Mr Elite

Posted on • Originally published at securityelites.com

DVWA Pentest Report Lab 2026 — Write a Professional Penetration Test Report From Your DVWA Findings | Hacking Lab2



Part of the DVWA Complete Lab Series

⚠️ Lab Environment Only: The findings documented in DVWA Pentest Report Lab come from DVWA running on your own local machine. Report writing skills transfer to authorised engagements only. Never document findings from systems you do not have explicit written authorisation to test.

I have reviewed hundreds of pentest reports submitted by junior practitioners applying for roles on my team. The pattern is consistent: the technical work is solid — they found real vulnerabilities, they exploited them cleanly, they have the screenshots. But the reports do not communicate what they found. The executive summary is three bullet points that mention SQL injection and XSS without explaining why those things matter to the business. The findings are technically accurate but the remediation sections say “implement proper input validation.” The CVSS scores are missing or wrong. The report does not tell the story that makes a client act.

Report writing is the skill that closes the gap between finding vulnerabilities and getting paid to find them. A client cannot implement what they cannot understand. A hiring manager cannot evaluate skills they cannot read. Lab 28 is where you document everything you found in DVWA Labs 1 through 27 in a professional deliverable format — the same structure I use for client engagements. By the end of this lab you will have a complete pentest report you can show in interviews, submit as a portfolio piece, and adapt as a template for your first paid engagement.

🎯 What You’ll Master in Lab 28

Write a professional executive summary that communicates risk to a non-technical audience
Calculate accurate CVSS v3.1 scores for each DVWA finding category
Write complete technical finding write-ups with evidence, reproduction steps, and remediation
Structure a full pentest report in the format used by professional consultancies
Write specific source-informed remediation recommendations (from Lab 27 source code review)
Produce a portfolio-ready report document that demonstrates professional competency

⏱️ Lab 28 · 3 exercises · Writing + DVWA + Report tool of choice

✅ Prerequisites

- Lab 27 — Source Code Review — your remediation recommendations will cite the Impossible-level source code as the correct fix; Lab 27 knowledge is required
- Screenshots from at least 5 DVWA labs (SQL injection, XSS, command injection, CSRF, file inclusion) ready for the evidence section
- Burp Suite HTTP request/response captures from your DVWA sessions — the requests go in the evidence appendix
- A word processor, Google Docs, or Markdown editor — the report format is your choice

📋 DVWA Pentest Report Lab 28 — Contents

1. Professional Report Structure — The Complete Template
2. Executive Summary — Writing for Non-Technical Readers
3. CVSS v3.1 Scoring — Getting the Numbers Right
4. Technical Finding Write-Up — The Complete Format
5. Evidence Documentation — Screenshots and Request Captures
6. Remediation Recommendations — Specific and Actionable

Labs 1 through 27 built your technical exploitation and source review skills across every major DVWA vulnerability class. Lab 28 is the capstone — turning everything you found into a document that communicates those findings professionally. The DVWA lab series concludes at Lab 30 with advanced exploitation chaining. This report becomes the documentation for that chain as well.

Professional Report Structure — The Complete Template

Professional penetration test reports follow a consistent structure across the industry. The structure matters because clients and their security teams know what to expect and where to find specific information. Deviating from it adds friction. Here is the complete section order I use on every engagement.

PENTEST REPORT STRUCTURE — COMPLETE SECTION ORDER

── SECTION 1: COVER PAGE ──────────────────────────────────────

Report Title: Web Application Penetration Test Report
Client: [Client Name]
Engagement Dates: [Start Date] — [End Date]
Report Date: [Delivery Date]
Prepared By: [Name / Organisation]
Classification: CONFIDENTIAL

── SECTION 2: EXECUTIVE SUMMARY (1 page max) ──────────────────

Overall risk rating, findings count by severity, key message
Written for non-technical audience — no jargon

── SECTION 3: SCOPE AND METHODOLOGY ──────────────────────────

Targets tested, testing approach, tools used, testing period
What was out of scope, any testing constraints

── SECTION 4: FINDINGS SUMMARY TABLE ─────────────────────────

Finding | Severity | CVSS Score | Status
All findings in one table — sortable by severity

── SECTION 5: TECHNICAL FINDINGS (one sub-section per finding)

5.1 [Critical Finding Title] — CVSS 9.8
5.2 [High Finding Title] — CVSS 8.0
5.3 [Medium Finding Title] — CVSS 5.3
[… continue for all findings, severity descending]

── SECTION 6: REMEDIATION ROADMAP ────────────────────────────

Priority order for remediation, estimated effort per finding
Quick wins (low effort, high impact) listed first

── APPENDIX A: TOOL OUTPUT ────────────────────────────────────

Raw Burp Suite exports, Nmap output, SQLMap output if used

── APPENDIX B: METHODOLOGY REFERENCES ────────────────────────

OWASP Testing Guide version, CVSS v3.1, any relevant CVEs

🧠 EXERCISE 1 — THINK LIKE A HACKER (20 MIN · NO TOOLS)
Triage and Severity-Rank All Your DVWA Findings Before Writing

⏱️ 20 minutes · No tools needed — just your lab notes

Before writing a word of the report, professional pentesters triage all findings and sort them by severity. Getting the severity wrong changes the client’s response — a Critical that is filed as Medium gets deprioritised. A Low that is filed as Critical creates panic where none is needed. Work through this triage exercise before opening your report template.
