How to Write a Professional API Penetration Test Report (With Complete Template)
A step-by-step framework for security documentation that drives action, with a production-ready template based on OWASP API Top 10 testing.
When I completed the 12-hour API Penetration Testing course at APISEC University, I wrote a comprehensive security assessment report for the crAPI lab environment. My instructor called it the best in the cohort.
Then, classmates started asking for copies, some even used it to complete job application assessments and got hired.
So what made it different?
Most penetration testing reports fail for three reasons:
They’re too long - 40+ pages of every command you ran, drowning the critical findings in noise.
They bury the impact - Technical jargon before business risk, making it impossible for decision-makers to prioritize.
They’re not actionable - Generic “fix this vulnerability” recommendation without specific remediation steps developers can actually implement.
The result? Reports that sit unread in email folders. Security findings that never get patched. Vulnerabilities that remain exploitable.
This guide will show you how to write reports that actually drive action—with a complete, production-ready template, you can adapt for your own assessments.
What You’ll Learn
The 5-element framework every pentest report needs to be effective.
How to structure for dual audiences (executives AND developers).
Common mistakes that make reports ineffective (and how to avoid them).
A complete working example following these principles (crAPI assessment)
How to adapt this template for client work, job applications, or academic submissions, whether you’re a security student building your portfolio, a junior pentester improving documentation skills, or someone interviewing for AppSec roles, this guide will help you communicate findings more effectively.
Let’s dive in.
Part 1: The Framework - Why Most Pentest Reports Fail
The Harsh Reality About Security Reports
I’ve reviewed dozens of penetration testing reports from students and junior professionals. Most make the same fatal mistakes:
The “Command Dump” Report
Twenty pages of nmap scans, Burp Suite logs, and curl commands. Every single request is documented. The actual vulnerabilities? Buried on page 17.
The “Tech Jargon” Report:
“Identified BOLA in the REST endpoint with CVSS 9.0.” Great. What does that mean for the business? How do we fix it? Silence...
The “Fix It” Report
“Implement proper input validation.” Thanks, but... HOW? What specific code change? What library? What validation rules?
These reports demonstrate technical skill but fail at their primary job:
making security actionable.
The 5 Elements Every Effective Pentest Report Needs
After analyzing what worked in my crAPI report (and what didn’t in earlier attempts), I identified five non-negotiable elements:
1. Executive Summary That Executives Actually Read
Your summary should answer these questions in 60 seconds or less:
What did you test?
What’s critically broken?
What’s the business impact?
What must happen immediately?
Bad example:
“Seven critical vulnerabilities were identified during the assessment of the crAPI application deployed in a Docker environment.”
Good example:
“We discovered 7 critical flaws enabling complete account takeover in under 10 minutes. Attackers can access real-time GPS location for any user, create unlimited account credit through negative pricing exploits, and execute admin functions without authorization.
Without immediate action within 48 hours, this creates severe data breach, financial fraud, and regulatory compliance risk.”
The difference? The second one tells decision-makers WHY they should care and WHEN they need to act.
2. Technical Findings Developers Can Actually Fix
For each vulnerability, you need five components:
What it is (1-2 sentences, minimal jargon)
Don’t assume your reader knows what “BOLA” means. Explain it: “The API returns GPS coordinates for any vehicle ID without checking if the requester owns that vehicle.”
How you found it (reproducible proof-of-concept)
Include actual commands with expected vs. actual output:
bash
curl -X GET http://api.example.com/vehicles/247/location
-H “Authorization: Bearer ATTACKER_TOKEN”
#Expected: 403 Forbidden
#Actual: 200 OK with GPS coordinatesWhy it matters (business impact, not just CVSS)
CVSS 9.0 means nothing to a product manager. “Real-time stalking of any user, creating safety risks and GDPR Article 9 violations,” creates urgency.
