Not a generic PDF. Real findings, real evidence, real verification. Download sample deliverables to see the Opsfolio difference.
What you'll receive:
A complete sample report showing our methodology, finding format, evidence quality, and compliance mapping approach.
A professional RoE template that demonstrates our commitment to safety, clarity, and professional engagement practices.
Questions? Contact us or explore our services
Review the full sample report below to understand our methodology, finding format, and evidence quality.
Human-Led Offensive Security with Audit-Ready Evidence
SAMPLE / DEMONSTRATION DOCUMENT
Client: Sample Company (Mid-Market SaaS)
Assessment Type: Web Application Penetration Test
Testing Period: November 4-15, 2024
Prepared By: Opsfolio Security Team
CONFIDENTIAL - This document contains sensitive security information. Distribution is limited to authorized personnel only. Sample document for evaluation purposes.
Overall Security Posture: Moderate Risk
Total Findings: 7
Remediated & Verified: 5 of 7
Authorization Controls
Object-level access controls require strengthening to prevent unauthorized data access.
Session Management
Session tokens are generated by a time-based algorithm with insufficient entropy and can be predicted; generation should move to a cryptographically secure random source.
Information Disclosure
Error handling reveals implementation details that could aid attackers.
Strong Foundations
Authentication mechanisms and transport security are well-implemented.
The identified findings have relevance to SOC 2 Trust Service Criteria (CC6.1, CC6.6, CC7.2), ISO 27001 Annex A controls, and CMMC access control practices. Remediation of the high-severity authorization finding is recommended before the upcoming SOC 2 Type II audit window.
app.samplecompany.com - Primary web application
api.samplecompany.com - REST API endpoints (v2)
Testing Window: Nov 4-15, 2024
Testing Hours: 09:00-18:00 EST
Testing Team: 2 Senior Consultants
Define objectives, scope, and rules of engagement
Information gathering and attack surface mapping
Manual and tool-assisted vulnerability identification
Document findings with reproducible evidence
Risk-ranked findings with remediation guidance
Validate fixes and produce verification artifacts
Our methodology combines manual expert analysis with tool-assisted scanning. All findings are manually validated to eliminate false positives. When available, we incorporate design documentation and code context to provide more targeted testing and accurate remediation guidance.
| ID | Title | Severity | Status |
|---|---|---|---|
| WEB-001 | Insecure Direct Object Reference in User API | High | Verified |
| WEB-002 | Session Token Predictability | Medium | Verified |
| WEB-003 | Verbose Error Messages Exposing Stack Traces | Low | Open |
Critical: 0 | High: 1 | Medium: 2 | Low / Info: 4
The user profile API endpoint accepted a user ID as a request parameter and returned or updated the matching record without checking that the authenticated caller owned it. An authenticated user could change the ID to read or modify other users' profile information, including email addresses and account settings.
This vulnerability could allow unauthorized access to customer PII, account takeover scenarios, and regulatory compliance violations under GDPR, CCPA, and, where the application processes protected health information, HIPAA. Exploitation would likely trigger mandatory breach notification requirements.
1. Authenticate as User A and capture a valid session token
2. Using User A's session token, send a GET request to /api/v2/users/{USER_B_ID}
3. Observe that User B's profile data is returned
[Evidence: Screenshot and request/response logs redacted]
Implement server-side authorization checks to verify the authenticated user has permission to access the requested resource. Use session-bound user context rather than user-supplied IDs for ownership verification. Consider implementing UUID-based identifiers to reduce enumeration risk.
Retest Note: Verified on November 18, 2024. Authorization checks now properly enforce user-resource ownership. Attempted access to other users' profiles returns 403 Forbidden.
Session tokens were generated using a time-based algorithm with insufficient entropy. Analysis of multiple tokens revealed a predictable pattern that could potentially allow an attacker to guess valid session identifiers.
Exploitation requires significant effort, but a successful prediction yields account takeover without credentials. This is rated Medium and should be addressed to maintain security posture.
Replace the current token generation mechanism with a cryptographically secure random number generator (CSPRNG). Ensure tokens have at least 128 bits of entropy. Consider implementing token binding to further reduce session hijacking risks.
Retest Note: Verified on November 19, 2024. Token generation now uses crypto.randomBytes() with 256-bit entropy. Statistical analysis confirms no predictable patterns.
Application errors return detailed stack traces and internal path information to end users. While not directly exploitable, this information disclosure aids attackers in understanding the application architecture and identifying potential attack vectors.
Implement a global error handler that returns generic error messages to users while logging detailed information server-side. Ensure production environment variables are properly configured to disable debug mode.
Status: Scheduled for remediation in next sprint. Risk accepted for current release cycle due to low severity and defense-in-depth controls.
All artifacts from this engagement are stored in Opsfolio as structured, auditor-ready evidence. This Evidence Pack can be used for SOC 2, ISO 27001, CMMC, and other compliance audits.
