This is a sample report for evaluation only. All client identifiers, IP addresses, hosts, and findings have been replaced with clearly fictional or REDACTED data. No real client data appears anywhere in this document. This report does not certify compliance with any standard.

What your report actually looks like

This is the real deliverable format — executive summary, detailed findings mapped to NIST 800-171, and a prioritized remediation roadmap. Client data is fully redacted.

Sample — Redacted
Penetration Test Report
Northwind Fabrication LLC — REDACTED

Prepared For: Northwind Fabrication LLC — REDACTED
Prepared By: Rimrock Security
Engagement Dates: 2026-04-07 – 2026-04-11
Report Version: 1.0 — Final
Classification: Confidential
Testing Type: External Black-Box / Web Application
Section 01

Executive Summary

Overall Risk Rating: High

Rimrock Security performed an external network and web-application penetration test of Northwind Fabrication LLC's internet-facing infrastructure between April 7 and April 11, 2026. The objective was to identify and safely demonstrate vulnerabilities that a real attacker could exploit, and to assess readiness against relevant NIST 800-171 controls. We identified 6 findings across four severity tiers. Most notably, a chained attack path allowed an unauthenticated external attacker to gain administrative access to an internal management portal — demonstrating that automated scanning alone would have understated the true risk.

Top Priorities — Next 30 Days
  1. Rotate all administrative credentials and enforce phishing-resistant MFA on every externally exposed interface (Critical — 4.1).
  2. Apply vendor security patches to the perimeter VPN appliance and restrict management access to internal jump host (High — 4.2).
  3. Require MFA for the supplier portal login and audit all service accounts for excessive privilege (High — 4.3).
Severity Count: Critical 1, High 2, Medium 2, Low 1, Informational 0
Section 02

Scope & Authorization

In Scope — Networks: REDACTED/28 (external IP block)
In Scope — Domains: REDACTED — primary domain + 2 subdomains
In Scope — Applications: Supplier portal, VPN gateway, admin console
Out of Scope: Production manufacturing OT network; third-party SaaS; employee personal devices
Testing Type: External black-box / web application (grey-box for portal)
Authorization: Signed Rules of Engagement and Authorization Letter dated 2026-04-03. Emergency contact: REDACTED
Section 03

Methodology

Testing followed PTES (Penetration Testing Execution Standard), NIST SP 800-115, and the OWASP Testing Guide v4.2 across six phases: scoping and threat modeling, passive reconnaissance, active scanning and enumeration, vulnerability analysis, exploitation and attack-path chaining, and post-exploitation impact assessment. All findings were manually validated to eliminate false positives before inclusion in this report.

  • Passive recon: OSINT, certificate transparency, DNS enumeration, breach-credential lookups (HaveIBeenPwned, credential stuffing lists)
  • Active scanning: port and service enumeration, TLS configuration analysis, web application crawling and parameter discovery
  • Exploitation: authenticated and unauthenticated vulnerability chaining; no destructive payloads were executed; all access was limited to demonstrating impact
  • Post-exploitation: lateral movement simulation; no data was exfiltrated; findings were documented and access was terminated

See Appendix A for the full tool inventory.

Section 04

Findings

4.1 Critical

Reused Administrative Credentials Enable Internal Access

CVSS Score: 9.1 (Critical)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Affected Asset: Admin console — REDACTED
NIST 800-171 Controls: 3.5.7, 3.1.1, 3.5.3
Description

An exposed administrative login at [REDACTED] accepted credentials recovered from an unrelated, publicly disclosed breach (2024). Because the same username and password combination was reused across systems, an external attacker could authenticate without any prior internal access or brute-force activity — the login succeeded on the first attempt using breach data.

Impact

Full administrative control of the management console provided a direct pivot point into the internal server segment. Combined with Finding 4.2 (unpatched VPN appliance), this enabled authenticated lateral movement to [REDACTED internal segment] without triggering any existing monitoring alerts.

Evidence: Screenshot / Request-Response — REDACTED
Reproduction Steps
  1. Query publicly available breach databases for the target domain to retrieve candidate credential pairs.
  2. Navigate to [REDACTED admin URL] — the interface is publicly reachable with no IP restriction or rate limiting.
  3. Authenticate using recovered credentials. Observe full administrative access to [REDACTED function].
  4. From the admin console, use the built-in file manager to pivot to the internal file share at [REDACTED].
Remediation
  • Force an immediate password reset for all administrative accounts; screen new passwords against known-breached lists (HaveIBeenPwned API) — addresses NIST 3.5.7.
  • Enroll all external admin interfaces in phishing-resistant MFA (FIDO2/hardware key, or TOTP as a minimum) — addresses NIST 3.5.3.
  • Restrict the admin console to an allow-listed IP range (internal VPN egress or known admin workstation IPs) — addresses NIST 3.1.1.
  • Implement failed-login alerting and account lockout (5 attempts) on all externally exposed management interfaces.
Remediation Priority: Immediate — within 7 days
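How the breach-list screening in the first remediation item works, shown as an added example that is not Rimrock's code: the Pwned Passwords range lookup sends only the first five hex characters of the password's SHA-1 to the service and compares the remaining 35 characters locally, so the password itself never leaves the host. The range response body below is constructed so the example runs offline; the API host and path are assumptions.

```python
import hashlib
from typing import Dict

# Constructed sample of a Pwned Passwords "range" response body: one
# "SUFFIX:COUNT" line per known hash sharing the queried 5-character prefix.
# The middle suffix is the real SHA-1 tail of "password"; the counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E4E8B9AA2DA4C77BC8DA4C1B9D7C1A6F3A:4\r\n"
)


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_path(password: str) -> str:
    """Request path for the k-anonymity lookup (assumed API layout; host omitted)."""
    prefix, _ = sha1_prefix_suffix(password)
    return f"/range/{prefix}"


def parse_range(body: str) -> Dict[str, int]:
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in the breach corpus (0 if never)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)


def password_accepted(password: str, range_body: str, min_length: int = 12) -> bool:
    # Screening rule for the forced reset: any breach hit at all rejects the password.
    return len(password) >= min_length and breach_count(password, range_body) == 0
```

In production the caller fetches the body for `range_path(password)` from the API and passes it to `breach_count`; the comparison stays on the reset endpoint.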
4.2 High

Unpatched VPN Appliance Exposes Pre-Auth RCE

CVSS Score: 8.1 (High)
CVE Reference: CVE-2024-REDACTED
Affected Asset: VPN gateway — REDACTED
NIST 800-171 Controls: 3.14.1, 3.14.2, 3.1.12
Description

The perimeter VPN appliance was running firmware two major versions behind the vendor's current release. The installed version contains a publicly documented pre-authentication remote code execution vulnerability disclosed in Q3 2024. Exploit code is available in the wild. The management interface was reachable directly from the internet with no IP restriction.

Impact

A remote unauthenticated attacker could execute arbitrary commands on the VPN appliance, intercept VPN tunnels, harvest credentials in transit, and pivot to the internal LAN segment. This vulnerability was used in combination with Finding 4.1 during the engagement to demonstrate chained lateral movement.

Evidence: Version banner / PoC command output — REDACTED
Remediation
  • Apply the vendor's latest firmware update immediately; subscribe to vendor security advisories — addresses NIST 3.14.1 and 3.14.2.
  • Restrict the VPN management interface to a dedicated internal jump host; remove public internet reachability — addresses NIST 3.1.12.
  • Verify no indicators of compromise exist on the appliance prior to patching (check for unauthorized admin accounts, unusual cron jobs, or unexpected outbound connections).
Remediation Priority: Immediate — within 7 days
4.3 High

Supplier Portal Lacks Multi-Factor Authentication

CVSS Score: 7.5 (High)
Affected Asset: Supplier portal — REDACTED
NIST 800-171 Controls: 3.5.3, 3.1.1
Description

The externally accessible supplier portal authenticates users with username and password only. No MFA enrollment is required or offered. The portal exposes order status records, delivery schedules, and part specifications that may contain Controlled Unclassified Information (CUI). No account lockout was observed after repeated failed login attempts — credential stuffing attacks would proceed without friction.

Impact

An attacker with access to a single compromised supplier credential (available via breach databases) could access CUI-adjacent records without triggering any lockout, potentially placing the organization in violation of DFARS 252.204-7012 and NIST 800-171 control 3.5.3.

Remediation
  • Require MFA enrollment for all supplier portal accounts prior to granting access to any data — addresses NIST 3.5.3.
  • Implement account lockout after 5 consecutive failed attempts with a 15-minute cooldown and alerting to IT.
  • Audit supplier accounts for any that have not logged in within 90 days; disable or remove stale accounts to reduce the attack surface — addresses NIST 3.1.1.
Remediation Priority: Short-Term — within 30 days
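The lockout policy from the second remediation item (5 consecutive failures, 15-minute cooldown, alert to IT) replayed over a portal authentication log, as an added example that is not Rimrock's or the portal's own code. The log lines, account names and source addresses are constructed; the line format is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                  # consecutive failures, per finding 4.3
LOCKOUT_DURATION = timedelta(minutes=15)

# Constructed sample auth log: a burst against one supplier account, a success
# that should have been refused during the cooldown, and a success after it.
SAMPLE_LOG = """\
2026-04-09T10:00:01Z LOGIN_FAIL user=acme-supplier src=203.0.113.10
2026-04-09T10:00:03Z LOGIN_FAIL user=acme-supplier src=203.0.113.10
2026-04-09T10:00:05Z LOGIN_FAIL user=acme-supplier src=203.0.113.10
2026-04-09T10:00:07Z LOGIN_FAIL user=acme-supplier src=203.0.113.10
2026-04-09T10:00:09Z LOGIN_FAIL user=acme-supplier src=203.0.113.10
2026-04-09T10:00:11Z LOGIN_OK   user=acme-supplier src=203.0.113.10
2026-04-09T10:05:00Z LOGIN_FAIL user=globex-parts  src=198.51.100.7
2026-04-09T10:05:02Z LOGIN_OK   user=globex-parts  src=198.51.100.7
2026-04-09T10:20:00Z LOGIN_OK   user=acme-supplier src=203.0.113.10
"""


def parse_line(line):
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields["user"], fields["src"]


def evaluate(log_text):
    """Replay the log through the lockout policy. Returns the alerts IT should
    have received and any login processed while the account should have been locked."""
    fails = defaultdict(int)
    locked_until = {}
    alerts, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        if user in locked_until and ts < locked_until[user]:
            # Policy: refuse every attempt during the cooldown, valid password or not.
            blocked.append((user, ts.isoformat()))
            continue
        if event == "LOGIN_FAIL":
            fails[user] += 1
            if fails[user] >= LOCKOUT_THRESHOLD:
                locked_until[user] = ts + LOCKOUT_DURATION
                fails[user] = 0
                alerts.append({"user": user, "src": src, "locked_until": locked_until[user].isoformat()})
        else:
            fails[user] = 0      # a success resets the consecutive-failure count
    return {"alerts": alerts, "blocked": blocked}
```

Running `evaluate(SAMPLE_LOG)` yields one alert for acme-supplier and flags the 10:00:11 success as a login the portal should have refused; globex-parts never reaches the threshold.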
4.4 Medium

Verbose Error Pages Disclose Stack Traces and Internal Paths

CVSS Score: 5.3 (Medium)
Affected Asset: Web application — REDACTED
NIST 800-171 Controls: 3.13.3
Description

Triggering an application error (e.g., submitting a malformed request) causes the web application to return a full stack trace including the server-side framework version, absolute file system paths, database connection string parameters (without credentials), and the names of internal software components. This information materially assists an attacker's reconnaissance and was instrumental in identifying the attack vectors exploited in this engagement.

Remediation
  • Disable debug mode and verbose error reporting in the production web application configuration; return generic error pages with a reference code instead of stack traces.
  • Ensure error details are logged server-side and accessible to developers without being surfaced to end users or in HTTP responses.
Remediation Priority: Short-Term — within 30 days
4.5 Medium

TLS 1.0 / 1.1 Enabled on External Web Server

CVSS Score: 5.9 (Medium)
Affected Asset: Web server — REDACTED
NIST 800-171 Controls: 3.13.8, 3.13.10
Description

The external web server accepts connections over TLS 1.0 and TLS 1.1, both of which are deprecated and known to be vulnerable to protocol downgrade attacks (POODLE, BEAST). NIST SP 800-52 Rev. 2 and PCI DSS 4.0 both require disabling TLS versions prior to 1.2. TLS 1.3 support was not observed.

Remediation
  • Disable TLS 1.0 and TLS 1.1 in the web server and load balancer configuration; require TLS 1.2 as a minimum — addresses NIST 3.13.8 and 3.13.10.
  • Enable TLS 1.3 support and prefer ECDHE cipher suites with forward secrecy. Validate the configuration with the SSL Labs Server Test (target grade A or A+).
Remediation Priority: Medium-Term — within 90 days
4.6 Low

Missing Security Headers on Public-Facing Web Properties

CVSS Score: 3.7 (Low)
Affected Asset: All public-facing domains — REDACTED
NIST 800-171 Controls: 3.13.3
Description

HTTP responses from all tested web properties were missing recommended security headers: Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy. While these headers alone do not represent exploitable vulnerabilities, their absence reduces defense-in-depth and can facilitate clickjacking and cross-site scripting attacks if other vulnerabilities arise.

Remediation
  • Add a restrictive Content-Security-Policy, X-Frame-Options: DENY, and Referrer-Policy: strict-origin-when-cross-origin to all web server or CDN configurations.
  • Use securityheaders.com to validate the resulting header set post-deployment.
Remediation Priority: Low-Term — within 90 days
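A local check for the header set this finding asks for, as an added example that is not Rimrock's code and not a substitute for securityheaders.com: it reports the four headers named above when missing, flags weak values, and inspects the CSP for a missing default-src or an inline/wildcard script source. Both response header sets are constructed (a "before" resembling the finding and an "after" resembling the remediation).

```python
# Baseline taken from the remediation text of finding 4.6. A value set of None
# means "must be present; the value is checked separately or not at all".
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "referrer-policy": {"strict-origin-when-cross-origin", "strict-origin",
                        "no-referrer", "same-origin"},
    "permissions-policy": None,
}


def audit_headers(headers):
    """Return a list of (header, problem) tuples for one HTTP response's headers."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    for name, allowed in REQUIRED_HEADERS.items():
        if name not in lower:
            problems.append((name, "missing"))
        elif allowed is not None and lower[name].upper() not in {a.upper() for a in allowed}:
            problems.append((name, f"weak value: {lower[name]}"))
    csp = lower.get("content-security-policy", "")
    if csp:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            problems.append(("content-security-policy", "no default-src fallback"))
        # script-src inherits from default-src when absent
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script or "*" in script.split():
            problems.append(("content-security-policy", "script-src permits inline or wildcard sources"))
    return problems


# Constructed responses: what the tested properties looked like, and the remediated set.
BEFORE = {"Server": "nginx", "Content-Type": "text/html"}
AFTER = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```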
Section 05

NIST 800-171 / CMMC Control Mapping

The table below maps each finding directly to the NIST SP 800-171 Rev. 2 controls it violates or weakens. This table is intended to serve as supporting evidence for your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) submissions.

Finding | Severity | 800-171 Controls | Control Description | Status
4.1 — Reused admin credentials | Critical | 3.5.7, 3.1.1, 3.5.3 | Password complexity & reuse; limit system access; MFA for privileged access | Not Met
4.2 — Unpatched VPN appliance | High | 3.14.1, 3.14.2, 3.1.12 | Flaw remediation; security alerts & patches; monitor remote access | Not Met
4.3 — Supplier portal — no MFA | High | 3.5.3, 3.1.1 | MFA for network access to CUI systems; limit system access to authorized users | Not Met
4.4 — Verbose error pages | Medium | 3.13.3 | Employ architectural designs and implementation that promote security | Partially Met
4.5 — TLS 1.0 / 1.1 enabled | Medium | 3.13.8, 3.13.10 | Implement cryptographic mechanisms to protect CUI in transit; manage cryptographic keys | Not Met
4.6 — Missing security headers | Low | 3.13.3 | Employ architectural designs and implementation that promote security | Partially Met
Section 06

Remediation Roadmap

Priority | Window | Findings | Recommended Owner | Key Actions
Immediate | 7 days | 4.1, 4.2 | IT / MSP — REDACTED | Force credential rotation; enable MFA on admin console; patch VPN firmware; restrict management interfaces to internal IPs
Short-Term | 30 days | 4.3, 4.4 | IT / Dev Team — REDACTED | Enforce MFA on supplier portal; implement account lockout; disable debug/verbose errors in production; audit stale accounts
Medium-Term | 90 days | 4.5, 4.6 | IT / Web Dev — REDACTED | Disable TLS 1.0/1.1; enable TLS 1.3; deploy security headers on all public-facing properties; validate with SSL Labs and securityheaders.com

Included re-test: Rimrock Security will re-test all remediated findings at no additional charge within 30 days of the client notifying us of completion. Re-test results are documented in a follow-up addendum and can be included in POA&M evidence packages.
Section 07

Appendices

Appendix A: Tools & Approach
Nmap, Burp Suite Pro, testssl.sh, Nikto, OSINT framework (HaveIBeenPwned, Shodan, crt.sh). All exploitation was performed manually; no automated exploit frameworks were run against production systems.

Appendix B: Tested Hosts & Endpoints
Full list of tested IP addresses, hostnames, URLs, and application endpoints. Fully REDACTED in this sample version.

Appendix C: Glossary
Plain-language definitions for non-technical readers: CVSS scoring, attack path, lateral movement, CUI, POA&M, SSP, and DFARS 252.204-7012.

Appendix D: Engagement Contacts & Authorization
Copies of the signed Authorization Letter, Rules of Engagement, and engagement-period emergency contact information. Fully REDACTED in this sample version.

Ready to see what's in your network?

Every engagement delivers a report like this one — actionable findings, NIST 800-171 mapping, and a clear roadmap your team can execute.
