Payloads deployed. Shells cleared. Tools saved. But the job is not done and not even close, because now comes the real work and the most important deliverable, the report.

A solid AppSec testing report doesn't just describe vulnerabilities. It drives action, prioritizes fixes and tells the story of risk in a way that matters to developers, security teams, and business leaders. Let's break down what makes a report actually useful, not just a PDF someone forgets in their inbox.

Know Your Audience

A solid report is structured with precision, but more importantly, it's written with purpose. You're not just dumping vulnerabilities. You're speaking to three core groups:

  1. Technical Stakeholders (Developers, Engineers): They fix the issues. Your report is a blueprint for remediation. Around 70–80% of your report should speak their language. No guesswork. No ambiguity. Just clear, technical, reproducible data.
  2. Security Stakeholders (Internal or External): They drive security strategy and risk acceptance. Whether it's a security advocate on the dev team or an external security manager signing off, this audience needs risk prioritization, attack paths, and remediation themes. Think of it as 10–20% of your report.
  3. Business Stakeholders (Product Owners): They fund the test. They want to know how bad or good the application is, what it means for business, and what happens if they don't fix it. Give them 5–10% of the report. No tech jargon, just the impact.

A Report Structure That Works

None

1. Summary

Audience: Business + Security The summary is your report's elevator pitch. It tells the story before anyone reads the details. In my experience, the most effective approach is to split it into two clear parts

1.1 Executive Summary: What did we test? What did we find? What does it mean in business terms?

1.2 Findings & Recommendations: Vulnerability themes, chained attack vectors, and top-priority fixes.

Make it scannable. Decision-makers should walk away knowing the posture, the risk, and what's next.

None
Security experts performed manual security testing according to the OWASP web application testing methodology, which demonstrates the above results
None

2. Vulnerability Write-Ups: The heart of the report

Audience: Developers This section lives or dies by clarity and actionability. If your findings aren't easy to understand or fix, they won't get fixed. Therefore, you should follow a consistent structure following a battle-tested format throughout the report:

  • Title: E.g., "Unauthenticated SQL Injection on Login Endpoint"
  • Risk Rating: Use CVSS or the client's risk matrix
  • Summary: What is this issue, and why should anyone care?
  • Background: Help non-security devs understand the root cause
  • Technical Evidence: Show your work as a PoC. Burp/ZAP requests, responses, payloads and screenshots.
  • Impact: Realistic, contextualized damage an attacker could do (not generic doom-talk)
  • Remediation: Fix the root cause, not just symptoms. Always, it is a good practice to suggest defense-in-depth strategies, but make it clear what's core vs. optional.
  • References: docs, CVEs, or OWASP links to guide devs further.
None

Sample SQL Injection Write-Up

Title: SQL Injection Vulnerability in Login form (Unauthenticated Access)

Risk Rating: High (CVSS v3.1 Score: 8.6)

Summary: A critical SQL injection flaw has been discovered in the login functionality of the XYZ banking platform. The issue allows unauthenticated users to manipulate backend SQL queries, potentially enabling them to bypass login controls or retrieve confidential customer data.

Background: SQL injection vulnerabilities arise when user input is directly embedded into dynamic SQL queries without the use of prepared statements. Without input validation or parameterized queries, the database cannot differentiate between user data and actual SQL syntax. It opens the door for malicious input to alter the logic of queries. Hence, this vulnerability is commonly used by attackers to gain unauthorized access or leak sensitive information from the database.

Technical Evidence: The login form at /login was vulnerable to SQL injection via the username field. Using Burp Suite, the following HTTP request was intercepted and modified.

POST /login HTTP/1.1
Host: xyz.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
username=' OR 1=1--&password=randomvalue

The application responded with a 302 Found redirect to the authenticated user dashboard:

HTTP/1.1 302 Found
Location: /dashboard
Set-Cookie: sessionid=xyz123abc456; Path=/; HttpOnly

This confirmed that authentication was bypassed using a classic SQL injection payload.

Impact: A malicious user could gain access to any account on the application without needing valid login credentials. Although the injection point exhibits blind SQL injection behavior, it is still possible for an attacker to extract database information by using error-based techniques to gradually enumerate data.

Remediation: All SQL queries that handle user input should use parameterized statements to prevent injection attacks. For instance, in a .NET environment with a Microsoft SQL Server backend, the authentication logic should be rewritten using parameterized queries similar to the example below.

string query = "SELECT * FROM Users WHERE Username = @username AND Password = @password";
SqlCommand command = new SqlCommand(query, connection);
command.Parameters.AddWithValue("@username", usernameInput);
command.Parameters.AddWithValue("@password", passwordInput);

References: https://owasp.org/www-community/attacks/SQL_Injection

3. Appendices

Audience: Security Teams

There isn't usually a fixed format for appendices. However, there are two main appendices that you should always aim to include in your report.

  • Assessment Scope: Was the full target covered? Were parts unreachable? If only 80% of the scope was tested, call that out.
  • Assessment Artifacts: Uploaded payloads, test files, and web shells. Clean up where possible, but document anything that could remain, as it is often impossible to fully remove all artifacts created due to security testing. Don't let your PoC become tomorrow's incident.

Reporting Do's & Don'ts

None

Do:

  • Use past tense and third person.
  • Stick to facts, no drama, no assumptions.
  • Standardize formatting and avoid switching between different spellings or terms for the same thing.
  • Mask sensitive data in screenshots.
  • Write professionally, formally, clearly and free from bias.
  • Peer review your own work after a break.

Don't:

  • Use informal language or slang like, "We owned the login."
  • Insert personal opinions or blame.
  • Overuse acronyms or security jargon.
  • Recommend half-fixes (like input validation instead of parameterization).

Conclusion

At the end of the day, a solid AppSec test report isn't just a checklist. It is a communication tool, risk advisory, and technical playbook in one. If no one reads it or worse, no one understands it, you've wasted your best chance to create real security impact.

Writing a report that gets read, respected, and acted upon—that's where your job as an application security engineer truly begins.

Happy AppSec 🦉

☕️ Found this post helpful & want to support? buymeacoffee.com/pranieth