Sample product security testing report

A redacted example of what Appsecco delivers after scoped, non-disruptive testing of apps, APIs, cloud/IAM, and AI integrations - structured findings, evidence, and fix guidance you can share internally.

Read-only preview with no client data and no commitment required.

What's inside

Each section is structured to make internal review straightforward and follow-up work clear.

  • Executive summary and scope

    Risk themes, business impact, and a clear record of what was tested and what was out of scope.

  • Methodology overview

    How testing was performed, the assumptions used, and the evidence standard applied.

  • Findings with evidence

    Reproducible steps, supporting artifacts, and severity rationale for each issue.

  • Cloud, IAM, and Kubernetes posture

    Key configuration observations with prioritized fixes and ownership clarity.

  • Remediation guidance

    Practical code or configuration changes, plus validation steps to confirm the fix.

  • Audit-ready appendices

    Screenshots, request/response snippets, and references that make reviews defensible.

  • Attestation letter (optional)

    A signed letter can be provided on request for compliance needs.

Preview the attack-chain narrative

The report walks through how an attacker moves through your product, then ties each step to the exact test method used. This is why Appsecco tests the way it does: to capture realistic paths, not isolated alerts.

Example finding

Each finding is written so reviewers can see impact, evidence, and the fix path without extra context.

PST-2024-017 | Severity: High | Category: Authorization

Cross-tenant access through mis-scoped object filters

This redacted example shows how the report connects a specific test to a clear, defensible conclusion.

CVSS v3.1 base score: 8.1 / 10
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Network-accessible, low attack complexity, requires only low-privilege authentication (any ordinary tenant account), no user interaction, scope unchanged. High confidentiality and integrity impact, no availability impact: an attacker can read and modify data belonging to other tenants.

Business Impact

If exploited, an attacker could access or modify data belonging to another customer. For a B2B SaaS product, this is a trust-breaking event that could trigger breach notifications, contract penalties, and customer churn.

Technical Impact

The API accepts a tenant_id in the request body without validating it against the authenticated user's org. Any authenticated user can create, read, or modify resources scoped to any tenant in the system.

Evidence

A crafted request to the `/api/tests` endpoint with `tenant_id` set to tenant B in the JSON body is accepted even though the `X-Org-ID` request header identifies the authenticated caller as tenant A. The 201 response confirms the resource was created under tenant B.

Request:

    POST /api/tests HTTP/1.1
    Host: app.██████.com
    X-Org-ID: tenant-A-id
    Content-Type: application/json

    {"tenant_id": "tenant-B-id", "name": "test"}

Response:

    HTTP/1.1 201 Created

    {"id": "███", "tenant_id": "tenant-B-id", "status": "created"}

Remediation

Enforce tenant checks at the data-access layer and add an integration test to prevent regression.

  1. Add server-side tenant validation to all write endpoints
  2. Add row-level security or equivalent query scoping
  3. Write integration tests that attempt cross-tenant operations
  4. Review all endpoints that accept tenant_id as a parameter

# Before (vulnerable): tenant_id is taken straight from the request body
def create_test(params):
    return Test.create(**params)

# After (fixed): the body's tenant_id must match the authenticated user's tenant;
# .get() also rejects a missing tenant_id instead of raising KeyError
def create_test(params, current_user):
    if params.get('tenant_id') != current_user.tenant_id:
        raise AuthorizationError('Cross-tenant access denied')
    return Test.create(**params)

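The following is an added, self-contained example (not the report's or the client's code) of remediation steps 1 to 3 carried through together: the tenant is taken from the authenticated principal rather than the request body, every read and write in the data-access layer is scoped by that tenant (application-level row-level security), and a regression test replays the cross-tenant create from the evidence section and additionally attempts to read and modify the other tenant's row. The `Principal`, `TenantScopedRepo` and `cross_tenant_regression` names and the in-memory store are assumptions for illustration; in a real service the repository would be the ORM or a database policy.

```python
"""Added example: tenant scoping at the data-access layer plus a
cross-tenant regression test. Names and the in-memory store are
assumptions for illustration, not the project's own code."""
import itertools
from dataclasses import dataclass


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # comes from the verified session/token, never from the body


@dataclass
class TestRecord:
    id: str
    tenant_id: str
    name: str


class TenantScopedRepo:
    """Every query is filtered by the caller's tenant. A row belonging to
    another tenant is indistinguishable from a missing row, so neither the
    data nor its existence leaks across tenants."""

    def __init__(self):
        self._rows: dict[str, TestRecord] = {}
        self._ids = itertools.count(1)

    def create(self, principal: Principal, name: str) -> TestRecord:
        # tenant_id is set from the principal; callers cannot choose it
        rec = TestRecord(id=f"t{next(self._ids)}", tenant_id=principal.tenant_id, name=name)
        self._rows[rec.id] = rec
        return rec

    def get(self, principal: Principal, rec_id: str):
        rec = self._rows.get(rec_id)
        if rec is None or rec.tenant_id != principal.tenant_id:
            return None  # out-of-tenant rows look like 404, not 403
        return rec

    def update_name(self, principal: Principal, rec_id: str, name: str):
        rec = self.get(principal, rec_id)  # scoped read first, then write
        if rec is None:
            return None
        rec.name = name
        return rec


def create_test(repo: TenantScopedRepo, principal: Principal, body: dict) -> TestRecord:
    """Handler logic for POST /api/tests. A client-supplied tenant_id is
    never trusted: if present it must equal the authenticated tenant,
    otherwise the request is rejected before any data access."""
    claimed = body.get("tenant_id")
    if claimed is not None and claimed != principal.tenant_id:
        raise AuthorizationError("Cross-tenant access denied")
    name = body.get("name")
    if not isinstance(name, str) or not name:
        raise ValueError("name is required")
    return repo.create(principal, name)


def cross_tenant_regression() -> dict:
    """Regression test mirroring the finding: a tenant-A user tries to
    create in tenant B, then read and modify B's row. Returns the outcome
    of each attempt so a test harness can assert on it."""
    repo = TenantScopedRepo()
    alice = Principal("u1", "tenant-A-id")   # constructed sample principals
    bob = Principal("u2", "tenant-B-id")
    bobs_row = repo.create(bob, "bob-test")
    results = {}
    try:
        create_test(repo, alice, {"tenant_id": "tenant-B-id", "name": "test"})
        results["create_denied"] = False
    except AuthorizationError:
        results["create_denied"] = True
    results["read_denied"] = repo.get(alice, bobs_row.id) is None
    results["update_denied"] = repo.update_name(alice, bobs_row.id, "changed") is None
    results["owner_row_unchanged"] = repo.get(bob, bobs_row.id).name == "bob-test"
    own = create_test(repo, alice, {"tenant_id": "tenant-A-id", "name": "mine"})
    results["own_tenant_create_ok"] = own.tenant_id == "tenant-A-id"
    return results


if __name__ == "__main__":
    print(cross_tenant_regression())
```

The regression function should fail loudly if any value is not `True`; wiring it into CI is what turns step 3 of the remediation into a durable control rather than a one-off retest.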
References
  • OWASP Top 10: A01 Broken Access Control
  • CWE-639: Authorization Bypass Through User-Controlled Key

Download the sample report

Use this redacted PDF to review the structure, evidence standards, and fix guidance. No form required.

If you prefer, we can walk through the report and answer questions. No commitment required.

Or review the Reports & deliverables page.