If you are thinking about engaging a security consulting company, at some point you will probably be wondering what you will get out of it. Asking to view a sample report is a common request. After all, the report will contain your take-aways, making it one of the most critical parts of the engagement. In fact, you should think twice about working with any security company who refuses this type of request.
Not all reports are the same, so it is important to review the sample to determine if it meets your needs. If it doesn't, don't be afraid to ask for modifications. Many security companies (including us, of course) are more than happy to make accommodations as needed.
For more details on deliverables, feel free to read What is the deliverable from a pentest article.
We want to have a sample that is as realistic as possible, without needing to redact details. The report below used a known vulnerable application, OWASP® Juice Shop. This target allows the report to have the information that is customarily redacted.
To be clear, though, we did not perform an exhaustive test of Juice Shop. There are a couple of reasons. First, no one wants to read the enormous number of pages that would generate. Second, we did not want to ruin the fun of testing Juice Shop during a training class or as a hobby.