The terms a pentest report puts in front of your CTO and your auditor.

Glossary of penetration testing terms

Authenticated penetration testing

Penetration testing performed while logged in as a real application user. Tests authorization, privilege escalation, and tenant-isolation controls that an unauthenticated tester cannot reach.

Attestation letter

A signed letter on the testing firm’s letterhead summarizing the engagement scope, dates, and high-level results. Used as evidence in SOC 2, ISO 27001, and customer trust packages.

BOLA (Broken Object-Level Authorization)

An API vulnerability where the server returns or modifies data for an object the requesting user is not authorized to access, typically by trusting an ID supplied in the request. Listed as API1 in the OWASP API Security Top 10.

BFLA (Broken Function-Level Authorization)

An API vulnerability where the server lets a lower-privileged user invoke an endpoint or action intended for admins or privileged roles. API5 in the OWASP API Security Top 10.

CC-series control

A Common Criteria control under the AICPA Trust Services Criteria. CC1–CC9 cover control environment, communication, risk, monitoring, logical access, system operations, change management, and risk mitigation. CC4.1, CC6.1, CC6.6, CC7.1, and CC4.2 are where pentest evidence most commonly lands.

CIS Benchmarks

Hardening guidelines published by the Center for Internet Security for operating systems, cloud providers, containers, and applications. Cloud pentest findings are typically mapped to the relevant CIS Benchmark.

CVE (Common Vulnerabilities and Exposures)

A standardized identifier for a publicly disclosed software vulnerability, issued by MITRE. Pentest reports cite CVEs to identify known issues in third-party software dependencies.

CVSS v3.1 (Common Vulnerability Scoring System)

A 10-point severity score used to rank vulnerabilities by exploitability and impact. Base scores can be adjusted using environmental and temporal metrics to reflect the actual risk in a specific deployment.

CWE (Common Weakness Enumeration)

A taxonomy of software-weakness categories maintained by MITRE. Where a CVE identifies a specific instance, a CWE identifies the underlying class of bug — useful for mapping multiple findings to a single root cause.

Engagement letter

The signed scope-of-work document that defines what will be tested, when, by whom, what is in and out of scope, and the rules of engagement. Always reviewed before any testing begins.

External penetration test

Testing performed from outside the customer’s network boundary — what an internet-based attacker can reach, fingerprint, and exploit. Required under PCI DSS 11.4.3 and expected under SOC 2 CC6.6.

Internal penetration test

Testing performed from inside the customer’s network — what an attacker with an initial foothold (compromised laptop, malicious insider) can reach. Required under PCI DSS 11.4.2.

OWASP ASVS (Application Security Verification Standard)

A controls catalog from OWASP that defines verification requirements for web applications across three rigor levels. Used as the methodology baseline for most web-application pentests.

OWASP Top 10

The most widely cited list of web-application security risks, refreshed every 3–4 years by OWASP. Every web pentest at minimum covers the current Top 10.

PTES (Penetration Testing Execution Standard)

A seven-phase methodology covering pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. A common methodology reference auditors look for in a pentest report.

Red team operation

An objective-based adversary simulation that tests not just vulnerabilities but detection and response capability. Aligned to MITRE ATT&CK. Distinct from a penetration test, which is scope-driven and findings-driven.

Retest

A targeted re-engagement that verifies whether previously reported findings have been remediated. Findings are then marked Closed, Partially Remediated, or Open. CyberGuards includes one retest in every engagement at no additional cost.

Segmentation testing

A specific class of internal testing that validates whether network or cloud segmentation actually isolates in-scope systems from out-of-scope environments. Required annually under PCI DSS 11.4.5, every six months for service providers under 11.4.6.

SOC 2 Type I vs Type II

Type I assesses whether controls are designed correctly at a point in time. Type II assesses whether they operated effectively over an examination period (typically 6–12 months). Pentest evidence supports both, but Type II audits expect it as part of the observation-period record.

System boundary

The set of systems, processes, and people in scope for a SOC 2 or ISO 27001 audit. The pentest scope should track the system boundary defined in the customer’s scope statement.

Trust Services Criteria (TSC)

The AICPA framework underlying SOC 2 audits. Comprises Security (mandatory) plus four optional categories — Availability, Confidentiality, Processing Integrity, Privacy. Pentest evidence primarily supports Security; supports Availability and Confidentiality only when explicitly scoped.

Vulnerability scan vs penetration test

A vulnerability scan is automated and finds known-signature issues. A penetration test is manual and finds business-logic, authorization, and chained-exploit issues that scanners miss. Auditors typically treat scans as supplementary evidence and pentests as primary evidence under CC7.1.