Skill reference: security-pentest
The security-pentest skill authors one document genre: a dual-audience
penetration-test report — an Executive Summary for leadership and a Technical
Report for engineers, drawn from a single evidence base, following the
Penetration Testing Execution Standard (PTES) reporting model with an
OWASP-style findings discipline. This reference describes what that document
type is, how the skill produces one, when it earns its place, and the
provenance behind it.
| Property | Value |
|---|---|
| Authors | A dual-audience penetration-test engagement report |
| Purpose group | Regulated & compliance reports |
| MIF conceptType | semantic |
| Target MIF level | 3 |
| Primary source | PTES / OWASP Web Security Testing Guide |
What this document type is
A penetration-test report is a single deliverable that serves both an executive reader and an engineering reader from one evidence base. It opens with a required Authorization & Scope Statement — the engagement authorization, in-scope targets, rules of engagement, and testing window — because this genre is for authorized engagements only. Part 1, the Executive Summary, covers Background, Posture, Risk Profile, General Findings, Recommendation Summary, and Strategic Roadmap at business altitude. Part 2, the Technical Report, covers Information Gathering, Vulnerability Assessment, Exploitation/Confirmation, and Post-Exploitation at operational altitude, and closes with the genre’s center of gravity: a mandatory severity-ranked findings table mapping every surviving finding to a CVSS-scored severity, affected assets, evidence, and remediation. A report without that table is not a conformant penetration-test report.
This is distinct from a controls-vs-framework compliance mapping, from a
tactical single-alert response procedure, and from a strategic multi-incident
coordination procedure — it is an evidence-based, exploitation-verified
engagement report, so it projects to MIF as semantic content at Level 3.
How the skill produces one
security-pentest is a genre skill: it carries the PTES/OWASP-style pattern
as durable instructions plus exemplars, and writes the artifact over a MIF
floor so the result is at once a human-readable engagement report and a
machine-conformant unit.
- Pattern, made operational. The skill encodes the Authorization & Scope Statement plus the two-part structure, and treats the Risk/Remediation findings table as mandatory matter rendered as a Markdown table, never ASCII art or an image. It requires every claim — reconnaissance result, vulnerability, exploitation step, and severity rating — to trace to a finding and its evidence, keeps the two audiences distinct (no exploit primitives in the Executive Summary, no business-only hand-waving in the Technical Report), and requires severity to be scored against a current, cited rubric verified live at authoring time rather than a fixed edition baked in as settled fact.
- Exemplars set the bar. Like every genre in the suite it ships `good-l1.md` (the MIF Level-1 floor), `good.md` (the Level-3 target), `bad.md` (a counter-example missing the findings table), and `evals/evals.json`. The `check-exemplars` gate proves `good-l1.md` validates at L1 and `good.md` at Level 3.
- MIF projection. The document is authored with MIF frontmatter (via the shared `mif-frontmatter` substrate) and a `conceptType` of `semantic`. `mif-validate` proves the Markdown ↔ JSON-LD round-trip is lossless.
When it is beneficial
Reach for security-pentest when the deliverable is an authorized
penetration-test engagement report that must brief executives and equip
remediation engineers from the same evidence base — the severity-ranked
findings table is the artifact’s reason to exist, and exhaustive coverage of
the surviving-findings corpus (never a cherry-picked subset) is what makes the
report trustworthy to both readers.
Do not use it for a controls-vs-framework compliance mapping (NIST CSF /
SP 800-series control coverage, audit attestation) — that is a nist-sp or
compliance-audit genre: framework-driven control assessment, not an
authorized offensive-testing engagement with exploitation evidence. Do not use
it for a tactical, step-by-step response to one alert or incident — that is a
sre-runbook: a reactive operational procedure, not a
scoped, authorized testing engagement with findings and CVSS severity. Do not
use it for a strategic, multi-incident coordination procedure across roles —
that is a playbook: operational coordination, not an
evidence-based engagement report.
Example
A report titled “Penetration Test Report: Brightleaf Retail — External Web Application Assessment” opens with an Authorization & Scope Statement citing the signed statement of work, in-scope hosts, and testing window. The Executive Summary assesses the storefront’s posture as weak given a critical authentication-bypass finding and an unauthenticated staging admin panel exposed to the internet, and closes with a phased Strategic Roadmap. The Technical Report traces reconnaissance that discovered the staging host, vulnerability assessment of a SQL-injection-prone login endpoint, confirmed (not theoretical) exploitation of the authentication bypass, and post-exploitation access to another customer’s order history. The Risk/Remediation table scores all three surviving findings — Critical, High, Medium — against CVSS v4.0, each row citing its affected asset, evidence, and concrete remediation.
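The conformance rules stated under “How the skill produces one” (a required Authorization & Scope Statement, a mandatory Risk/Remediation findings table rendered as a Markdown table, and every row carrying a CVSS-scored severity, asset, evidence and remediation) can be checked mechanically before a draft is handed to `mif-validate`. The following Python lint is an added example, not the mif-docs plugin’s own `mif-validate` or `check-exemplars` tooling. It assumes the report uses Markdown `#` headings named “Authorization & Scope Statement” and “Risk/Remediation”, and a findings table with the columns Finding, Severity, CVSS, Asset, Evidence and Remediation; the sample reports are constructed to mirror the Brightleaf example above, and the CVSS bands are the v4.0 qualitative severity ratings.

```python
"""Lint a dual-audience pentest report draft for the genre's mandatory matter.

Added example: assumes Markdown headings and the six-column findings table
named below. The sample reports at the bottom are constructed, not real.
"""
import re

# Column names assumed for the findings table (the page names the fields, not the headers).
REQUIRED_COLUMNS = ("Finding", "Severity", "CVSS", "Asset", "Evidence", "Remediation")

# CVSS v4.0 qualitative severity bands.
SEVERITY_BANDS = (
    ("None", 0.0, 0.0),
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
)


def severity_for_score(score):
    """Map a numeric CVSS base score to its qualitative rating, or None if out of range."""
    for name, lo, hi in SEVERITY_BANDS:
        if lo <= score <= hi:
            return name
    return None


def section_lines(text, heading):
    """Lines under the first '#' heading containing `heading`; None if no such heading."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("#"):
            if inside:
                break  # next heading ends the section
            inside = heading.lower() in line.lower()
            continue
        if inside:
            out.append(line)
    return out if inside else None


def parse_markdown_table(lines):
    """Return (header, rows) for the first pipe table in `lines`; (None, []) if absent."""
    header, rows = None, []
    for line in lines:
        s = line.strip()
        if not (s.startswith("|") and s.endswith("|")):
            if header is not None:
                break  # table has ended
            continue
        cells = [c.strip() for c in s.strip("|").split("|")]
        if header is None:
            header = cells
        elif all(re.fullmatch(r":?-+:?", c) for c in cells):
            continue  # alignment row
        else:
            rows.append(dict(zip(header, cells)))
    return header, rows


def check_report(text):
    """Return a list of conformance issues; an empty list means the draft passes."""
    issues = []
    if section_lines(text, "Authorization & Scope") is None:
        issues.append("missing Authorization & Scope Statement")
    table_section = section_lines(text, "Risk/Remediation")
    if table_section is None:
        issues.append("missing Risk/Remediation section")
        return issues
    header, rows = parse_markdown_table(table_section)
    if header is None:
        issues.append("Risk/Remediation section has no Markdown findings table")
        return issues
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        issues.append("findings table lacks columns: " + ", ".join(missing))
        return issues
    if not rows:
        issues.append("findings table has no rows")
    for row in rows:
        name = row["Finding"]
        for col in ("Asset", "Evidence", "Remediation"):
            if not row[col]:
                issues.append(f"{name}: empty {col}")
        try:
            score = float(row["CVSS"])
        except ValueError:
            issues.append(f"{name}: CVSS score {row['CVSS']!r} is not numeric")
            continue
        expected = severity_for_score(score)
        if expected is None:
            issues.append(f"{name}: CVSS score {score} outside 0.0-10.0")
        elif expected != row["Severity"]:
            issues.append(f"{name}: severity {row['Severity']} does not match CVSS {score} ({expected})")
    return issues


# Constructed sample drafts; hostnames and SOW id are placeholders.
GOOD_REPORT = """\
# Penetration Test Report: Example Retail (constructed sample)

## Authorization & Scope Statement
Authorized under SOW-PLACEHOLDER; in scope: shop.example.test, staging.example.test.

## Part 1: Executive Summary
Posture assessed as weak; see the Strategic Roadmap.

## Part 2: Technical Report

### Risk/Remediation
| Finding | Severity | CVSS | Asset | Evidence | Remediation |
|---|---|---|---|---|---|
| Authentication bypass on login | Critical | 9.3 | shop.example.test | Finding F-01 | Parameterize queries; add regression test |
| Exposed staging admin panel | High | 8.2 | staging.example.test | Finding F-02 | Restrict to VPN; require authentication |
| Verbose error pages | Medium | 5.3 | shop.example.test | Finding F-03 | Disable debug output in production |
"""
BAD_REPORT = GOOD_REPORT.split("### Risk/Remediation")[0]  # like bad.md: table missing
MISLABELED_REPORT = GOOD_REPORT.replace("| High | 8.2", "| Critical | 8.2")

if __name__ == "__main__":
    for label, draft in (("good", GOOD_REPORT), ("bad", BAD_REPORT), ("mislabeled", MISLABELED_REPORT)):
        print(label, check_report(draft) or "OK")
```

The severity-versus-score check is the one worth keeping in any real gate: a table that looks complete but rates an 8.2 as Critical breaks the “severity scored against a cited rubric” requirement just as surely as a missing row, and it is the kind of drift that survives a human read.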
Provenance & citations
- Genre source — PTES and OWASP: the Penetration Testing Execution Standard’s reporting model, http://www.pentest-standard.org/index.php/Main_Page, combined with OWASP-style findings discipline from the Web Security Testing Guide, https://owasp.org/www-project-web-security-testing-guide/.
- Skill provenance: authored by the `security-pentest` skill in the mif-docs plugin, https://github.com/modeled-information-format/mif-docs-plugin; the skill’s exemplars and `evals/` define and verify the pattern.
- MIF conformance: the document projects to canonical JSON-LD under the MIF specification, https://mif-spec.dev, and is proven lossless by `mif-validate`.
- Index: this skill is one entry in the skills by purpose catalog; its operational-security siblings include sre-runbook and playbook.