[ METHODOLOGY / SAMPLE.DELIVERABLE ]

Every finding, reproducible.
Every remediation, exact.

Our reports are written to be read — by executives, developers, auditors, and your future self 18 months from now. Here's the structure every engagement ships with.

> REPORT STRUCTURE

Six sections.

01 Executive Summary
Board-ready narrative. 1–2 pages. Risk posture, critical paths, remediation priority.

02 Engagement Overview
Scope, rules of engagement, timeline, data handled, safety rails invoked.

03 Findings
Every finding: severity, CVSS, impact, reproducible evidence, exact remediation, retest criteria.

04 Attack Narrative
How we chained findings into a coherent story an attacker would actually follow.

05 Remediation Roadmap
Prioritised backlog: quick wins, systemic fixes, architectural recommendations.

06 Appendix
Tool output, raw evidence, test IDs, framework mapping tables, chain-of-custody.

> FINDING TEMPLATE

What a single finding looks like.

Each finding carries enough context that any engineer on your team could reproduce, remediate, and verify without our help.

finding_F-042.md
● CRITICAL CVSS 9.1 · #F-042

Authenticated SSRF → Cloud Metadata → Domain Admin

Impact
Low-privileged authenticated user can escalate to Domain Admin in ~4 minutes via SSRF in the report-preview endpoint, reaching EC2 instance metadata and pivoting to AD through an over-permissive EC2 role.
Evidence
HTTP request/response captures, PoC Python script, 90-second screen recording, IAM policy graph showing privilege path.
Remediation
  1. Validate URL host against allow-list in PreviewController.java:114
  2. Remove iam:PassRole from the webapp EC2 role
  3. Enforce IMDSv2 on all EC2 instances
Retest window
60 days, no additional cost.
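As an added illustration of what remediation step 1 asks for (this is not code from the sample report or from the PreviewController it names), a host allow-list check of the kind the preview endpoint needs. ALLOWED_HOSTS and is_allowed_preview_url are assumed names; the allow-list entries are constructed.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allow-list for a hypothetical report-preview feature; in the real
# fix this is the closed set of hosts the preview service legitimately fetches.
ALLOWED_HOSTS = frozenset({"reports.example.com", "cdn.example.com"})


def is_allowed_preview_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `url` points at an allow-listed host over HTTPS.

    The decision is made on the *parsed* hostname, never on a substring of the
    raw URL, so an allowed name appearing in the path, query or userinfo
    component carries no weight. Anything that does not parse cleanly is
    rejected.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # A URL carrying credentials is not something the preview feature needs.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname          # already lower-cased, IPv6 brackets stripped
    if not host:
        return False
    host = host.rstrip(".")        # "example.com." and "example.com" are one name
    # The allow-list holds DNS names only, so any IP literal (v4 or v6,
    # including link-local instance-metadata addresses) is rejected outright.
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    if port not in (None, 443):
        return False
    return host in allowed_hosts
```

The fetch that follows must also refuse to follow redirects, or re-run this check on every hop, since a validated first request says nothing about where a 302 points.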

[ STUB — link out to redacted PDF sample + per-service deliverable examples per 05-content-matrix.md §9.1 ]
