How to Write a Website Security Report: Template, Structure, and Scoring
A website security report is the deliverable that bridges the gap between technical findings and business decisions. Whether you are writing for a client, for your own organization, or for a compliance audit, the same structure applies: lead with business risk, support with technical evidence, close with a prioritized remediation plan. This guide covers the complete structure, a CVSS-based scoring approach, and how to produce the data efficiently.
Scan your site in 60 seconds — it's free: ZeriFlow →
Who Reads a Security Report and What They Need
Before writing a word, understand your audience. A website security assessment report typically has two types of readers:
Executives and decision-makers (CEO, CTO, Board): They need to know the overall risk level, what it means for the business, and what it will cost (time, money, effort) to address. They do not need to know what a Strict-Transport-Security header is. They do need to know "an attacker could hijack any user session on the platform."
Technical implementers (developers, DevOps, IT): They need precise technical detail — which header is missing, what the correct value is, where to add it, and how to verify the fix.
A well-structured security report serves both audiences. The executive summary speaks to risk and business impact. The findings section speaks to technical specifics. The remediation plan bridges them.
The Structure: Seven Sections
Section 1: Cover Page and Metadata
- Report title: "Website Security Assessment — [Client/Project Name]"
- Date of assessment
- Prepared by: name, organization, contact
- Assessment scope: URLs tested, environments included/excluded
- Assessment type: automated scan, manual penetration test, or hybrid
- Report classification: Confidential (most security reports should be)
- Report version: v1.0 (reports get revised as findings are addressed)
Section 2: Executive Summary
The executive summary is the most important section. Many stakeholders will read only this section. It must:
- 1State the overall risk level in plain language: Critical / High / Medium / Low
- 2Summarize the nature of the risk in business terms (not technical terms)
- 3Call out the 2–3 most significant findings
- 4State the recommended immediate actions
- 5Provide a sense of remediation effort (days, weeks, months)
Example executive summary for a medium-risk finding:
"The security assessment of [company.com] conducted on April 25, 2026 identified a total of 14 findings across the organization's primary web presence. One finding was rated High severity: the absence of email authentication controls (DMARC) means that attackers can send emails that appear to originate from [company.com] without detection by most email providers. This represents a significant phishing and brand impersonation risk. Two findings were rated Medium severity, related to missing browser security controls. The remaining 11 findings were rated Low. Remediation of all High and Medium findings is estimated to require 4–6 developer-hours and should be completed within one sprint cycle."
Section 3: Scope and Methodology
Precisely define what was tested and what was not. This section protects you legally and sets expectations:
- In scope: Production URLs, staging environment (if applicable), specific API endpoints
- Out of scope: Internal systems, third-party integrations, mobile applications (unless specified)
- Testing period: Date range of active testing
- Tools and methods: List the tools used (e.g., ZeriFlow for configuration scanning, OWASP ZAP for application testing, manual review of authentication flows)
- Limitations: What could not be verified (authenticated areas if credentials were not provided, server-side code logic)
- Rules of engagement: Any constraints on testing (no active exploitation, testing only during off-peak hours)
Section 4: Summary of Findings
A table format works well here. One row per finding:
| ID | Title | Severity | Status |
|---|---|---|---|
| F-001 | DMARC Policy Not Configured | High | Open |
| F-002 | Missing Content-Security-Policy Header | Medium | Open |
| F-003 | HSTS max-age Below 1 Year | Medium | Open |
| F-004 | X-Content-Type-Options Header Missing | Low | Open |
| F-005 | TLS 1.1 Still Supported | Low | Open |
Follow this with a severity distribution chart or brief statement: "1 High, 2 Medium, 11 Low."
Section 5: Detailed Findings
Each finding gets its own subsection. Use a consistent format:
Finding ID: F-001
Title: DMARC Policy Not Configured
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Affected URL: mail domain: company.com
Status: Open
Description:
The domain company.com does not have a DMARC record published in DNS.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
enables receiving mail servers to verify that emails claiming to originate
from company.com have been authorized by the domain owner.
Business Impact:
Without DMARC, any attacker can send emails that appear to come from
any @company.com address. These emails will be accepted by most mail
providers and will show no warning to recipients. This enables phishing
attacks targeting customers, partners, and employees using company.com
as the apparent sender.
Technical Evidence:
DNS query for _dmarc.company.com returns NXDOMAIN (no record found).
Screenshot: [Attach scan output showing missing record]
Remediation:
1. Publish a DMARC TXT record at _dmarc.company.com
2. Begin with p=none policy with a rua reporting address to collect data
3. After 4–6 weeks of monitoring, move to p=quarantine
4. After confirming no legitimate mail is affected, move to p=reject
Recommended Record (initial):
v=DMARC1; p=none; rua=mailto:dmarc-reports@company.com
Effort Estimate: 30 minutes (DNS change + monitoring setup)
References: RFC 7489, dmarc.orgThis structure scales from a single automated scan finding to a complex manual penetration test result. The consistent format makes reports scannable by both technical and non-technical readers.
