<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sai Ram Muthineni</title>
    <description>The latest articles on DEV Community by Sai Ram Muthineni (@sai_rammuthineni_097a57a).</description>
    <link>https://dev.to/sai_rammuthineni_097a57a</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3823636%2Fd030b432-0508-4b3b-9df2-e2df4c0542a1.jpg</url>
      <title>DEV Community: Sai Ram Muthineni</title>
      <link>https://dev.to/sai_rammuthineni_097a57a</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sai_rammuthineni_097a57a"/>
    <language>en</language>
    <item>
      <title>How to Calculate a CVSS Score for Pentest Reports</title>
      <dc:creator>Sai Ram Muthineni</dc:creator>
      <pubDate>Tue, 17 Mar 2026 05:11:12 +0000</pubDate>
      <link>https://dev.to/sai_rammuthineni_097a57a/how-to-calculate-a-cvss-score-for-pentest-reports-4pcg</link>
      <guid>https://dev.to/sai_rammuthineni_097a57a/how-to-calculate-a-cvss-score-for-pentest-reports-4pcg</guid>
      <description>&lt;p&gt;CVSS scoring is one of those things most pentesters do by feel until a client or QSA challenges a score. Then you realise you've been guessing.&lt;/p&gt;

&lt;p&gt;CVSS 3.1 is a formula. Once you understand the inputs, the score follows automatically. Here is how it works.&lt;/p&gt;

&lt;p&gt;What CVSS Actually Measures:&lt;br&gt;
CVSS measures the characteristics of a vulnerability itself, not its risk in any specific environment. The base score assumes worst case. The attacker is motivated, the system is internet-facing, no compensating controls exist.&lt;/p&gt;

&lt;p&gt;That matters because clients push back constantly. "We have a WAF." "That system is internal only." Those are environmental factors that affect an adjusted score, not the base score. The base score measures the vulnerability, not the client's deployment.&lt;/p&gt;

&lt;p&gt;The Eight Metrics:&lt;br&gt;
Attack Vector is about how the vulnerability is exploited. Network means it is exploitable remotely. Adjacent needs local network access. Local needs system access. Physical needs hands on the hardware. Most web bugs are Network.&lt;/p&gt;

&lt;p&gt;Attack Complexity is about reliability. Low means the attack works every time with no special conditions. High means specific conditions outside the attacker's control are needed.&lt;/p&gt;

&lt;p&gt;Privileges Required is straightforward. None means no login needed. Low means a regular user account. High means admin access is required.&lt;/p&gt;

&lt;p&gt;User Interaction is either None or Required. None means the attacker does it alone. Required means a victim has to click a link or take some action.&lt;/p&gt;

&lt;p&gt;Scope tells you whether the impact stays within the vulnerable component or spills into other systems.&lt;/p&gt;

&lt;p&gt;Confidentiality, Integrity, and Availability are each rated None, Low, or High. High means total loss of that property.&lt;/p&gt;

&lt;p&gt;How Common Findings Actually Score:&lt;br&gt;
Stored XSS stealing session cookies comes out around 8.2. SQL injection with full database read hits 9.8. An IDOR exposing other users' data lands around 6.5. Self-XSS that requires the victim to paste code themselves drops to around 4.7.&lt;/p&gt;

&lt;p&gt;Always include the full vector string in your report, not just the number. It lets clients and QSAs verify your scoring instead of arguing about it.&lt;/p&gt;

&lt;p&gt;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&lt;/p&gt;

&lt;p&gt;Where People Go Wrong:&lt;br&gt;
Mixing up Attack Complexity with how hard a bug was to find. AC is about reliability of exploitation, not discovery difficulty.&lt;/p&gt;

&lt;p&gt;Setting Scope to Changed when the impact stays within the same component. Changed only applies when exploitation can cross into systems outside the vulnerable component's security boundary.&lt;/p&gt;

&lt;p&gt;Overrating Integrity impact. A note field that reflects input is not High integrity. High means the attacker can modify anything.&lt;/p&gt;

&lt;p&gt;Forgetting User Interaction on reflected XSS. If the victim has to click a link it is Required, which drops the score significantly compared to stored XSS that fires automatically.&lt;/p&gt;

&lt;p&gt;One Last Thing:&lt;br&gt;
If you want to skip doing this manually every time, I built a free CVSS calculator that computes the base score and outputs the full vector string instantly. Try it at pentestreportai.com/cvss-calculator and drop the vector straight into your report.&lt;/p&gt;

</description>
      <category>security</category>
      <category>cybersecurity</category>
      <category>productivity</category>
      <category>automation</category>
    </item>
    <item>
      <title>I spent 4 hours writing a pentest report so I built something to do it in 10 minutes</title>
      <dc:creator>Sai Ram Muthineni</dc:creator>
      <pubDate>Sat, 14 Mar 2026 08:36:13 +0000</pubDate>
      <link>https://dev.to/sai_rammuthineni_097a57a/i-spent-4-hours-writing-a-pentest-report-so-i-built-something-to-do-it-in-10-minutes-5799</link>
      <guid>https://dev.to/sai_rammuthineni_097a57a/i-spent-4-hours-writing-a-pentest-report-so-i-built-something-to-do-it-in-10-minutes-5799</guid>
      <description>&lt;p&gt;Nobody told me how much of this job is just writing reports.&lt;/p&gt;

&lt;p&gt;The pentest itself is done in a day. Then you spend the next two days turning your notes into something a client can actually read. Executive summary, risk ratings, remediation steps, all written in a way that makes sense to both the technical team and the manager who has no idea what a CVE is.&lt;/p&gt;

&lt;p&gt;I got tired of it, so I built PentestReportAI. You dump your raw findings in, pick your format, and a proper report comes out the other side. Not the generic AI garbage that sounds like it was written by a robot, but actually readable professional output that you can send to a client without cringing.&lt;/p&gt;

&lt;p&gt;It saves you the part that actually kills your evening. Paste your findings in, get a clean professional report out. Your data never sits on our servers either; it goes straight to the AI and that's it: nothing stored, nothing logged on our end.&lt;/p&gt;

&lt;p&gt;Free trial at &lt;a href="https://www.pentestreportai.com/" rel="noopener noreferrer"&gt;pentestreportai.com&lt;/a&gt; if you want to try it. Drop any questions below.&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>productivity</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
