How to Interpret and Act on Penetration Test Results

A penetration test report is the document a tester gives you after the engagement, setting out every weakness found, how serious each one is, and how to fix it. Acting on it means reading the findings in priority order, remediating the critical and high issues first, then retesting to confirm the fixes hold.

What does a penetration test report contain?

A penetration test report typically contains five things: an executive summary, the scope of what was tested, the methodology the tester followed, the findings with a severity rating and evidence for each, and remediation guidance. Read together, they tell you what was assessed, what is wrong, and what to do about it.

The executive summary is written for non-technical readers: founders, the board, a customer’s security team. It states the overall risk and the headline findings in plain language. The scope and methodology sections record what was in and out of bounds and how the test was run, often referencing a recognised approach such as the OWASP testing guidance. The findings are the substance of the report. Each one names the vulnerability, rates its severity, shows evidence that it is real, and explains how to remediate it.

Evidence matters more than people expect. A finding backed by a request, a response and a screenshot is one your engineers can reproduce and fix. A finding without evidence is one they will spend a day arguing about. Good reports show their working for every issue they raise.

How do severity ratings work?

Severity is commonly scored with the Common Vulnerability Scoring System (CVSS), which produces a number from 0.0 to 10.0. Testers translate that number into a band, critical, high, medium or low, so a reader can sort the report without reading every technical detail. The score reflects how easy a weakness is to exploit and how much damage it would do.

SeverityCVSS rangeWhat it meansTypical action
Critical9.0 to 10.0Easily exploited, severe impactFix immediately
High7.0 to 8.9Serious, likely to be exploitedPrioritise remediation
Medium4.0 to 6.9Limited impact, still worth fixingSchedule a fix
Low0.1 to 3.9Minor weaknessMonitor and document

The CVSS score is a starting point, not the final word. It rates a vulnerability in the abstract; it does not know that the affected system holds your customer data or sits behind three other controls. A medium-rated issue on an internet-facing service that exposes personal data can warrant faster action than a high-rated issue on an isolated internal tool. Read the rating, then weigh it against your own exposure. The CVSS specification from FIRST sets out how the scores are built.

How do you prioritise what to fix first?

Critical and high findings are remediated first, because those are the issues an attacker is most likely to reach and exploit. Within that, sort by business risk: what the affected system does, what data it holds, and whether it is exposed to the internet. Severity tells you how dangerous a weakness is in general; your context tells you how dangerous it is to you.

A workable order of questions for each finding:

  • Is the affected system reachable from the internet, or only internally?
  • Does it process or store customer or personal data?
  • How hard is the weakness to exploit in practice?
  • What breaks, legally or operationally, if it is exploited?

Do not dismiss the low findings outright. Attackers chain minor weaknesses together, and an information leak plus a weak configuration can add up to a real route in. Log every low finding, decide whether to fix or accept it, and record the decision. That record is part of the audit trail your compliance work will draw on later.

How do you remediate and retest?

Remediation turns the report into a plan. For each finding you keep, assign an owner, agree a deadline that matches the severity, and fix the root cause rather than the symptom. A vulnerability caused by an outdated dependency is solved by patching and a process to keep it patched, not by a one-off change that drifts back within a month.

Once the fixes are in, a retest validates them. The tester checks each remediated finding to confirm it is genuinely closed and that the fix has not opened something new. Without a retest you have a list of things you believe you fixed; with one you have evidence that you did. A good provider includes retesting so the loop actually closes. Document what was changed, when, and by whom, because that documentation is what an auditor and a customer will ask to see.

Treat testing as a cycle, not a single event. Re-test after significant changes to your application or infrastructure, and on a regular schedule, so new weaknesses are caught while they are cheap to fix. For an earlier-stage view of when and what to test, see our guide to penetration testing for startups.

How does the report support compliance?

Penetration test reports are used as evidence in SOC 2 and ISO 27001 audits, and in the security reviews customers run before they buy. The report, plus proof that you acted on it and retested, shows an assessor that you actively find and fix weaknesses rather than assuming none exist. That is what these frameworks are checking for.

For SOC 2, the report and your remediation record support the controls that cover vulnerability management and risk assessment. For ISO 27001, the same evidence feeds the standard’s expectations around technical assessment and continual improvement. In a customer security review, a recent report and a clear remediation history answer the question buyers really want answered: do you take this seriously, and can you prove it.

The point auditors and buyers look for is not a clean report with zero findings, which rarely exists and looks suspicious when it does. It is a report with findings that have been triaged, fixed in a sensible order, and retested. The trail matters as much as the result.

How Atoro helps

Atoro is Europe’s first ISO 42001 certified consultancy, with more than 200 certifications delivered across security and compliance. Our penetration testing services produce reports written for both engineers and decision-makers, with severity rated by CVSS, evidence for every finding, and remediation guidance you can act on. Retesting is included, so the fixes are validated and the report stands up as audit evidence.

Penetration test report FAQs

What is in a penetration test report?

A penetration test report typically includes an executive summary, the scope of the test, the methodology used, the findings with a severity rating and supporting evidence for each, and remediation guidance. Together these explain what was tested, what is wrong, and how to fix it.

How are penetration test findings scored?

Findings are commonly scored using the Common Vulnerability Scoring System (CVSS), which gives each vulnerability a number from 0.0 to 10.0. That number maps to a severity band of critical, high, medium or low, reflecting how easily the weakness can be exploited and how much damage it would cause.

What should you fix first after a pen test?

Fix critical and high severity findings first, then weigh each issue against your own exposure: whether the system is internet-facing and whether it holds customer or personal data. Severity ratings rank danger in general; your business context decides the final order.

Should you ignore low severity findings?

No. Attackers chain low severity weaknesses together to build a more serious route in. Log every low finding, decide whether to fix or formally accept it, and record that decision so you have a clear audit trail.

What is a retest?

A retest is a follow-up check after you have remediated the findings. The tester verifies that each issue is genuinely resolved and that the fix has not introduced a new weakness. It gives you evidence that the fixes work rather than an assumption that they do.

Does a penetration test report help with SOC 2 and ISO 27001?

Yes. Penetration test reports are used as evidence in SOC 2 and ISO 27001 audits and in customer security reviews. The report, together with a record of remediation and retesting, shows that you actively identify and fix weaknesses, which is what these frameworks expect.

Is a report with no findings a good sign?

Not necessarily. A report with zero findings is rare and can suggest the scope was too narrow or the test too shallow. Assessors and buyers look for findings that have been triaged, fixed in a sensible order and retested, because the remediation trail tells them more than a clean result does.