How to fix it (specific remediation with code examples)
python
# Add this check before returning location
if vehicle.owner_id != current_user.id and not current_user.is_admin:
return jsonify({”error”: “Forbidden”}), 403How to verify the fix (testable commands)
Give developers a way to confirm their fix works:
bash
# Run this test - should return 403
curl -X GET http://api.example.com/vehicles/247/location \
-H “Authorization: Bearer NON_OWNER_TOKEN”3. Proof of Concept That Proves You’re Not Guessing
Every claim needs evidence. Developers are skeptical (rightfully so).
They need to see the vulnerability in action.
Include:
Commands you ran (copy-pasteable, not screenshots of commands)
Expected vs. actual behavior (what should happen vs. what does happen)
Screenshots showing the exploit succeeding
Impact demonstration (not just “it’s vulnerable” but “here’s the stolen data”)
Example:
bash
# OTP brute-force demonstration
wfuzz -z range,0000-0100 \
-d ‘{”email”:”victim@example.com”,”otp”:”FUZZ”}’ \
http://api.example.com/auth/verify-otp
# Result: Valid OTP found at 0042 after 43 attempts
# Time elapsed: 8 seconds
# No rate limiting triggeredThis removes all doubt. The vulnerability is real, exploitable, and urgent.
4. Remediation Roadmap That Respects Reality
Your client can’t fix everything at once. They have limited developer time, competing priorities, and existing technical debt.
Prioritize remediations into three phases:
Immediate (0-7 days): Stop Active Exploitation
Focus on high-severity issues with low implementation complexity:
Disable vulnerable API v2 endpoints (2 hours)
Add rate limiting to auth endpoints (4 hours)
Remove PII from public API responses (4 hours)
Short-term (1-4 weeks): Strengthen Security Posture
Medium-complexity fixes that prevent similar issues:
Implement object-level authorization checks (40 hours)
Add input sanitization framework (24 hours)
Deploy WAF with injection rules (8 hours)
Long-term (1-3 months): Sustainable Security
Architectural improvements and process changes:
Adopt API contract testing in CI/CD (80 hours)
Implement comprehensive monitoring (60 hours)
Security training program for developers (ongoing)
Include effort estimates. “Fix authorization” is overwhelming.
“Add ownership check - 8 hours” is actionable.
5. The Human Element: Make It Readable
Technical accuracy is necessary but not sufficient. Your report also needs:
Clear structure
Use consistent heading hierarchy (H1 - H2 - H3). No skipping levels.
Readers should be able to scan and find information quickly.
Logical flow
Order findings by severity (critical — high — medium) OR by discovery chronology (reconnaissance — exploitation — post-exploitation). Pick one and stick with it.
Appropriate tone
Professional but not robotic. You’re helping them solve problems, not judging their competence.
Avoid: “The developers failed to implement...”
Use: “The application currently lacks authorization checks...”
Audience targeting
Executives don’t need TCP-Dump output. Developers don’t need a risk quantification methodology. Use section structure to serve both:
Executive Summary — business stakeholders
Technical Findings — engineering teams
Remediation Roadmap — project managers
Common Mistakes (And How to Avoid Them)
Mistake #1: Treating It Like a Lab Writeup
Problem: Your professor wants to see your methodology. Your client wants solutions.
Fix: Keep methodology brief (1 paragraph). Focus 80% of the content on findings and remediation.
Mistake #2: CVSS Scores Without Context
Problem: “CVSS 9.0 (Critical)” means nothing to non-security people.
Fix: Always pair scores with business impact:
“CVSS 9.0 - Account takeover enabling access to payment methods, vehicle tracking, and service history.
Estimated impact: $500K fraud exposure, regulatory fines up to €20M (GDPR Article 83).”
Mistake #3: Generic Remediation Advice
Problem: “Follow OWASP best practices” is not actionable.
Fix: Provide specific implementation guidance:
python
# Instead of: “Implement proper input validation.”
# Write this:
from flask import request, jsonify
def validate_vehicle_id(vehicle_id):
if not isinstance(vehicle_id, int):
return False
if vehicle_id < 1 or vehicle_id > 999999:
return False
return True
@app.route(’/vehicles/<int:vehicle_id>/location’)
def get_location(vehicle_id):
if not validate_vehicle_id(vehicle_id):
return jsonify({”error”: “Invalid vehicle ID”}), 400
# ... rest of logic
Mistake #4: No Visual Hierarchy
Problem: Wall-of-text reports don’t get read.
