Pentest findings — `<year>` Q`<n>` — `<engagement type>`

Template. Copy this file to a dated, snake-cased filename inside apps/docs/content/docs/security/pentest-findings/ for each new engagement. Replace every angle-bracket placeholder before committing. Per-engagement instances are referenced from the pentest template.

Engagement metadata

Field	Value
Engagement type	external annual / internal purple-team Q1 / Q2 / Q3 / Q4
Engagement window	YYYY-MM-DD → YYYY-MM-DD
Lead tester	Name and affiliation (firm name for external; bounded-context for internal)
Participants	List
Scope focus	One sentence summarising what the engagement targeted
Environment	Staging / dedicated purple-team sandbox
Engagement letter / kick-off doc	Internal link or location

Executive summary

One paragraph for the board: scope, posture, total findings by severity, biggest takeaway, headline remediation status.

Findings

For each finding, fill the table below. Add as many rows as needed.

Finding N — `<one-line title>`

Field	Value
Severity	Critical / High / Medium / Low / Informational
CVSS 3.1	Numeric score and vector string
Affected surface	Domain, route, or component
Reproduction	Steps, payloads, account context
Observed impact	What the vulnerability lets an attacker do
Recommended remediation	Suggested fix
Owner	Bounded-context owner taking the action
Remediation due date	YYYY-MM-DD aligned to the severity SLA
Status	Open / In progress / Fixed / Verified / Won't fix (with reasoning)
Linked PR / commit	URL once remediation lands

Which of our existing detectors (anomaly detection, audit-on-failure, SLO alerts, rate-limit hits) triggered during the engagement? Which ones should have but did not? List both — both are useful evidence for SOC 2 CC4.1.

Action items

ID	Description	Owner	Due	Status
AI-1

Sign-off

Role	Name	Date
Lead tester
CISO
CTO

Pentest findings — `<year>` Q`<n>` — `<engagement type>`

Template. Copy this file to a dated, snake-cased filename inside apps/docs/content/docs/security/pentest-findings/ for each new engagement. Replace every angle-bracket placeholder before committing. Per-engagement instances are referenced from the pentest template.

Engagement metadata

Field	Value
Engagement type	external annual / internal purple-team Q1 / Q2 / Q3 / Q4
Engagement window	YYYY-MM-DD → YYYY-MM-DD
Lead tester	Name and affiliation (firm name for external; bounded-context for internal)
Participants	List
Scope focus	One sentence summarising what the engagement targeted
Environment	Staging / dedicated purple-team sandbox
Engagement letter / kick-off doc	Internal link or location

Executive summary

One paragraph for the board: scope, posture, total findings by severity, biggest takeaway, headline remediation status.

Findings

For each finding, fill the table below. Add as many rows as needed.

Finding N — `<one-line title>`

Field	Value
Severity	Critical / High / Medium / Low / Informational
CVSS 3.1	Numeric score and vector string
Affected surface	Domain, route, or component
Reproduction	Steps, payloads, account context
Observed impact	What the vulnerability lets an attacker do
Recommended remediation	Suggested fix
Owner	Bounded-context owner taking the action
Remediation due date	YYYY-MM-DD aligned to the severity SLA
Status	Open / In progress / Fixed / Verified / Won't fix (with reasoning)
Linked PR / commit	URL once remediation lands

Detections observed

Action items

ID	Description	Owner	Due	Status
AI-1

Sign-off

Role	Name	Date
Lead tester
CISO
CTO

Pentest findings template

Pentest findings — `<year>` Q`<n>` — `<engagement type>`

Engagement metadata

Executive summary

Findings

Finding N — `<one-line title>`

Detections observed

Action items

Sign-off

See also

On this page

Pentest findings template

Pentest findings — `<year>` Q`<n>` — `<engagement type>`

Engagement metadata

Executive summary

Findings

Finding N — `<one-line title>`

Detections observed

Action items

Sign-off

See also

On this page