Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
The report is what the client buys. Findings should be: prioritised (CVSS or similar severity), reproducible (exact steps), and actionable (what to fix, how). A great report changes behaviour; a bad report becomes a PDF in a drawer. Senior testers spend ~30% of engagement time writing.
Finding template: title; severity (CVSS v3.1 score with its vector string); CWE; summary (one paragraph); reproduction (numbered steps plus screenshots); impact (what an attacker gains); recommendation (a specific fix, not "sanitise input"); references (CVE / RFC / OWASP). Put an executive summary at the top with a count of findings per risk bucket.
Use these three in order. Each builds on the one before.
In one paragraph, describe a high-quality pentest report.
Walk me through writing one finding from observation to recommendation.
Design a report template tuned for executive readers + dev readers + auditors.