Signed Rules of Engagement: authorization and scope documentation
Tester Identity & Timing: who tested, when, and from where
Timestamped Findings: all findings with unique IDs and timestamps
Evidence Screenshots: proof of findings (redacted as needed)
Remediation Verification: before/after evidence for retests
Risk Acceptance Records: documentation for accepted risks
| Finding | SOC 2 | ISO 27001 (2013 Annex A numbering) | CMMC |
|---|---|---|---|
| WEB-001 | CC6.1 (Logical Access) | A.9.4.1 (Information Access Restriction) | AC.L2-3.1.1 |
| WEB-002 | CC6.6 (Logical Access, External Threats) | A.14.1.2 (Securing Application Services) | IA.L2-3.5.2 |
| WEB-003 | CC7.2 (System Operations, Monitoring) | A.12.6.1 (Technical Vulnerability Management) | SI.L2-3.14.1 |
Disclaimer: Control mappings are provided as guidance to support audit preparation. They do not constitute certification or guarantee compliance. Consult with your auditor for authoritative mapping decisions.
This assessment identified security concerns primarily related to authorization controls and session management. The development team has addressed the high and medium severity findings, with verification confirming effective remediation.
Opsfolio recommends annual comprehensive assessments with quarterly targeted testing aligned to major releases. Contact your account team to discuss continuous testing arrangements.
Review our professional RoE template to understand how we structure engagements for safety, clarity, and compliance.
Penetration Testing Authorization Template
TEMPLATE DOCUMENT - CUSTOMIZE FOR YOUR ENGAGEMENT
This template provides a framework for establishing rules of engagement for penetration testing engagements. Customize all bracketed fields for your specific environment.
This document establishes the rules of engagement for a penetration testing assessment of [CLIENT ORGANIZATION NAME]'s systems and applications. It defines the scope, constraints, and protocols that govern the testing activities.
This engagement will be considered successful upon delivery of a comprehensive report containing identified findings, risk assessments, remediation guidance, and supporting evidence suitable for audit purposes.
IMPORTANT: Testing may only commence after this document has been signed by an authorized representative of the client organization with appropriate authority to authorize security testing activities.
"[CLIENT ORGANIZATION NAME] hereby authorizes [TESTING ORGANIZATION] to perform penetration testing activities against the systems and applications defined in the Scope section of this document, during the testing window specified herein."
Client Approver: [NAME], [TITLE], [DATE], Signature: ____________
Testing Lead: [NAME], [TITLE], [DATE], Signature: ____________
Primary Contact: [NAME], [PHONE], [EMAIL]
Escalation Contact: [NAME], [PHONE], [EMAIL]
| Asset Type | Target | Description |
|---|---|---|
| Domain/Application | [app.example.com] | [Primary web application] |
| API Endpoint | [api.example.com] | [REST API v2 endpoints] |
| IP Range | [192.168.1.0/24] | [Internal network segment] |
Add additional rows as needed for your scope.
Production: [Read-only / Limited / Full]
Staging: [Read-only / Limited / Full]
Development: [Read-only / Limited / Full]
Maximum scan rate: [X requests/second]
Concurrent connections: [X maximum]
Start Date: [DATE]
End Date: [DATE]
Testing Hours: [HH:MM - HH:MM TZ]
Timezone: [UTC/EST/PST]
The testing team will be notified of any scheduled maintenance, deployments, or change freeze periods that may affect testing activities.
If testing activities trigger security alerts or incident response procedures, the testing team will [coordinate with / notify] the client's security operations team via [METHOD].
All reports and evidence artifacts will redact: personally identifiable information (PII), credentials, API keys, and any data that could enable unauthorized access if disclosed.
Testing artifacts will be retained for [X months/years] in secure storage. Upon expiration, all materials will be securely deleted with written confirmation.
All evidence is stored in Opsfolio's secure evidence management system with role-based access controls, audit logging, and encryption. Evidence artifacts are available for compliance audits upon authorized request.
Critical or high-severity findings that pose immediate risk will be reported within [X hours] of discovery via:
Either party may invoke an emergency stop at any time by contacting the designated emergency contact. Testing will cease immediately upon notification and will not resume until both parties agree in writing.
Client Side: Primary [NAME]; Technical [NAME]; Executive [NAME]
Testing Side: Lead Tester [NAME]; Project Manager [NAME]; Escalation [NAME]
Retesting of remediated findings is included for [HIGH/CRITICAL] severity findings within [X days] of the client's notification that remediation is complete.
Retest results will be documented in an addendum to the original report, including before/after evidence and updated finding status. All retest evidence will be stored in the Opsfolio Evidence Pack.
Disclaimer: This template is provided for informational purposes. Organizations should consult with legal counsel to ensure compliance with applicable laws and regulations in their jurisdiction.
All testing activities are performed with explicit written authorization from the client organization. Testing will be conducted only against assets explicitly included in the defined scope.
This engagement is designed to support compliance with [FRAMEWORK(S)] requirements. Findings and evidence artifacts will be structured to facilitate audit preparation. Note: Penetration testing supports but does not guarantee compliance.
Standard limitation of liability terms as defined in the Master Services Agreement apply to this engagement. Both parties agree to handle any disputes through [ARBITRATION/MEDIATION/JURISDICTION].
Both parties agree to act in good faith throughout this engagement. The testing organization will exercise reasonable care to avoid disruption to business operations, and the client organization will provide reasonable access and support for testing activities.
By signing below, both parties acknowledge and agree to the terms and conditions outlined in this Rules of Engagement document.
Client Organization
Authorized Representative
Title
Date
Signature
Testing Organization
Authorized Representative
Title
Date
Signature