Pentest quality assurance
a structured QA pass before any report ships

Every finding is checked against its CVSS 3.1 vector and the environment context. The reviewer challenges the call when the attack vector, attack complexity, privileges required, scope, and impact metrics do not line up with the evidence on the finding. A draft severity inflated by tooling defaults or a default risk matrix gets corrected before the executive summary inherits the wrong headline number.

Reproduction steps are concrete, payloads are sanitised, screenshots show the relevant state rather than the whole desktop, and request and response captures are attached on the finding. The reviewer reads each entry as a developer would, and asks for a second screenshot or a curl reproduction wherever the evidence stops short of letting an engineer reproduce the issue without messaging the tester.

Remediation guidance is verified for developer-readiness. Generic copy ("apply input validation", "follow least privilege") is rewritten to point at the specific configuration, library, or code path that needs to change. The 300+ remediation template library is the starting point, not the ceiling. The reviewer trims, sharpens, and adds the environment-specific note that turns guidance into an action.

The reviewer checks for finding-level duplication that survived the import or the tester pass. The same TLS misconfiguration filed twice under two titles, or two findings against the same parameter under different CWEs, is consolidated before delivery. Duplicate-prone patterns get cross-checked against the workspace history so the deliverable counts each issue once.

Each finding is checked against its CWE ID and, where applicable, its OWASP Top 10 or OWASP ASVS category. Mismatched taxonomy is corrected so downstream filters, remediation roadmaps, and retest scoping operate on a consistent vocabulary. Compliance evidence requests against ISO 27001, SOC 2, PCI DSS, or CREST audits expect this alignment to hold.

The reviewer confirms each finding sits inside the agreed scope, references the correct asset, and is consistent with the methodology section of the report. Out-of-scope findings either get repositioned (informational, accepted-risk, or follow-up advisory) or removed. Methodology drift between what was agreed and what got tested is flagged for the engagement lead before sign-off.

Reviewer comments live in Slack, Teams, or email rather than on the finding. Three weeks later, nobody can answer why severity was downgraded, why a finding was dropped, or which version of the report the engagement lead actually approved. The audit trail starts at the published PDF rather than at the QA conversation that shaped it.

The engagement closes with the report shipped, but the engagement record does not capture who reviewed it. CREST, ISO 27001, and client procurement audits all expect a named technical reviewer separate from the test author. Without it, the firm cannot demonstrate independent QA when an auditor asks.

A reviewer rebases severity on intuition rather than working through the CVSS 3.1 vector against the evidence. The first call is replaced with a different first call. The next reviewer disagrees again. Severity churn between reviewers signals that the team is calibrating against vibes rather than against the documented metrics.

The reviewer signs off on Tuesday, the tester edits three findings on Wednesday, and the report ships on Thursday with the original sign-off attached. The approval points at the wrong version. Tying sign-off to the engagement state at approval time, with a state freeze on findings until publication, prevents this drift.

When QA is one pass through the document with no loop back to the tester, comments either get applied silently (the reviewer never sees the resolution) or get ignored (the comment is closed because the deadline arrived). A multi-pass loop with explicit comment resolution status keeps both sides accountable.

A finding without a reproduction step, without a request and response capture, or without a clean screenshot still gets shipped because the deadline pressure overruled the reviewer flag. Three months later the client cannot reproduce, the regression is missed, and the firm is on the hook for a finding it cannot defend.

The tester who logged the findings during the engagement. Owns reproduction evidence, severity drafts, and the first pass at remediation guidance. Resolves QA comments by editing the finding directly, attaches additional evidence the reviewer asks for, and pushes back with a rationale on the finding when severity calls are contested.

A senior tester who did not run the engagement. Walks every finding for the six review dimensions, leaves comments inline, and either resolves or escalates each one with the engagement lead. Independent of the test author so the firm can demonstrate separation of duties to clients and auditors.

Owns the deliverable, signs off when the QA bar is met, and records the approval against the engagement. Adjudicates open comments where the test author and the peer reviewer disagree, captures the decision rationale on the affected finding, and confirms the executive summary headline reconciles with the technical findings count.

For regulated engagements (CREST, financial sector TLPT, public-sector contracts), an additional compliance reviewer confirms methodology, scope, and evidence handling line up with the framework. SecPortal records this review as a separate role on the engagement so the audit trail distinguishes technical QA from compliance QA.

QA takes the output of scanner result triage and pentest evidence management once the test is closed, and feeds the signed deliverable into pentest report delivery and retesting. When a delivered finding gets contested, pentest finding dispute resolution picks up the same record and runs an independent re-evaluation rather than letting the pushback live in email.

QA is one phase inside pentest project management. The reviewer reads each finding against the methodology categories, schedule, and entry and exit criteria captured in the engagement test plan, so methodology drift and coverage gaps surface against the same plan the team was scoped on. The engagement lead schedules QA against the delivery deadline, names the reviewer, and tracks comment-resolution progress alongside scope, evidence, and findings on the same record.

Severity calls are documented against the CVSS vector, evidence supports outsider reproduction, remediation is developer-ready, and the executive summary reconciles with the technical findings. When a client asks why a finding was rated High, the answer is on the finding rather than in someone is memory.

Named reviewer, comment history, severity rationale, sign-off timestamp, and approved report version all live on the engagement record. CREST, ISO 27001, and client procurement audit answers come from the record rather than from a reconstruction.