed | Rate limiter (5 attempts/min) deployed. |
| CS-2026-008 | Verbose Error Messages | Low | Fixed | Generic error responses in production. |
| CS-2026-009 | Missing Security Headers | Info | Fixed | X-Content-Type-Options, CSP, and HSTS headers added. |
| CS-2026-010 | Broken Auth on Token Refresh | High | Open | Token blocklist implementation scheduled for next sprint. |
| CS-2026-011 | Mass Assignment on User Profile | Medium | Fixed | Allowlist-based input filtering applied. |
| CS-2026-012 | Excessive Data Exposure in /users | Medium | Fixed | Response schema trimmed to required fields only. |
| CS-2026-013 | API Versioning Leaks Deprecated Routes | Low | Open | Accepted risk. Documented in risk register. |
Second Retest (Sanity Retest)
The Acme SaaS team deployed fixes for the two remaining open findings. The sanity retest confirmed that both are now resolved.
| ID | Title | Severity | Retest Status | Notes |
|---|---|---|---|---|
| CS-2026-010 | Broken Auth on Token Refresh | High | Fixed | Refresh token rotation and blocklist implemented. Password change now revokes all tokens. |
| CS-2026-013 | API Versioning Leaks Deprecated Routes | Low | Fixed | Deprecated v1 routes removed from production API gateway. |
Compliance Evidence Package
The tables below map all pentest findings to relevant SOC 2 and ISO 27001 controls. This section is formatted for direct inclusion in your audit evidence package. Hand these tables to your auditor as evidence of penetration testing, findings, and remediation.
SOC 2 Control Mapping
| Control ID | Control Name | Findings Mapped | Evidence Status |
|---|---|---|---|
| CC6.1 | Logical Access Security | CS-2026-001, CS-2026-003, CS-2026-010 | All Remediated |
| CC6.3 | Role-Based Access and Least Privilege | CS-2026-001, CS-2026-003, CS-2026-006 | All Remediated |
| CC6.6 | System Boundaries and Network Security | CS-2026-002, CS-2026-007 | All Remediated |
| CC7.2 | Monitoring of System Components | CS-2026-010, CS-2026-008 | All Remediated |
| CC8.1 | Change Management | CS-2026-004, CS-2026-005, CS-2026-011 | All Remediated |
ISO 27001 Control Mapping
| Control ID | Control Name | Findings Mapped | Evidence Status |
|---|---|---|---|
| A.9.4.1 | Information Access Restriction | CS-2026-001, CS-2026-003, CS-2026-006, CS-2026-010 | All Remediated |
| A.9.2.3 | Management of Privileged Access Rights | CS-2026-003, CS-2026-010 | All Remediated |
| A.13.1.1 | Network Controls | CS-2026-002, CS-2026-007 | All Remediated |
| A.12.4.1 | Event Logging | CS-2026-008, CS-2026-010 | All Remediated |
| A.14.2.2 | System Change Control Procedures | CS-2026-004, CS-2026-005, CS-2026-011 | All Remediated |
Appendix
A. Tools
Each engagement records the exact tool versions in use at the time. Versions vary by engagement and are captured in the live report shared with the client. The list below covers the tools we routinely use during a Growth Pentest Plan engagement.