Fix: Use formatting strategically:
Bold for key terms and severity ratings
`
Code blocks`for commands and responsesTables for comparison or summary data
Bullet points for lists (but not excessively)
Screenshots for visual proof (but don’t overuse)
Mistake #5: Burying the Lead
Problem: Critical findings appear on page 15 after the methodology. scope, tools used, limitations, etc.
Fix: Executive Summary on page 1. Critical findings on page 2. Everything else after.
Now Let’s See These Principles in Action
Below is the complete penetration testing report I wrote for the crAPI lab environment.
This report follows the 5-element framework above. It:
Documents 8 vulnerabilities (7 critical, 1 high) with complete PoCs
Maps findings to OWASP API Top 10 for industry-standard classification
Provides actionable remediation with verification steps
Balances technical depth with business impact explanation
Context: crAPI (Completely Ridiculous API) is an intentionally vulnerable application designed to teach OWASP API Security Top 10 vulnerabilities. This was written as part of my APISEC University certification course: API Penetration Testing.
How to use this:
Students: Study the structure and adapt it for your own lab reports
Practitioners: Use as a template for client engagements (see adaptation guide below)
Job seekers: Demonstrate documentation skills in technical assessments
Hiring managers: See what effective security communication looks like
Let’s dive into the full report.
LINK TO FULL PENETRATION TEST REPORT TEMPLATE
# Part 2: Adapting This Template for Your Own Reports
The template above was written for a lab environment. Here’s how to modify it for different real-world scenarios:
For Client Engagements
What to Change:
Document Control Section
Replace “APISEC University” with the actual client name
Add engagement dates, tester names, and version control
Include NDA/confidentiality notice in footer
Add classification marking (”CONFIDENTIAL - Client Name Only”)
Tone and Narrative
Remove learning narrative (”how I discovered this”)
More formal language (less personal, more professional)
Remove methodology details clients didn’t ask for
Focus on impact to THEIR specific business context
Risk Context
Tailor business impact to the client’s industry
Healthcare: HIPAA violations, patient safety
Finance: PCI-DSS, financial fraud, regulatory
SaaS: Customer trust, competitive damage
Remediation
Account for client’s tech stack (Java vs Python vs Node.js)
Consider their deployment model (cloud vs on-prem)
Realistic timelines based on their team size and velocity
What to Keep:
Finding structure (Vuln — PoC — Impact — Remediation — Verify)
OWASP mappings (industry-standard framework)
Verification commands (clients need to test fixes)
Clear executive summary (decision-makers are busy)
Example Modification:
Lab version:
“This vulnerability was discovered while exploring authentication flows during the training exercise...”
Client version:
“Assessment of the authentication API revealed a critical vulnerability in OTP validation...”
For Job Application Technical Assessments
What to Change:
Emphasize Your Methodology
Show your thinking process, not just results
Explain why you chose certain tools or approaches
Document dead ends and how you overcame them
Demonstrate systematic testing, not lucky finds
Add Tools and Technologies Section
List everything you used (shows technical breadth)
Explain the tool selection rationale
Include custom scripts you wrote
Include More Screenshots
Prove you actually performed the testing.
Show your workspace, tools, and process.
Demonstrate comfort with professional tooling.
Explain Trade-offs
“I prioritized these endpoints because...”
“I would test X next if I had more time...”
“Alternative approaches include Y, but I chose Z due to...”
What to Keep:
Professional formatting (this IS your work sample)
Clear executive summary (hiring managers scan first)
Actionable remediation (shows you think beyond breaking things)
Complete PoCs (this proves technical competence)
Example Addition:
Testing Approach Rationale
I began with passive reconnaissance to understand the API surface without triggering alarms. After mapping endpoints via traffic capture, I prioritized authentication and authorization testing since these are consistently the highest-risk areas (per OWASP API Top 10).
