what you walk away with

Six artifacts every engagement produces.

No matter the service: a written report, working proofs of concept, an engineer readout, a retest, an attestation letter, and source materials. Below: what each one is and what to do with it.

01. in scope

What's in scope.

The six standard deliverables.

Written report

Executive summary, methodology, finding catalog, severity, exploit path, business impact, remediation steps, retest checklist. PDF and markdown, your choice.

Working PoCs

Reproducible exploit code, payload files, or step-by-step instructions. Your engineers can verify every finding before they triage it.

Engineer readout

60 to 90 minutes, live, with your engineering team. Walk every finding. Answer questions. Agree on remediation order before the call ends.

Retest

One round of post-fix retest, scheduled within 30 days. Findings marked resolved, partially resolved, or open with notes. New report appended.

Attestation letter

Signed by the engineer who ran the test. For SOC 2 auditors, customer security teams, insurance underwriters, regulators. One page.

Source materials

Markdown source of every finding, captured requests and responses, and tool output where relevant. Useful for adding to your wiki or training the next engineer.

02. how we work

How we work on it.

When each deliverable lands.

  1. Day 0 (kickoff): Scoping confirmed. SOW signed. No deliverable yet.
  2. Days 1 to 14 (active testing): Daily Slack updates on critical findings. Live PoC links in Slack so engineers can start triage before the report.
  3. Days 15 to 20 (report): Report drafted and reviewed internally. You see it before any third party.
  4. Day 21 (readout): Live engineer walkthrough. Q&A. Remediation prioritization agreed.
  5. Day 51 (retest): Within 30 days of the report. One round. Final report appended. Attestation letter delivered with retest results.

03. deliverables

What you walk away with.

Report quality benchmarks.

Severity reflects business impact

Not just CVSS. We rate exploitability against your environment, your data, your customers. A high-CVSS finding in an unreachable code path may be medium for you.

Every claim is reproducible

If we say it works, the PoC works on the version we tested. We pin commit hashes, model versions, configuration state.

Fixes are concrete

Not "consider implementing input validation." Specific code-level recommendations, with examples in your language and framework.

Audit-ready evidence trail

Each finding has an ID, a timestamp, a methodology reference, and a retest status. Drop it directly into your GRC tool.

04. when

When teams hire us for this.

Format options we offer on request.

Markdown source

Every finding as a standalone markdown file with frontmatter. Drop into Notion, Confluence, Linear, Jira.

Customer-facing summary

A redacted version suitable for sharing with your enterprise customers under NDA. Removes internal-only context.

Board narrative

Three-to-five-page write-up for the board or audit committee. Strategy and trends, not tooling.

Regulator format

For finance, healthcare, or critical-infrastructure clients, formatted to the regulator template you use.

05. faq

Questions before the call.

Deliverables FAQ.

Can we add or remove deliverables?

Yes. The list above is the default. Customer-facing summary, board narrative, and regulator format are common adds. Removals are rarer (the report and PoCs are not removable).

Do we get the report in our format?

Yes. Markdown source is included by default; PDF is templated to our format unless you ask for yours.

How long do you keep the source materials?

Seven years by default, encrypted at rest in a single-tenant environment. Deletable on request after a project, subject to legal hold.

Can you ship findings to our ticket tracker directly?

Yes. Linear, Jira, GitHub Issues, ServiceNow. We can post each finding as a ticket with the correct project, label, and assignee.

What if a finding is wrong?

It happens. We rerun the PoC with you on the call, and if the finding is invalid, we mark it withdrawn in the final report. We do not pad the catalog.

See the sample report.

The format auditors and engineering teams have been accepting since 2019. Download the latest version, or ask for a redacted real-engagement copy under NDA.