Sample pentest report

See what a real pentest report looks like.

An anonymised SL7 pentest report: every finding with reproducer, severity rationale, business impact, and fix path. Auditor-ready format. Request from a peer security buyer, not from a BDR.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most 'sample reports' are sanitised marketing assets.

  • Vendor-supplied samples redact the findings and replace them with stock photos. You learn nothing about the work product.

  • Without seeing severity rationale, reproducer style, and remediation tone, buyer evaluation is guesswork.

  • Auditor-ready format is what survives SOC 2 / ISO 27001 review; marketing PDFs are not auditor-ready.

Here is what we ship.

Why teams pick us

A real engagement, redacted but readable.

  • Real findings, anonymised

    Real finding severity, reproducer, and fix path. Customer identifiers and asset names redacted, structure intact.

  • Auditor-format

    Same format auditors accept for SOC 2 CC7.1 and ISO 27001 A.8.8 evidence.

  • Engineer-readable

    Reproducer + 1-3 line fix per finding. Your engineering team will use it.

How it works

Sample to scoping call on your timeline.

  1. Drop your email

    PDF sent to your work email. No sales call unless you ask.

  2. Review with the team

    Pass it around procurement, engineering, and your auditor. The format speaks for itself.

  3. Scoping call when you're ready

    When you're ready, 20-minute scoping call with the lead pentester.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

Full advisories index

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom

Common questions

What buyers ask before they sign.

Will SL7 reach out after?
Only if you check the opt-in. Most buyers review the sample first, schedule the scoping call later.
Is the sample redacted?
Customer identifiers and asset names, yes. Finding severity, reproducer, and fix path stay intact.
Is this the format auditors want?
Yes. Same structure used by buyers across SOC 2 CC7.1 and ISO 27001 A.8.8 evidence files.
Multiple sample reports?
We typically share one. If your evaluation needs a different asset class (mobile, smart contract, red team), ask in the form.
Cost?
Free. We send the PDF to your work email.

Ready to see a real pentest report?

Drop your work email. Anonymised CREST-format sample arrives in your inbox.

CREST · CERT-In · SOC 2 · ISO 27001