The OTP brute-force discovery came from noticing version discrepancies in the captured spec—a common real-world scenario where legacy endpoints lack modern protections.
For Academic Submissions
What to Change:
Add Detailed Methodology Section
Explain your systematic approach
Document tools with version numbers
Cite academic sources and frameworks
Include testing timeline and phases
Include Literature Review
Reference relevant security research
Cite OWASP, NIST, and academic papers
Show awareness of the current threat landscape
Add Reflection Section
What you learned from the exercise
How findings relate to coursework
What you would do differently
Future research directions
Document Challenges
Technical obstacles encountered
How you overcame limitations
Tools that didn’t work and why
Learning moments
What to Keep:
Finding documentation (evidence of work)
Proper citations for tools and frameworks
Professional structure (prepares you for a career)
Technical accuracy (demonstrates understanding)
Example Addition:
Reflection and Learning Outcomes
This assessment reinforced concepts from the OWASP API Security Top 10 module, particularly the prevalence of authorization flaws. The BOLA vulnerability in Finding #2 exemplifies the principle that authentication is not sufficient—applications must also verify resource ownership (Kumar et al., 2023).
If repeating this assessment, I would implement automated regression testing to verify findings remain exploitable, reducing false positives that waste stakeholder time.
Tools & Resources for Creating Your Reports
Report Writing Platforms:
Google Docs (Recommended for beginners)
Markdown + Pandoc (Recommended for version control)
Notion (Good for portfolio/templates)
Evidence Capture Tools:
Screenshots:
Flameshot (Linux) - annotation support
Greenshot (Windows) - auto-naming
Cmd+Shift+4 (Mac) - native, fast
Terminal Recording:
asciinema - shareable terminal sessions
script command - simple text logs
OBS Studio / Bandicam - video recording for complex demos
Traffic Capture:
Burp Suite - request/response export
mitmproxy - Python script integration
Wireshark - network-level capture
Not limited to these, there’s more if you do your research
Formatting & Visual Design:
So basically, you’ve got a bunch of tools here for making stuff look good, right? Like, if you need code screenshots, there’s Carbon and ray.so which just make your code snippets pop. Then for diagrams, you’ve got options depending on your vibe - Excalidraw if you want that casual hand-drawn look, Draw.io when you need to be all professional about it, or Mermaid if you’re lazy and just want to write code that becomes a diagram. And tables? Markdown generator, Google Sheets exports, or Canva if you’re feeling fancy.
TL;DR: Tools for prettifying code snippets, creating diagrams (hand-drawn or professional), and making nice-looking tables.
Template Checklist: Before You Submit
Use this checklist to verify your report is complete:
Structure
Executive summary answers: What? Risk? Impact? Action?
Findings ordered logically (severity or chronology)
Each finding has all 5 components (what, how, why, fix, verify)
Remediation roadmap with phases and effort estimates
Contact info and next steps clearly stated (optional)
Content
Every technical claim has proof (PoC, screenshot, log)
Business impact explained for every finding
Remediation is specific enough to implement
Verification steps testable by developers
No jargon without explanation
Quality
Zero typos or grammar errors (read aloud to catch them)
Consistent formatting throughout (headings, code blocks, spacing)
Screenshots cropped and captioned appropriately
Code blocks are syntax-highlighted and properly indented
All links are working (if digital submission)
Audience
Executive summary readable by non-technical stakeholders
Technical findings are detailed enough for developers
Tone appropriate for context (client/academic/job application)
Sensitive information properly redacted or sanitized
If you’ve checked all boxes, your report is ready to ship.
Part 3: Lessons Learned and My Journey
What I Got Right (Looking Back)
When I first wrote this report in August 2025 during my APISEC University training, I was focused on one goal: to demonstrate that I could find vulnerabilities.
Looking back now, months later, while preparing for my ASCP certification, I see what really made this report valuable wasn’t the technical discoveries (crAPI is intentionally vulnerable—anyone can find these flaws). It was the communication.
