// SAMPLE REPORT · PENTEST
Pentest report for api.example.com.
The post-scan output from the new pentest reporting flow: verified domain context, coverage by engine, an executive summary, and normalized findings that teams can act on quickly.
Overall risk: High · Verified domain: example.com
High: 1 finding
Medium: 1 finding
Low: 1 finding
Engines: 2 completed
Failed engines: 0 (no errors)
Coverage: nuclei completed; api-fuzz completed
Executive summary
High: 1 · Medium: 1 · Low: 1 · Failed engines: 0
Findings
High: Wildcard CORS policy on authenticated endpoint
URL: https://api.example.com/user/profile
Evidence: Access-Control-Allow-Origin: *
Remediation: Replace the wildcard with an explicit allow-list of trusted origins, and never reflect an untrusted Origin on responses that also send Access-Control-Allow-Credentials: true.
Medium: OpenAPI spec exposed publicly
URL: https://api.example.com/openapi.json
Evidence: 200 OK without authentication
Remediation: Restrict access to the production spec, or serve a filtered public document that omits internal and admin routes.
Low: Security headers missing on root application
URL: https://api.example.com
Evidence: Missing Content-Security-Policy and X-Frame-Options
Remediation: Add a baseline security header policy (a Content-Security-Policy with a frame-ancestors directive, plus X-Frame-Options for older browsers) and validate it in staging before rollout, since a strict CSP can break legitimate inline scripts.
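As an added example of how raw scanner evidence can be normalized into findings like the three above: this code is written for this page and is not the reporting flow's own implementation. Every URL, header dictionary, status code and the attacker origin are constructed sample data; nothing is fetched from api.example.com. The CORS check also covers the reflected-Origin-with-credentials case the report's remediation warns about, and the header check treats a CSP frame-ancestors directive as superseding X-Frame-Options.

```python
"""Normalize raw HTTP evidence into findings like those in the sample report.

Added example written for this page; it is not code from the reporting product
the page describes. Every input below (URLs, header dictionaries, status codes,
the attacker origin) is constructed sample data. Nothing is fetched from
api.example.com.
"""
from dataclasses import dataclass

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    severity: str
    title: str
    url: str
    evidence: str
    remediation: str


def _lower_keys(headers):
    """Header names are case-insensitive, so normalize them before lookups."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def assess_cors(url, response_headers, request_origin, authenticated, trusted_origins=()):
    """Grade one endpoint's CORS policy from the headers returned to request_origin.

    Reflecting an untrusted Origin while Access-Control-Allow-Credentials is true
    lets any site read the authenticated response, so that is rated critical.
    A bare wildcard is rated high on authenticated endpoints (matching the sample
    report) and low elsewhere. Browsers refuse to expose a credentialed response
    through '*', so the wildcard case is a policy wider than intended rather than
    a cross-site read of cookie-authenticated data.
    """
    h = _lower_keys(response_headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return None
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    evidence = f"Access-Control-Allow-Origin: {acao}"
    if creds:
        evidence += "; Access-Control-Allow-Credentials: true"
    if creds and acao == request_origin and request_origin not in trusted_origins:
        return Finding("critical", "Reflected Origin with credentials on endpoint", url,
                       evidence, "Check Origin against an explicit allow-list and never "
                       "echo untrusted origins while credentials are enabled.")
    if acao == "*":
        kind = "authenticated" if authenticated else "public"
        return Finding("high" if authenticated else "low",
                       f"Wildcard CORS policy on {kind} endpoint", url, evidence,
                       "Replace the wildcard with an explicit allow-list of trusted origins.")
    return None


def assess_spec_exposure(url, status):
    """An OpenAPI document served with 200 to an unauthenticated request is medium."""
    if status != 200:
        return None
    return Finding("medium", "OpenAPI spec exposed publicly", url,
                   f"{status} OK without authentication",
                   "Restrict access to production specs or serve a filtered public document.")


def assess_security_headers(url, response_headers):
    """Report missing baseline headers; CSP frame-ancestors supersedes X-Frame-Options."""
    h = _lower_keys(response_headers)
    csp = h.get("content-security-policy")
    missing = []
    if csp is None:
        missing.append("Content-Security-Policy")
    # X-Frame-Options only matters when CSP does not already restrict framing.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        missing.append("X-Frame-Options")
    if not missing:
        return None
    return Finding("low", "Security headers missing on root application", url,
                   "Missing " + " and ".join(missing),
                   "Add a baseline security header policy and validate it in staging before rollout.")


def overall_risk(findings):
    """Overall risk is the highest severity among the findings, or 'none'."""
    present = [f for f in findings if f is not None]
    if not present:
        return "none"
    return max(present, key=lambda f: SEVERITY_ORDER[f.severity]).severity


def sample_report():
    """Run the checks over constructed evidence mirroring the three findings above."""
    base = "https://api.example.com"
    findings = [
        assess_cors(base + "/user/profile", {"Access-Control-Allow-Origin": "*"},
                    request_origin="https://attacker.example", authenticated=True),
        assess_spec_exposure(base + "/openapi.json", status=200),
        assess_security_headers(base, {"Content-Type": "text/html"}),
    ]
    findings = [f for f in findings if f is not None]
    findings.sort(key=lambda f: -SEVERITY_ORDER[f.severity])
    return overall_risk(findings), findings


if __name__ == "__main__":
    risk, found = sample_report()
    print(f"Overall risk: {risk}")
    for f in found:
        print(f"[{f.severity}] {f.title}\n  {f.url}\n  Evidence: {f.evidence}\n  {f.remediation}")
```

The checks take parsed responses rather than making requests, so the same functions can be run against captured traffic or a scanner's JSON output; the `trusted_origins` allow-list is what keeps a legitimate first-party origin echoed with credentials from being reported.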