Skip to main content

Professional report template

In HTB the machine ends when you’re root. In real life, being root is only 20% of the job. The remaining 80% is explaining why and how to fix it, in language the client understands.
This template is the difference between a CV that says “I solved 50 HTB machines” (rejection pile) and one that says “Full audit of a vulnerable GitLab, with 4-page report and validated remediation code” (technical lead’s desk).

Minimum viable structure

Any audit you want to present as portfolio must have these 4 sections at minimum:
1

Executive summary

1 page. For non-technical director / client. Impact in business language, no jargon.
2

Technical vector

1-2 pages. How entry was gained. Commands, screenshots, request/response.
3

Privilege escalation

1 page. How root / Domain Admin was reached.
4

Remediation

1 page. Exact code block, configuration, priority.

Page 1: Executive summary

The only page the CEO or CISO will read if in a hurry. If this fails, the rest is moot.
Tests of a good executive summary:
  1. Does a non-technical director understand it?
  2. Does it fit on 1 page?
  3. Does it quantify impact in business terms (GDPR, %, user counts)?
  4. Does it give a clear priority order?

Page 2: Technical vector (per finding)

For each critical/medium finding, a card with this fixed structure:

Page 3: Privilege escalation (kill chain)

If the attack has multiple phases (the norm), document the full chain. This separates a junior report from a senior one.

Page 4: Remediation

This is the page they pay for. No actionable remediation, no professional value.

How to compute CVSS without mistakes

CVSS isn’t optional. It’s the common severity currency. Always use the official calculator: first.org/cvss/calculator.

Quick cheatsheet by vector


Translator: tech jargon → business impact


Typical junior report mistakes

⚠️ Instant disqualifiers
If your report contains any of these, it’ll be rejected before finishing the read:
  1. Burp screenshots with unredacted client sensitive data. Tokens, passwords, real internal IPs: redact before including.
  2. “Full system access” without quantifying (how many users, how much data, which tables).
  3. Executive summary full of tech jargon. Your client isn’t an engineer: the executive summary doesn’t contain “buffer”, “stack” or “deserialization”.
  4. Recommending “upgrade to latest version” without verifying that the latest version fixes the flaw. Sometimes it doesn’t.
  5. No reproducible proof of concept. If the dev team can’t reproduce it, they can’t fix it.
  6. Confusing CVSS with business severity. A CVSS 9.8 in an isolated internal system can have less real impact than a 6.1 on the public web. Justify.
  7. No MITRE ATT&CK mapping. In 2026 this is standard.
  8. Passive voice. “It has been found that the system might potentially have”. NO. “Confirmed unauthenticated RCE.” Active, direct, factual.

Downloadable template (Markdown)

Copy this block as base for your reports. Replace [brackets] with your real content.
To see real professional reports for inspiration, visit github.com/juliocesarfort/public-pentesting-reports. 600+ public reports from Cure53, NCC Group, Trail of Bits and others.