Here’s what worked:
Clear prioritization: Executives could make decisions quickly, not “here are 47 findings” but “here are 7 critical issues requiring immediate action within 48 hours.”
Complete PoCs: Developers could reproduce without back-and-forth.
Every finding included copy-paste commands with expected output.
Zero ambiguity about whether it’s real or theoretical.Specific remediation: Implementation team knew exactly what to code, not “implement input validation” but “add this sanitization function before database queries (see code example).”
Business context: Non-security stakeholders understood that the impact “CVSS 9.0” means nothing. “Account takeover leading to GPS stalking and $500K fraud exposure” creates urgency.
What I’d Do Differently
1. Add More Exploitation Chain Examples
The two chains I documented (Account Takeover + Location Stalking, Financial Fraud + Admin Escalation) were good. But I could have shown 5-6 more combinations to really demonstrate how vulnerabilities compound.
In real attacks, hackers rarely use a single vulnerability. They chain multiple weaknesses. Showing these chains helps clients understand why “medium severity” findings matter when combined.
2. Include Automated Remediation Verification Scripts**
I provided curl commands to verify fixes. Better would be a Python script that runs all verification tests and outputs a pass/fail report.
python
# What I should have included:
# verify_fixes.py - runs all verification tests
def test_otp_rate_limiting():
for i in range(20):
response = requests.post(OTP_URL, json=payload)
if i > 10 and response.status_code == 429:
return “PASS”
return “FAIL”
# Run all tests, generate reportThis makes remediation verification trivial for dev teams.
3. Add “Quick Wins” Section in Executive Summary
Some fixes take 5 minutes. Others take 5 weeks. I should have highlighted the quick wins upfront:
“Three vulnerabilities can be patched in under 2 hours total:
Disable API v2 endpoints (30 min)
Remove PII from response DTOs (45 min)
Add price validation (45 min)
Implementing these immediately reduces exposure by 60%.”
This gives overwhelmed teams a clear starting point.
My Current Journey: From CASA to ASCP
Right now, I’m deep in ASCP (API Security Certified Professional) certification prep. Yesterday, I completed 4 SQL injection labs on PortSwigger Academy—exploring how database injection vulnerabilities manifest in APIs versus traditional web apps.
The difference? APIs often return structured JSON with database errors embedded, making blind injection techniques more detectable, but also easier to exploit once found.
I’m also exploring the intersection of security and digital policy. As a Sociology & Anthropology student, I’m particularly interested in how technical security decisions affect marginalized communities—and how policy can make the Internet safer without stifling innovation.
Recent focus areas:
LLM/AI security (prompt injection, model extraction, data poisoning)
Web & Mobile Pentesting
Research… I love doing research.
Digital rights and Internet governance in Africa
If you’re on a similar path—learning security, building your portfolio, or preparing for certifications—I’d love to connect and share knowledge.
What’s Next for You
If you’ve read this far, you understand what makes penetration testing reports effective. Now it’s time to put it into practice.
Your action plan:
Pick a target (lab environment, bug bounty, CTF, or course project)
Test systematically (don’t just hunt bugs—document your process)
Use this template (structure findings with the 5-element framework)
Get feedback (share with peers, instructors, or mentors)
Iterate and improve (your first report won’t be perfect—mine wasn’t)
The best way to improve security communication is by doing it repeatedly.
Every report you write makes the next one better.
Download & Share This Template
This report template is free to use, adapt, and share. No attribution required, but appreciated if you found it helpful.
Available formats:
PDF (reference): Link to PDF
Questions or feedback?
Comment below, DM me on LinkedIn. I read everything and respond to genuine questions.
Found this useful?
Share it with someone else learning security documentation. Let’s raise the standard for pentest reports together.
Connect:
Portfolio: https://bit.ly/MeetBlessingAgbor
If you’re hiring for technical writing, security documentation, or AppSec roles, I’m actively seeking opportunities.*
OMG!!!
This is a lot of good stuff.
Thank you so much for sharing.