Sample Report · Anonymised

What you get back.
Walked through, not handed over.

Below is a structural walkthrough of the AxVeil VAPT report. All data, URLs, and findings on this page are illustrative — clearly labelled Sample — and do not refer to any real engagement. A redacted real sample is available after a short NDA.

  • Findings: 24 · across web + API surface
  • Test days: 12 · manual-led, tool-assisted
  • Endpoints: 180+ · enumerated & in scope
  • Retest: Incl. · one round, no extra fee

01 — Executive Summary

One page. Board-ready. Risk in business language.

The executive summary is the only page most non-technical stakeholders will read. It opens with a single risk verdict, lists the top three findings in plain English, and closes with a prioritised remediation queue. No CVSS jargon, no hex colour-coded matrices — just what an executive needs to make a decision.

Sample · Anonymised

Findings by Severity

Total

24

  • Critical: 1 (4%)
  • High: 3 (13%)
  • Medium: 6 (25%)
  • Low: 9 (38%)
  • Informational: 5 (21%)

Sample data — severity counts are illustrative, not from a real engagement.

Sample · Anonymised

Engagement Executive Summary

Acme SaaS Inc. · Web + API VAPT · Q3 sample window

Risk verdict

HIGH — REMEDIATION REQUIRED

Top Three Findings

01
Critical

Authentication bypass on /api/v2/admin via header injection

Full administrative takeover reachable pre-auth from the public internet.

02
High

Server-side request forgery in document-import flow

Cloud metadata service reachable; IAM credential exfiltration path confirmed.

03
High

IDOR on /api/v2/users/{id}/invoices

Cross-tenant invoice disclosure; PII and billing data exposed.

Remediation Priorities

  1. P1 · Patch the header-trust logic on the admin API surface — short-term mitigation via WAF rule, permanent fix in middleware.
  2. P2 · Restrict the document-import worker's outbound network to an allow-list of known dependencies; deny 169.254.169.254 explicitly.
  3. P3 · Replace sequential IDs on the invoice resource with opaque UUIDs and enforce tenant scoping on every query.

02 — Technical Finding Card

One finding, every detail your engineers need.

Every finding ships in a structured card with the same fields — title, severity, CVSS v3.1 vector, CWE, OWASP mapping, affected endpoint, evidence, remediation, and retest status. Below is the full anatomy of one card; in the report itself, each finding occupies one to three pages depending on the complexity of the chain.

Sample · Anonymised · FND-002

Server-side request forgery in document-import flow

HIGH

CVSS v3.1

8.6

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-918

OWASP

A10:2021 / API7:2023

Business Impact

An authenticated low-privilege user can coerce the import worker into reaching the cloud metadata service, exposing a path to IAM credential theft and lateral movement into the customer's cloud account.

Affected Endpoint

POST https://app.example-sample.test/api/v2/documents/import

Reproducible Evidence

Sample request — anonymised host, redacted token

POST /api/v2/documents/import HTTP/1.1
Host: app.example-sample.test
Authorization: Bearer eyJhbGc[...]REDACTED
Content-Type: application/json

{ "source_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/" }

Sample response — IAM role name returned (redacted)

HTTP/1.1 200 OK
Content-Type: application/json

{ "status": "imported", "preview": "ec2-app-worker-role-REDACTED\n" }

Remediation Steps

  1. Validate the source_url against an allow-list of approved external hostnames before fetching.
  2. Deny outbound requests to RFC1918 ranges, link-local (169.254.0.0/16), and the cloud metadata service from the import worker.
  3. Use IMDSv2 with hop-limit 1 on the underlying EC2 / equivalent compute to defeat unauthenticated metadata access.
  4. Add a regression test that asserts the import endpoint refuses metadata-style URLs.
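Remediation steps 1, 2 and 4 as they would look inside the import worker, as an added example (not AxVeil's or the sample customer's code); `ALLOWED_HOSTS` is a constructed allow-list and `validate_source_url` / `import_allowed` are names chosen here. The resolver is injectable so the step 4 regression test can pin DNS answers and run offline, including the case where an allow-listed name resolves to an internal address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real worker would load this from config.
ALLOWED_HOSTS = {"docs.partner-sample.test", "cdn.partner-sample.test"}

# Address ranges the import worker must never reach, whatever DNS answers.
DENIED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # link-local, incl. 169.254.169.254
    "127.0.0.0/8", "0.0.0.0/8",                       # loopback / "this" network
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 loopback, ULA, link-local
    "::ffff:0:0/96",                                  # IPv4-mapped IPv6 (re-checked below)
)]


def validate_source_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return url if the worker may fetch it; raise ValueError with the reason otherwise.

    resolver has the getaddrinfo signature so tests can substitute pinned answers.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError("host not on allow-list")   # also rejects bare IP literals
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for info in resolver(host, port):
        addr = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 scope id
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped                  # check the embedded IPv4 address
        if any(addr in net for net in DENIED_NETS):
            raise ValueError(f"{host} resolves to denied address {addr}")
    # The caller should connect to the checked address rather than re-resolve,
    # which closes the DNS-rebinding window between this check and the fetch.
    return url


def import_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    """Regression-test helper: True only when validate_source_url accepts the url."""
    try:
        validate_source_url(url, resolver)
        return True
    except ValueError:
        return False
```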

Retest Status

Closed — re-validated 22 days post-remediation

03 — Methodology Behind the Findings

Every finding is the output of a repeatable process.

A report is only as credible as the method that produced it. AxVeil engagements are manual-led and tool-assisted, mapped to recognised standards at every phase — so the deliverable is defensible to your auditors, not a wall of scanner output.

  1. Scoping & threat modelling

    Map the attack surface, agree rules of engagement, and prioritise the assets that matter to the business before a single packet is sent.

    • PTES
    • OWASP WSTG
    • MITRE ATT&CK
  2. Reconnaissance & enumeration

    Enumerate endpoints, auth flows, roles, and trust boundaries — combining automated discovery with manual review of every distinct surface.

    • OWASP WSTG-INFO
    • OSSTMM
  3. Manual-led exploitation

    Operators chain weaknesses by hand — auth bypass, SSRF, IDOR, injection — proving real impact rather than reporting scanner noise.

    • OWASP Top 10
    • OWASP API Top 10
    • CWE
  4. Validation & scoring

    Every finding is reproduced, captured with evidence, and scored on CVSS v3.1 with the full vector so triage is defensible to auditors.

    • CVSS v3.1
    • CWE
  5. Reporting & retest

    Deliver the report, walk your team through remediation, then re-validate fixes and update each finding's retest status — at no extra cost.

    • SOC 2
    • ISO 27001
    • PCI DSS v4.0
04 — Compliance Crosswalk

Findings mapped to the controls your auditor will ask about.

Each finding is mapped to the relevant controls across SOC 2, ISO 27001, PCI DSS v4.0, and India's DPDP Act 2023. Auditors and customer-trust teams typically request the crosswalk first; the technical detail follows.

Finding                         SOC 2          ISO 27001        PCI DSS v4.0    DPDP Act 2023
FND-001 Authentication bypass   CC6.1, CC6.6   A.5.15, A.8.3    Req. 8.2, 8.3   Sec. 8(4), 8(5)
FND-002 SSRF in import flow     CC6.6, CC7.1   A.8.20, A.8.23   Req. 1.3, 6.2   Sec. 8(5)
FND-003 IDOR cross-tenant       CC6.1, CC6.3   A.5.15, A.8.3    Req. 7.2, 8.2   Sec. 8(4), 9(1)
FND-004 Stored XSS in profile   CC7.1          A.8.28           Req. 6.2.4      Sec. 8(5)
FND-005 Outdated TLS ciphers    CC6.7          A.8.24           Req. 4.2        Sec. 8(5)

Sample data — control IDs are illustrative

05 — Format Options

Same data. Three formats. No version skew.

Reports ship in PDF, JSON, and CSV — generated from the same source-of-truth dataset. There is no risk of the spreadsheet saying one thing and the PDF saying another.

PDF

.pdf

Signed deliverable for board, audit, and customer-trust packages.

Cryptographically signed; matches the JSON / CSV exports byte-for-byte on findings data.

JSON

.json

Machine-readable ingestion into your vulnerability-management platform or ticketing system.

Schema documented in the engagement appendix; one finding per object, CVSS v3.1 vector preserved.

CSV

.csv

Spreadsheet triage for engineering leads who want to filter by severity, owner, or service.

Columns: id, severity, title, cvss_score, cvss_vector, cwe, owasp, owner, status, retest_status.

Want to see the real thing?

A redacted real sample report is available after a short mutual NDA. Drop us a line — we'll send the NDA template, and the sample lands in your inbox the same business day.