
Skill reference: security-pentest

The security-pentest skill authors one document genre: a dual-audience penetration-test report — an Executive Summary for leadership and a Technical Report for engineers, drawn from a single evidence base, following the Penetration Testing Execution Standard (PTES) reporting model with an OWASP-style findings discipline. This reference describes what that document type is, how the skill produces one, when it earns its place, and the provenance behind it.

| Property | Value |
|---|---|
| Authors | A dual-audience penetration-test engagement report |
| Purpose group | Regulated & compliance reports |
| MIF conceptType | semantic |
| Target MIF level | 3 |
| Primary source | PTES / OWASP Web Security Testing Guide |

A penetration-test report is a single deliverable that serves both an executive reader and an engineering reader from one evidence base. It opens with a required Authorization & Scope Statement — the engagement authorization, in-scope targets, rules of engagement, and testing window — because this genre is for authorized engagements only. Part 1, the Executive Summary, covers Background, Posture, Risk Profile, General Findings, Recommendation Summary, and Strategic Roadmap at business altitude. Part 2, the Technical Report, covers Information Gathering, Vulnerability Assessment, Exploitation/Confirmation, and Post-Exploitation at operational altitude, and closes with the genre’s center of gravity: a mandatory severity-ranked findings table mapping every surviving finding to a CVSS-scored severity, affected assets, evidence, and remediation. A report without that table is not a conformant penetration-test report.

This is distinct from a controls-vs-framework compliance mapping, from a tactical single-alert response procedure, and from a strategic multi-incident coordination procedure — it is an evidence-based, exploitation-verified engagement report, so it projects to MIF as semantic content at Level 3.

security-pentest is a genre skill: it carries the PTES/OWASP-style pattern as durable instructions plus exemplars, and writes the artifact over a MIF floor so the result is at once a human-readable engagement report and a machine-conformant unit.

  • Pattern, made operational. The skill encodes the Authorization & Scope Statement plus the two-part structure, and treats the Risk/Remediation findings table as mandatory matter rendered as a Markdown table, never ASCII art or an image. It requires every claim — reconnaissance result, vulnerability, exploitation step, and severity rating — to trace to a finding and its evidence, keeps the two audiences distinct (no exploit primitives in the Executive Summary, no business-only hand-waving in the Technical Report), and requires severity to be scored against a current, cited rubric verified live at authoring time rather than a fixed edition baked in as settled fact.
  • Exemplars set the bar. Like every genre in the suite it ships good-l1.md (the MIF Level-1 floor), good.md (the Level-3 target), bad.md (a counter-example missing the findings table), and evals/evals.json. The check-exemplars gate proves good-l1.md validates at L1 and good.md at Level 3.
  • MIF projection. The document is authored with MIF frontmatter (via the shared mif-frontmatter substrate) and a conceptType of semantic. mif-validate proves the Markdown ↔ JSON-LD round-trip is lossless.
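As an added illustration, not part of the skill or the suite, a small conformance check that applies the pattern above to a Markdown report: it looks for the required headings, the mandatory findings table and its columns, and verifies that each row's CVSS score sits in the band its severity label claims. The section names come from this page; the column keywords, the CVSS v4.0 qualitative bands and the sample report are assumptions.

```python
import re
# Headings the genre requires: the Authorization & Scope Statement plus both parts.
REQUIRED_SECTIONS = [
    "Authorization & Scope Statement", "Executive Summary", "Background",
    "Posture", "Risk Profile", "General Findings", "Recommendation Summary",
    "Strategic Roadmap", "Technical Report", "Information Gathering",
    "Vulnerability Assessment", "Exploitation/Confirmation", "Post-Exploitation",
]
REQUIRED_COLUMNS = ("severity", "cvss", "asset", "evidence", "remediation")
# Assumed: CVSS v4.0 qualitative bands. The skill wants the rubric verified at
# authoring time, so this constant is the thing to re-check, not settled fact.
CVSS_BANDS = {"Critical": (9.0, 10.0), "High": (7.0, 8.9), "Medium": (4.0, 6.9), "Low": (0.1, 3.9)}
# Constructed sample: all required headings plus a table whose row 2 pairs High with a Medium-band score.
SAMPLE = "\n".join(f"# {s}" for s in REQUIRED_SECTIONS) + """
| ID | Severity | CVSS v4.0 | Affected asset | Evidence | Remediation |
|---|---|---|---|---|---|
| F-1 | Critical | 9.3 | login endpoint | request/response log | parameterise queries |
| F-2 | High | 5.1 | staging admin panel | screenshot | remove from internet |
"""

def parse_table(markdown):
    """Return (header, rows) of the first Markdown pipe table; header is lower-cased."""
    lines = [l.strip() for l in markdown.splitlines() if l.strip().startswith("|")]
    if len(lines) < 3:  # header, separator, at least one finding
        return [], []
    cells = lambda line: [c.strip() for c in line.strip("|").split("|")]
    header = [c.lower() for c in cells(lines[0])]
    return header, [dict(zip(header, cells(l))) for l in lines[2:]]

def check_report(markdown):
    """Return conformance problems for a pentest report; an empty list means it passes."""
    headings = [h.strip().lower() for h in re.findall(r"^#+\s*(.+)$", markdown, re.M)]
    problems = [f"missing section: {s}" for s in REQUIRED_SECTIONS
                if not any(s.lower() in h for h in headings)]
    header, rows = parse_table(markdown)
    if not rows:
        return problems + ["missing or empty findings table"]
    # Map each required column to the header cell naming it (None if absent).
    col = {k: next((h for h in header if k in h), None) for k in REQUIRED_COLUMNS}
    problems += [f"findings table lacks column: {k}" for k, h in col.items() if h is None]
    for i, row in enumerate(rows, 1) if None not in col.values() else []:
        sev, cvss = row[col["severity"]], row[col["cvss"]]
        score = re.search(r"\d+(?:\.\d+)?", cvss)
        lo, hi = CVSS_BANDS.get(sev, (None, None))
        if lo is None:
            problems.append(f"row {i}: unknown severity {sev!r}")
        elif not score or not lo <= float(score.group()) <= hi:
            problems.append(f"row {i}: CVSS {cvss!r} is outside the {sev} band")
        problems += [f"row {i}: empty {k}" for k in ("evidence", "remediation") if not row[col[k]]]
    return problems
```

Run against SAMPLE the check reports only the mismatched second row; correcting that score to a High-band value yields an empty problem list.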

Reach for security-pentest when the deliverable is an authorized penetration-test engagement report that must brief executives and equip remediation engineers from the same evidence base — the severity-ranked findings table is the artifact’s reason to exist, and exhaustive coverage of the surviving-findings corpus (never a cherry-picked subset) is what makes the report trustworthy to both readers.

Do not use it for a controls-vs-framework compliance mapping (NIST CSF / SP 800-series control coverage, audit attestation) — that is a nist-sp or compliance-audit genre: framework-driven control assessment, not an authorized offensive-testing engagement with exploitation evidence. Do not use it for a tactical, step-by-step response to one alert or incident — that is an sre-runbook: a reactive operational procedure, not a scoped, authorized testing engagement with findings and CVSS severity. Do not use it for a strategic, multi-incident coordination procedure across roles — that is a playbook: operational coordination, not an evidence-based engagement report.

A report titled “Penetration Test Report: Brightleaf Retail — External Web Application Assessment” opens with an Authorization & Scope Statement citing the signed statement of work, in-scope hosts, and testing window. The Executive Summary assesses the storefront’s posture as weak given a critical authentication-bypass finding and an unauthenticated staging admin panel exposed to the internet, and closes with a phased Strategic Roadmap. The Technical Report traces reconnaissance that discovered the staging host, vulnerability assessment of a SQL-injection-prone login endpoint, confirmed (not theoretical) exploitation of the authentication bypass, and post-exploitation access to another customer’s order history. The Risk/Remediation table scores all three surviving findings — Critical, High, Medium — against CVSS v4.0, each row citing its affected asset, evidence, and concrete remediation.