Pentest Report — Structure, Templates & Tips 2026

Everything you need to write a professional penetration testing report: complete structure, CVSS scoring, OSCP and PNPT templates — and how to cut writing time by 80% with AI-assisted real-time documentation.


Contents

  1. Why report writing takes so long
  2. Complete report structure
  3. Writing the Executive Summary
  4. Documenting findings with CVSS
  5. Templates by certification
  6. Common mistakes to avoid
  7. How to reduce writing time
  8. FAQ

1. Why pentest report writing takes so long

The report is often the most time-consuming part of a penetration test. For a 3-day engagement, an experienced pentester typically spends:

- 40% of total engagement time on reporting
- 12h average report writing time
- 6h for an OSCP report

The root cause: documentation happens after hacking. All the context — the exact commands, the exploitation chain, the impact — lives in the pentester's memory and degrades fast. Reconstructing an exploitation 48 hours later is the main source of wasted time.

⚠️ The core problem: When you document after the fact, you spend hours reconstructing what you already did. Screenshots get renamed, terminal history gets overwritten, and the flow of the exploitation chain gets fuzzy.

2. Complete pentest report structure

A professional penetration testing report follows a standardized structure. Here are the required and recommended sections:

1. Cover Page (Required)
Client name, project name, date, document version, classification (CONFIDENTIAL), pentester and client contact details.

2. Table of Contents (Required)
Navigation for reports over 10 pages.

3. Executive Summary (Required)
2–4 pages. Written for non-technical decision-makers: overall risk rating, number of criticals, business impact, priority recommendations. No technical jargon.

4. Scope & Methodology (Required)
IPs and domains tested, engagement dates, test type (black/grey/white box), frameworks used (OWASP, PTES, MITRE ATT&CK), tools employed.

5. Vulnerability Summary (Required)
Summary table: finding count by severity (critical, high, medium, low, informational). Chart recommended.

6. Detailed Findings (Required)
One entry per vulnerability: title, severity, CVSS score, description, proof of concept, business impact, remediation recommendation. The longest section.

7. Prioritized Remediation Plan (Recommended)
Vulnerabilities ranked by fix priority: critical first, quick wins vs architectural changes.

8. Appendices (Recommended)
Raw logs, full commands used, additional screenshots, CVE and OWASP references, glossary.

3. Writing the Executive Summary

The Executive Summary is the most-read section, and the most often poorly written. It targets the CISO, CTO, or CEO, not the security team.

What it must include: the overall risk rating for the engagement, the number of critical and high findings, the business impact stated in plain terms (what an attacker could reach or do, and to which assets), and the priority recommendations in the order they should be funded.

What it must NOT include: technical jargon, CVSS vectors, commands, tool output or proof-of-concept details. Those belong in the Detailed Findings and the appendices, where the security team will look for them.

💡 Readability test: Your Executive Summary should be understandable by someone with no cybersecurity background. If your HR director can read it and grasp the essentials, it's well-written.

4. Documenting findings with CVSS

Each vulnerability must be documented with consistent detail. Here is the professional standard:

Standard finding template: title, severity, CVSS 3.1 base score together with the vector string that produced it, description, proof of concept (exact commands, output obtained, screenshot), business impact, remediation recommendation. Recording the vector next to the score lets the client verify the rating and lets a second reviewer catch a severity label that does not match the score.

CVSS Severity Grid

Severity      | CVSS Score | Recommended Remediation Time | Example
Critical      | 9.0 – 10.0 | 24 to 72 hours               | Unauthenticated RCE, SQLi with DBA access
High          | 7.0 – 8.9  | 1 to 2 weeks                 | LFI reading /etc/passwd, internal SSRF
Medium        | 4.0 – 6.9  | 1 month                      | Stored XSS, IDOR, clickjacking
Low           | 0.1 – 3.9  | 3 months                     | Missing security headers, version disclosure
Informational | 0.0        | Next iteration               | Weak password policy, banner grabbing

Two caveats. CVSS measures technical severity, not business risk: a Medium on an internet-facing payment system can matter more than a High on an isolated lab host, which is why every finding also carries a business impact statement. And the remediation windows are a common reporting convention, not part of the CVSS standard; align them with the client's own risk policy before putting them in the report.

5. Templates by certification

Each pentesting certification has its own report format. Here are the 4 main templates:

- OSCP (OffSec): official Word/ODT template. Sections: compromised machines, exploitation steps, flags (local.txt / proof.txt), mandatory screenshots.
- PNPT (TCM Security): free format but structured. Executive Summary, CVSS findings and an Active Directory Compromise Summary are required.
- CPTS (Hack The Box): full professional pentest report. Scope, methodology and detailed findings are required.
- Standard client pentest: adapt to the client's needs. Always include an executive summary, CVSS findings and prioritized recommendations.

6. Common mistakes to avoid

- Documenting after the fact. Commands, output and the order of the exploitation chain are reconstructed from memory and screenshots that have since been renamed (see section 1).
- Technical jargon in the Executive Summary. The reader is a CISO, CTO or CEO; commands and CVSS vectors belong in the Detailed Findings.
- Findings without a reproducible proof of concept: a severity label with no exact commands, no output and no screenshot cannot be verified by the client or retested after the fix.
- Privilege escalation evidence without context: a whoami or id screenshot that does not show which host it was taken on proves nothing.
- Severity label and CVSS score that disagree, or a remediation window copied from the grid without checking it against the client's risk policy.
- No prioritized remediation plan, leaving the client to work out the fix order from the findings list.

7. How to reduce writing time by 80%

The key: document during the pentest, not after. Pentest Mindmap is built around this principle — AI assists you from the first command to the final PDF.

The AI-assisted pentest workflow

1. AI suggests commands for each phase
2. Document findings in real-time
3. AI fills CVSS, severity & description
4. Report auto-generated when done

Pentest Mindmap guides you through each phase with 11,600+ commands, documents your findings in real-time, and auto-generates the PDF report. The report is ready when the pentest is.


8. FAQ

How long does it take to write a pentest report?

On average: 4–8h for a simple web/API pentest, 8–15h for an internal network pentest, 15–25h for a full engagement with Active Directory, and 4–6h for an OSCP exam report (24h deadline). With real-time documentation, cut these by 60–80%.

What tool should I use to write a pentest report?

For solo pentesters and students: Pentest Mindmap (real-time docs + AI generation). For teams: Dradis or SysReptor. For agencies: Ghostwriter. Microsoft Word/LibreOffice for OSCP submissions.

Does the OSCP report need to be in English?

Yes. OffSec requires the OSCP report in English. They provide an official template. Submit as PDF within 24 hours of the exam ending via the OffSec portal.

How do I prove a vulnerability in the report?

Each finding needs a reproducible proof of concept: the exact commands used, the output obtained, and a screenshot showing the successful exploitation. For privilege escalation, the screenshot must show the output of whoami or id together with the hostname or IP address of the target, so the evidence can be tied to a specific in-scope machine.
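As an added example (not code from the original article or from Pentest Mindmap), the script below shows one way to capture that proof while the test is running rather than afterwards. Each command is executed through a small wrapper that appends one JSON line with the exact command, a UTC timestamp, the operator host, the exit code, the output and a SHA-256 of the output; the PoC section of the finding is then rendered from that log. The finding identifier F-001 and the two harmless local commands that stand in for `id` and `hostname` are constructed for the demo.

```python
"""Evidence logger for proof-of-concept steps (added example, not Pentest Mindmap code).

Each command is run once and recorded as one JSON line: exact argv, UTC
timestamp, operator host, exit code, output and a SHA-256 of that output.
The PoC section of a finding is rendered from the log, not from memory.
"""
import datetime
import hashlib
import json
import shlex
import socket
import subprocess
import sys
import tempfile
from pathlib import Path


def run_and_record(argv: list, log_path: Path, finding_id: str, note: str = "") -> dict:
    """Execute argv, append an evidence record to log_path, and return the record."""
    started = datetime.datetime.now(datetime.timezone.utc)
    proc = subprocess.run(argv, capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    record = {
        "finding": finding_id,
        "timestamp": started.isoformat(timespec="seconds"),
        "operator_host": socket.gethostname(),
        "command": shlex.join(argv),  # shell-quoted, so it can be pasted into the report as-is
        "exit_code": proc.returncode,
        "output": output,
        "output_sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
        "note": note,
    }
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def poc_section(log_path: Path, finding_id: str) -> str:
    """Render every logged step for one finding as the PoC block of its report entry."""
    steps = [json.loads(line) for line in log_path.read_text(encoding="utf-8").splitlines()
             if line.strip()]
    out = []
    for n, step in enumerate((s for s in steps if s["finding"] == finding_id), 1):
        out.append(f"Step {n} [{step['timestamp']}, run from {step['operator_host']}]")
        out.append(f"$ {step['command']}")
        out.append(step["output"].rstrip())
        if step["note"]:
            out.append(f"Note: {step['note']}")
        out.append(f"(exit {step['exit_code']}, output sha256 {step['output_sha256'][:16]}...)")
        out.append("")
    return "\n".join(out).rstrip()


def demo(log_path=None) -> str:
    """Constructed demo: two harmless local commands stand in for real PoC steps."""
    log_path = log_path or Path(tempfile.mkdtemp()) / "evidence.jsonl"
    run_and_record([sys.executable, "-c", "print('uid=0(root) gid=0(root)')"],
                   log_path, "F-001", note="stands in for id after privilege escalation")
    run_and_record([sys.executable, "-c", "print('db01.internal')"],
                   log_path, "F-001", note="stands in for hostname on the target")
    return poc_section(log_path, "F-001")


if __name__ == "__main__":
    print(demo())
```

The output hash is what makes the appendix defensible: when the client disputes a finding months later, the hash in the report ties the quoted output to the raw log entry, and the timestamp ties it to the engagement window agreed in the scope section.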

