Back to DocsRecipe

Recipe: Pentest finding write-up

A repeatable structure for turning raw vulnerability data into client-ready findings that drive remediation.

Ingredients

  • Raw finding notes (affected host, port, payload, response)
  • Screenshot or request/response pair
  • CVSS 3.1 vector string
  • Remediation guidance from vendor or OWASP

Structure

  1. Title [Severity] Vulnerability Name on Asset
  2. Executive Summary — two sentences: what is broken and the business impact.
  3. Technical Details — affected endpoint, HTTP method, payload, observed behavior.
  4. Evidence — inline screenshot or code block showing the exploit.
  5. CVSS Score — vector, base score, and environmental modifiers if applicable.
  6. Remediation — actionable steps with configuration snippets or patch references.
  7. References — CWE, OWASP, vendor advisory links.

Example

[High] Reflected XSS on app.target.com/search

The search parameter reflects unsanitized input into the DOM, allowing script execution in a victim's browser.

GET /search?q=<script>alert(1)</script> returns the payload verbatim inside a <div> without encoding.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N — 6.1 Medium

Remediation: apply context-aware output encoding via DOMPurify or equivalent library.

This recipe is part of the Meridian methodology library. Use it as a starting point and adapt severity ratings to your client's risk appetite.