| Tool | Purpose |
|---|---|
| Burp Suite Professional | HTTP proxy, manual testing, active scanning |
| Nuclei | Template-based vulnerability scanning |
| ffuf | Directory and parameter fuzzing |
| sqlmap | SQL injection validation |
| Nmap | Port scanning and service enumeration |
| Custom Python scripts | IDOR enumeration, token lifecycle testing |
| Subfinder | Subdomain enumeration |
B. Testing Team Credentials
| Assessor | Role | Credentials |
|---|---|---|
| Rathnakara GN | Lead Assessor | OSCP, CompTIA PenTest+, Masters of Science in Cyber Security |
| Ashok S Kamat | Engagement Lead | Domain expertise across CTI, compliance, and client delivery |
| Cybersecify Team | Supporting Capabilities | CISSP, CEH, ISO 27001 Lead Auditor, CREST |
C. Report Distribution
| Recipient | Role | Access Level |
|---|---|---|
| [REDACTED] | CTO, Acme SaaS | Full Report |
| [REDACTED] | VP Engineering, Acme SaaS | Full Report |
| [REDACTED] | CEO, Acme SaaS | Executive Summary Only |
| [REDACTED] | External Auditor | Compliance Evidence Package Only |
D. Glossary
| Term | Definition |
|---|---|
| IDOR | Insecure Direct Object Reference. A vulnerability where the application exposes internal object identifiers without proper authorization checks. |
| CVSS | Common Vulnerability Scoring System. An industry standard for rating the severity of security vulnerabilities on a 0 to 10 scale, maintained by FIRST. CVSS v3.1 (released 2019) remains widely used by NVD, CISA KEV, and most vendor advisories. CVSS v4.0 (released November 2023) introduces Attack Requirements (AT), separates Vulnerable System (VC/VI/VA) from Subsequent System (SC/SI/SA) impacts, and replaces the v3.x Scope metric. Both versions use identical severity bands. |
| CWE | Common Weakness Enumeration. A categorization system for software security weaknesses maintained by MITRE. |
| Grey-box Testing | A testing approach where the assessor has partial knowledge of the system (e.g., authenticated access) but not full source code access. |
| OWASP ASVS | Application Security Verification Standard. A framework of security requirements and controls for web application security testing. |
| PTES | Penetration Testing Execution Standard. A methodology defining the phases and procedures for conducting penetration tests. |
| SOC 2 | Service Organization Control 2. An auditing framework for service providers that evaluates security, availability, processing integrity, confidentiality, and privacy controls. |
| JWT | JSON Web Token. A compact token format used for securely transmitting information between parties as a JSON object. |
Disclaimer
Penetration testing is inherently limited by the scope, time, and resources allocated to the engagement. Therefore, no individual or organization can guarantee identifying all security issues. The testing we performed is conducted on a best-effort basis, and the findings reported herein are specific to the environment provided for testing.
The dynamic nature of technology and the constant evolution of new attack techniques mean that security assessments can only provide a snapshot of the current security posture.
Limitations of Testing
The reported findings apply exclusively to the tested environment and configurations during testing. Information systems rely on human factors and can be inherently vulnerable to human error. While we have endeavoured to identify significant security vulnerabilities in the analysed applications, it is impossible to assure that all potential vulnerabilities have been discovered.
Scope of Findings
The recommendations provided are based on the information, technologies, and known threats as of the date of this report. As technologies and risks evolve, so will the nature of vulnerabilities and the necessary mitigation measures.
Continued Vigilance
Security is an ongoing process. Regular assessments and updates to security measures are essential to maintaining a strong security posture. We recommend periodic penetration testing and continuous monitoring to adapt to new threats and vulnerabilities.
By accepting this report, you acknowledge the testing's inherent limitations and understand the necessity of ongoing security vigilance.
Note: This sample report is based on a Growth Pentest Plan engagement (2 scopes, 10 calendar days). It includes SOC 2 + ISO 27001 compliance mapping, 2 retests, and real-world attack simulation. The Startup Pentest Plan (1 scope, 7 calendar days) follows the same report structure and methodology but covers a single scope without compliance mapping. View plan details.
End of Report
What Makes Our Reports Different
Most pentest reports are either too generic to act on or too technical for leadership. Ours are designed for both audiences.
Engineer-Friendly Findings
Every finding includes exact reproduction steps, HTTP request/response evidence, and code-level remediation. Your developers can fix issues without scheduling a follow-up call.
Compliance-Ready Format
Each finding maps to SOC 2 and ISO 27001 controls. Hand the report directly to your auditor as evidence of testing and remediation.
Business Impact Statements
Technical severity alone does not convey risk. Every finding includes a plain-language business impact section that CTOs and founders can use to prioritize with their team.
Fix Guidance, Not Just Descriptions
We do not stop at "this is broken." Every finding includes specific remediation steps, recommended code patterns, and configuration changes to resolve the issue.
Ready to See Your Own Report?
Get a pentest quote, or start with 4 hours of founder-led security work to scope your needs first.