Verification Links
The Last Mile of Trust
Blockchain attestation creates a tamper-proof record of a pentest report. But attestation is only useful if the people who need to verify it can actually do so. An auditor reviewing your SOC 2 compliance does not want to install a crypto wallet, navigate a block explorer, or compute SHA-256 hashes by hand. Verification links bridge this gap by providing a simple, shareable URL that guides anyone through the verification process.
What Is a Verification Link?
A verification link is a unique URL that points to TurboPentest's public verification page for a specific report attestation. When someone visits the link, they see:
- Report metadata — Target domain, scan date, tier, and report identifier
- Attestation status — Whether the report has been anchored on-chain and the current verification state
- Hash details — The SHA-256 hash of the original report
- Blockchain proof — The Merkle proof, Merkle root, Base L2 transaction hash, and block number
- Verification result — A clear pass/fail indicator showing whether all cryptographic checks succeeded
The verification page does not display any report contents. An auditor can confirm that a pentest was conducted on a specific date with a specific result hash without seeing the findings themselves. This separation is critical — the organization controls who sees the actual report, while verification of its existence and integrity is shareable.
Generating Verification Links
Verification links are generated automatically when a report's attestation is anchored on Base L2. The link becomes available on the scan detail page and can be copied by any team member with access to the scan.
Each verification link contains a unique token that maps to the report's attestation record. The token is a cryptographically random identifier — it cannot be guessed, and knowing one report's verification link does not reveal links for other reports.
The link format follows:
This URL is stable and permanent. As long as TurboPentest operates, the verification link will resolve. The on-chain attestation itself persists independently on Base L2, so even if TurboPentest's verification page were unavailable, the raw blockchain data could be used for manual verification.
The Verification Process
When an auditor or customer visits a verification link, the system performs these steps automatically:
Step 1: Attestation Lookup
The attestation token is resolved to the report's attestation record, which contains the report hash, Merkle proof, Merkle root, and Base L2 transaction hash.
Step 2: On-Chain Root Retrieval
The system reads the Merkle root from the Base L2 transaction using the stored transaction hash. This confirms that the root was actually written to the blockchain and retrieves the on-chain timestamp.
Step 3: Merkle Proof Verification
The system verifies the Merkle proof by computing the path from the report hash to the Merkle root using the sibling hashes. If the computed root matches the on-chain root, the proof is valid.
Step 4: Result Display
The verification page displays all details and a clear result:
- Verified — The report hash is included in the on-chain Merkle root. The report existed in this exact form at the attested time.
- Failed — The Merkle proof does not match. This could indicate data corruption or an invalid attestation token.
- Pending — The report's attestation batch has not yet been anchored on-chain (attestation runs on a scheduled cadence).
Sharing Verification Links
Verification links are designed for different audiences:
For Auditors
When an auditor requests evidence that a penetration test was conducted, you share three things: the PDF report, the report password, and the verification link. The auditor can:
- Open the report with the password to review findings
- Compute the SHA-256 hash of the PDF themselves (using any standard tool like sha256sum)
- Visit the verification link to confirm the hash matches the on-chain attestation
- Optionally verify the Base L2 transaction directly using a block explorer
This proves that the report they are reading is the same report that was attested on-chain — it has not been modified between the attestation date and the date they received it.
For Customers
When a SaaS vendor wants to demonstrate their security posture to a customer, they can share a verification link without sharing the full report. The customer sees:
- That a pentest was conducted on a specific date
- The scan tier (Standard, Pro, or Blitz)
- That the results are blockchain-attested and tamper-proof
- The attestation timestamp and blockchain transaction reference
This provides assurance that the vendor actually had a pentest performed without revealing potentially sensitive vulnerability details. If the customer needs more detail, they can request the full report separately — the verification link has already established its authenticity.
For Compliance Portals
Many compliance frameworks (SOC 2, ISO 27001) require evidence of regular penetration testing. Verification links can be submitted as evidence artifacts in compliance portals. The portal reviewer can visit the link to confirm the pentest attestation without the organization needing to upload sensitive report files to the compliance platform.
Verification Without TurboPentest
While TurboPentest's verification page makes the process convenient, all the raw data needed for verification is publicly available:
- Report hash — Computed by anyone with the PDF file using sha256sum
- Merkle proof — Stored with the report metadata and provided via the verification link
- Merkle root — Readable from the Base L2 blockchain by anyone, using the transaction hash
- Verification math — Standard Merkle proof verification, implementable in any programming language
This means verification is not dependent on TurboPentest's continued operation. If TurboPentest ceased to exist, the on-chain data and the PDF file are sufficient to prove attestation. The verification link is a convenience layer, not a trust dependency.
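The Merkle proof check described in Step 3 and the "verification math" listed above, as an added Python example that is not TurboPentest's code. It assumes a layout TurboPentest has not documented: leaves are the SHA-256 digests of report PDFs, parents are SHA-256 of left||right, an odd trailing node is paired with itself, and each proof entry records which side the sibling sits on.

```python
import hashlib
from typing import List, Tuple

# Assumed tree construction (not TurboPentest's documented format): leaves are
# the SHA-256 digests of the report PDFs, parents are SHA-256(left || right),
# and an odd trailing node is paired with itself. Each proof entry carries the
# sibling hash and whether it sits to the left or right of the path node.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree, from the leaves up to the single root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2 == 1:
            cur = cur + [cur[-1]]          # pair an odd trailing node with itself
        levels.append([sha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Sibling hashes ('left'/'right', digest) from one leaf up to the root."""
    proof = []
    for level in build_tree(leaves)[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append(("left" if sibling < index else "right", level[sibling]))
        index //= 2
    return proof

def verify_proof(leaf: bytes, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    """Step 3: recompute the path from the report hash and compare with the on-chain root."""
    node = leaf
    for side, sibling in proof:
        node = sha256(sibling + node) if side == "left" else sha256(node + sibling)
    return node == root

# Constructed sample: five fake "report PDFs" stand in for one attestation batch.
REPORTS = [f"constructed report {i}".encode() for i in range(5)]
LEAVES = [sha256(r) for r in REPORTS]
ON_CHAIN_ROOT = build_tree(LEAVES)[-1][0]   # the value the anchoring transaction would carry

if __name__ == "__main__":
    proof = merkle_proof(LEAVES, 3)
    print("verified:", verify_proof(sha256(REPORTS[3]), proof, ON_CHAIN_ROOT))
    print("tampered:", verify_proof(sha256(b"edited report"), proof, ON_CHAIN_ROOT))
```

Replace the constructed sample with the real PDF bytes, the proof served by the verification link, and the root read from the Base L2 transaction to run the same check without TurboPentest's page.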
Link Expiry and Revocation
Verification links do not expire. Once generated, they remain active indefinitely. The attestation they point to is immutable on-chain — there is no mechanism to "un-attest" a report.
However, team administrators can disable a verification link if the attestation token is inadvertently shared with unintended recipients. Disabling the link prevents the TurboPentest verification page from rendering, but it does not affect the on-chain attestation. Someone with the Merkle proof and transaction hash could still perform manual verification using blockchain data.
Batch Verification
For organizations that conduct regular pentests, TurboPentest provides a verification dashboard that shows all attestations for a team. Auditors can be granted read-only access to this dashboard to verify the complete history of pentests, their attestation status, and the blockchain references — all from a single view without needing individual verification links for each report.