Professional report template
In HTB the machine ends when you’re root. In real life, being root is only 20% of the job. The remaining 80% is explaining why and how to fix it, in language the client understands.This template is the difference between a CV that says “I solved
50 HTB machines” (rejection pile) and one that says “Full audit of
a vulnerable GitLab, with 4-page report and validated remediation
code” (technical lead’s desk).
Minimum viable structure
Any audit you want to present as portfolio must have these 4 sections at minimum:1
Executive summary
1 page. For non-technical director / client. Impact in business
language, no jargon.
2
Technical vector
1-2 pages. How entry was gained. Commands, screenshots,
request/response.
3
Privilege escalation
1 page. How root / Domain Admin was reached.
4
Remediation
1 page. Exact code block, configuration, priority.
Page 1: Executive summary
The only page the CEO or CISO will read if in a hurry. If this fails, the rest is moot.Page 2: Technical vector (per finding)
For each critical/medium finding, a card with this fixed structure:Page 3: Privilege escalation (kill chain)
If the attack has multiple phases (the norm), document the full chain. This separates a junior report from a senior one.Page 4: Remediation
This is the page they pay for. No actionable remediation, no professional value.How to compute CVSS without mistakes
CVSS isn’t optional. It’s the common severity currency. Always use the official calculator: first.org/cvss/calculator.Quick cheatsheet by vector
Translator: tech jargon → business impact
Typical junior report mistakes
⚠️ Instant disqualifiers
If your report contains any of these, it’ll be rejected before
finishing the read:
- Burp screenshots with unredacted client sensitive data. Tokens, passwords, real internal IPs: redact before including.
- “Full system access” without quantifying (how many users, how much data, which tables).
- Executive summary full of tech jargon. Your client isn’t an engineer: the executive summary doesn’t contain “buffer”, “stack” or “deserialization”.
- Recommending “upgrade to latest version” without verifying that the latest version fixes the flaw. Sometimes it doesn’t.
- No reproducible proof of concept. If the dev team can’t reproduce it, they can’t fix it.
- Confusing CVSS with business severity. A CVSS 9.8 in an isolated internal system can have less real impact than a 6.1 on the public web. Justify.
- No MITRE ATT&CK mapping. In 2026 this is standard.
- Passive voice. “It has been found that the system might potentially have”. NO. “Confirmed unauthenticated RCE.” Active, direct, factual.
Downloadable template (Markdown)
Copy this block as base for your reports. Replace[brackets]
with your real content.
Related resources
- Tactical glossary — How to write the technical section of each vuln.
- Professional methodology — MITRE ATT&CK, PTES phases.
- Learning resources — Teaching platforms and reference books.
- Web recon — How to enumerate without firing the WAF.