PDF Reports
Why the Report Matters More Than the Scan
A penetration test without a clear report is just a list of technical observations. The report is the deliverable — the artifact that security teams present to executives, compliance auditors, and engineering leads. TurboPentest generates PDF reports designed to serve all three audiences in a single document.
Every report follows a consistent structure that separates strategic context from technical detail. This ensures that a CISO can read the first three pages and understand the risk posture, while a developer can jump to a specific finding and get the exact retest command to verify their fix.
Report Structure
Cover Page and Metadata
The cover page includes the target domain, scan date, tier (Standard, Pro, or Blitz), and a unique report identifier. This identifier ties the report to its blockchain attestation, which is covered in Module 4. The metadata section captures the scan configuration: which Phase 1 tools ran, which P4L4D1N agents were deployed, total scan duration, and whether source code was included.
Executive Summary
The executive summary is written for non-technical stakeholders. It answers three questions in plain language: What did we test? What did we find? What should you do first?
The summary includes a risk rating (Critical, High, Medium, Low) based on the most severe validated finding. It provides a one-paragraph narrative describing the overall security posture and highlights the top three findings by business impact — not just technical severity. A finding that enables customer data exfiltration ranks higher than a missing HTTP header, even if both have the same CVSS score.
TurboPentest's AI generates the executive summary by analyzing all validated findings, their exploit chains, and the target's context. This produces a narrative that reads like a human consultant wrote it, because the same reasoning engine that found the vulnerabilities also understands their business implications.
Threat Model Overview
The threat model section maps validated findings to attack scenarios. Rather than presenting vulnerabilities as isolated items, TurboPentest groups them into attack paths — sequences of steps an attacker could take to achieve a specific objective.
For example, if P4L4D1N found an IDOR vulnerability, a weak session token, and an admin endpoint with no rate limiting, the threat model shows how an attacker could chain these: enumerate user IDs via the IDOR, brute-force an admin session using the weak tokens, and access the admin panel without rate limiting blocking the attempt.
Each attack path includes a likelihood assessment (based on exploit complexity and required attacker skill) and an impact assessment (based on the data or access the attacker would gain). This gives risk-based prioritization that goes beyond individual CVSS scores.
Technical Findings
Each finding in the technical section follows a standardized template:
- Title and Severity — A descriptive title with CVSS v3.1 score and severity label
- Description — What the vulnerability is and why it matters
- Evidence — HTTP requests, responses, screenshots, or code snippets that prove the finding
- Proof of Concept — The exact steps P4L4D1N used to validate the exploit
- Impact — What an attacker could achieve by exploiting this vulnerability
- Remediation — Specific code changes, configuration updates, or architectural recommendations
- Retest Command — A Docker one-liner that teams can run to verify their fix works
- References — Links to CWE entries, OWASP guidance, and relevant CVEs
Findings are sorted by severity (Critical first), then by exploitability. Each finding carries a unique fingerprint that identifies the same issue across repeat pentests; this fingerprint drives the finding continuity section.
Finding Continuity Section
For targets that have been scanned before, the report includes a continuity section showing which findings are new, which persist from previous scans, and which have been resolved. This trending data is invaluable for demonstrating security improvement over time to auditors and board members.
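The three mechanisms described above (the overall risk rating derived from the most severe validated finding, the severity-then-exploitability ordering with a per-finding fingerprint, and the new/persisting/resolved split of the continuity section) can be shown together on the structured data that precedes rendering. The following Python is an added illustration, not TurboPentest's code: the finding fields, the fingerprint recipe (hash of CWE, normalized path and parameter, deliberately excluding volatile evidence such as timestamps or response bodies) and the sample findings are all constructed for this example.

```python
"""Assemble risk rating, ordered findings and continuity data for a report.

Added example, not TurboPentest's code. The finding fields and the
fingerprint recipe are assumptions made for illustration.
"""
import hashlib
import json

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def fingerprint(finding):
    """Stable identity for continuity tracking.

    Assumption: hash what identifies the weakness (CWE id, normalized path,
    parameter) rather than the evidence, so the same issue keeps its
    fingerprint across scans even though captured requests and timestamps change.
    """
    path = finding["path"].rstrip("/").lower() or "/"
    key = f'{finding["cwe"]}|{path}|{finding.get("parameter", "")}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def sort_findings(findings):
    """Critical first, then by exploitability (0-10, higher first)."""
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f["severity"]], -f["exploitability"]),
    )


def risk_rating(findings):
    """Overall rating is the most severe *validated* finding; unconfirmed
    findings do not raise the rating. Returns 'None' for a clean scan."""
    validated = [f for f in findings if f["validated"]]
    if not validated:
        return "None"
    return max(validated, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]


def continuity(previous_fps, current_findings):
    """Split current findings into new / persisting and list resolved ones."""
    current_fps = {fingerprint(f) for f in current_findings}
    return {
        "new": sorted(current_fps - previous_fps),
        "persisting": sorted(current_fps & previous_fps),
        "resolved": sorted(previous_fps - current_fps),
    }


def build_report(target, findings, previous_fps):
    """Structured report data, ready to be serialized to JSON for rendering."""
    ordered = sort_findings([f for f in findings if f["validated"]])
    return {
        "target": target,
        "risk_rating": risk_rating(findings),
        "findings": [dict(f, fingerprint=fingerprint(f)) for f in ordered],
        "continuity": continuity(previous_fps, ordered),
    }


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    {"title": "Missing HSTS header", "severity": "Low", "cwe": "CWE-319",
     "path": "/", "exploitability": 2.0, "validated": True},
    {"title": "IDOR on order lookup", "severity": "High", "cwe": "CWE-639",
     "path": "/api/orders/", "parameter": "id", "exploitability": 8.0, "validated": True},
    {"title": "Predictable session token", "severity": "High", "cwe": "CWE-330",
     "path": "/login", "exploitability": 6.5, "validated": True},
    {"title": "Possible SQLi (unconfirmed)", "severity": "Critical", "cwe": "CWE-89",
     "path": "/search", "parameter": "q", "exploitability": 9.0, "validated": False},
]

# Constructed: fingerprints from a hypothetical previous scan. The IDOR was
# recorded with a slightly different path spelling and still matches after
# normalization; the placeholder fingerprint belongs to a since-fixed finding.
PREVIOUS_SCAN = {
    fingerprint({"cwe": "CWE-639", "path": "/api/orders", "parameter": "id"}),
    "0000000000000000",  # placeholder fingerprint, not a real value
}

if __name__ == "__main__":
    print(json.dumps(build_report("example.com", SAMPLE_FINDINGS, PREVIOUS_SCAN), indent=2))
```

Two points the sample makes explicit: the unconfirmed Critical does not push the rating above High, because only validated findings count, and the IDOR keeps its fingerprint even though the path was captured with a trailing slash this time, which is what makes the persisting/resolved split trustworthy across scans.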
Appendices
The appendices contain raw tool output from Phase 1, full P4L4D1N agent logs (for Blitz tier), and the complete list of tests performed. This ensures full transparency — nothing is hidden behind the AI's summarization.
PDF Generation Pipeline
TurboPentest renders reports using a headless PDF generation pipeline. The report content is first assembled as structured data (JSON), then rendered through a React-based template engine that produces consistent formatting, branding, and layout. The final PDF is rendered server-side and stored encrypted at rest.
The pipeline supports customizable branding for teams that want their company logo and color scheme on the report. This is configured at the team level and automatically applied to all reports generated under that team.
Report Retention and Access
Reports are stored for the duration of the team's subscription. Each report is accessible from the scan detail page and can be re-downloaded at any time. Reports are also linked to their blockchain attestation, which persists independently — even if the report file is deleted, the attestation proving its contents remains on-chain.