How to read a penetration test report
If you've just received your first penetration test report, it can read like a wall of jargon. Here's how to actually use it, and how to tell a serious finding from noise.
Start with severity, not the finding count
A report with forty 'lows' is less urgent than one with a single 'critical.' Severity reflects impact weighted by exploitability. Triage top-down: criticals and highs get fixed now; mediums get planned; lows and informational get logged. Don't let a big number panic you; let severity guide you.
Look for proof, not just a label
The most important part of any finding is the evidence: a concrete proof-of-exploit showing what an attacker could actually do, plus steps to reproduce it. A finding without proof is a guess. If your report is full of unproven 'potential' issues, you got a scan, not a pentest.
- Severity: how bad, weighted by how exploitable.
- CVSS: a standardized 0-10 score; useful for comparison, not gospel.
- CWE: the vulnerability class (e.g., CWE-639 for IDOR).
- Evidence + reproduction: the proof it's real.
- Remediation: the specific fix, not a generic advisory.
Then plan the retest
Fixing a finding isn't done until it's verified closed. A good engagement includes a retest: you remediate, they re-run, and the report is updated to show the issue is actually resolved, which is also what your auditor wants to see.
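The triage the sections above describe, as an added example (not code from the original post or from Uvy): it maps CVSS scores to the standard qualitative severity bands, puts proven findings ahead of unproven ones, assigns the fix-now / plan / log queues, and tracks retest status. The findings, field names and the `app.example` host are constructed for illustration.

```python
# Added example: triage a pentest report severity-first, proof-required, retest-tracked.
from dataclasses import dataclass, field
from typing import List, Optional

# CVSS v3.x qualitative bands (FIRST.org): upper bound of each band and its label.
BANDS = [(0.0, "informational"), (3.9, "low"), (6.9, "medium"), (8.9, "high"), (10.0, "critical")]
# Where each severity lands, per the article: critical/high now, medium planned, rest logged.
QUEUE = {"critical": "fix now", "high": "fix now", "medium": "plan", "low": "log", "informational": "log"}
RANK = {label: i for i, (_, label) in enumerate(reversed(BANDS))}  # critical=0 ... informational=4

def cvss_to_severity(score: float) -> str:
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("CVSS score outside 0-10")

@dataclass
class Finding:
    title: str
    cwe: str
    cvss: float
    evidence: str = ""                      # proof-of-exploit; empty means unproven
    repro: List[str] = field(default_factory=list)
    retest_passed: Optional[bool] = None    # None = not yet retested

    @property
    def proven(self) -> bool:
        return bool(self.evidence) and bool(self.repro)

def triage(findings: List[Finding]) -> List[dict]:
    """Proven findings first, by severity then CVSS; unproven ones go to a 'validate' queue."""
    key = lambda f: (not f.proven, RANK[cvss_to_severity(f.cvss)], -f.cvss)
    status = {None: "open", True: "closed", False: "still open"}
    rows = []
    for f in sorted(findings, key=key):
        sev = cvss_to_severity(f.cvss)
        rows.append({"title": f.title, "cwe": f.cwe, "severity": sev,
                     "queue": QUEUE[sev] if f.proven else "validate",
                     "status": status[f.retest_passed]})
    return rows

SAMPLE = [  # constructed sample findings, not from a real report
    Finding("IDOR on /api/invoices/{id}", "CWE-639", 8.1, evidence="Another tenant's invoice returned",
            repro=["Log in as user A", "GET /api/invoices/1002 (owned by user B)"]),
    Finding("Possible SQL injection (scanner heuristic only)", "CWE-89", 9.8),
    Finding("Verbose stack trace on error page", "CWE-209", 5.3, evidence="Trace in 500 response",
            repro=["GET /checkout?qty=abc"], retest_passed=False),
    Finding("Missing HSTS header", "CWE-319", 3.1, evidence="No Strict-Transport-Security header",
            repro=["curl -I https://app.example"], retest_passed=True),
]
```

Note that the unproven 'critical' from the scanner lands last, in the validate queue: a high CVSS score without evidence does not earn a place at the top of the fix list.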
A report you can hand to your board, your engineers, and your auditor, and have all three understand it, is the whole point.
Uvy reports are written for all three audiences from one validated run: every finding proof-backed, every fix specific, retests included.