Section 6: Risk Scoring with CVSS
CVSS (Common Vulnerability Scoring System) is the industry standard for rating vulnerability severity. Using it makes your reports comparable across engagements and defensible to auditors.
CVSS 3.1 Base Score components:
| Metric | Options | What It Captures |
|---|---|---|
| Attack Vector (AV) | Network / Adjacent / Local / Physical | How the attacker reaches the vulnerability |
| Attack Complexity (AC) | Low / High | How difficult the attack is to execute |
| Privileges Required (PR) | None / Low / High | What access the attacker needs before exploiting |
| User Interaction (UI) | None / Required | Does a victim need to do something? |
| Scope (S) | Unchanged / Changed | Does the vulnerability cross a security boundary? |
| Confidentiality (C) | None / Low / High | Impact on data confidentiality |
| Integrity (I) | None / Low / High | Impact on data integrity |
| Availability (A) | None / Low / High | Impact on availability |
CVSS score ranges:
| Score | Severity |
|---|---|
| 9.0–10.0 | Critical |
| 7.0–8.9 | High |
| 4.0–6.9 | Medium |
| 0.1–3.9 | Low |
| 0.0 | Informational |
Use the NVD CVSS Calculator to compute scores. Always include the vector string (e.g., AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) so readers can verify or adjust your scoring.
For configuration findings (missing headers, insecure cookies), apply CVSS conservatively — a missing X-Frame-Options header on a site with no sensitive forms is lower severity than the same missing header on a banking application. CVSS is a guideline, not a formula that replaces judgment.
Section 7: Remediation Plan
The remediation plan answers "what do we do now and in what order?"
Structure:
Immediate actions (within 24–48 hours): Critical findings only. Things where active exploitation is likely if not patched immediately.
Short-term (within 1 sprint / 2 weeks): High findings. Things that should be fixed before the next deployment goes out.
Medium-term (within 1–2 months): Medium findings. Important but not emergency fixes.
Backlog (next quarter): Low findings. Address in normal development cadence.
For each item, include: finding ID, what needs to be done, who owns it, estimated effort, and how to verify the fix.
Verification step: After remediation, re-run the scan that produced the original finding and attach the clean result to the report as evidence of closure. For automated configuration findings, a ZeriFlow re-scan takes 60 seconds and produces a shareable report that can be attached as closure evidence.
Using ZeriFlow as Your Data Source
For the configuration layer — TLS, security headers, cookie flags, DNS, DMARC — ZeriFlow is the most efficient way to populate a security report's finding list.
Workflow: 1. Run the ZeriFlow scan on the target URL 2. Export or screenshot the findings 3. For each flagged item, use the finding template above 4. Add business impact context that the scanner cannot provide (what does this mean for this specific client's risk profile?) 5. Append the scan screenshot as technical evidence in the findings section
The scan produces verified, reproducible evidence in 60 seconds — far faster than manual checking and less prone to the "I didn't notice it was missing" errors of manual review.
For the remediation verification step, re-run the scan after fixes and attach the before/after comparison to close findings with evidence.
FAQ
Q: How long should a security report be?
A: Long enough to cover the findings thoroughly, short enough to be read. A report for a basic website with 10–15 findings should be 8–15 pages. A full penetration test report for a complex SaaS application might run 30–50 pages. The executive summary should always be 1–2 pages maximum, regardless of report length.
Q: Should I use CVSS for every finding, including informational ones?
A: CVSS is designed for vulnerabilities with real exploitability. For informational findings (best practices not implemented, but no direct attack path), note them as "Informational" without a CVSS score. Not every observation needs to be scored as a vulnerability.
Q: How do I present findings to a client who pushes back on severity ratings?
A: Ground your ratings in CVSS vectors and reference external sources (OWASP, NVD). If a client wants to reduce a severity rating, document their rationale as a risk acceptance statement in the report. The key phrase: "The following findings have been accepted as risk by [stakeholder name, date] for the following reasons: [reason]." This protects you and creates an audit trail.
Q: What format should the report be delivered in?
A: PDF for formal client delivery (preserves formatting, harder to accidentally modify). Word/Google Doc for collaborative reports where the client needs to add status updates. Never deliver a security report as an unencrypted email attachment — use a password-protected PDF or a secure file sharing service.
Q: How do I handle a critical finding discovered mid-assessment?
A: Notify the client immediately via phone or secure channel — do not wait for the formal report. Document the verbal notification in the report. Critical findings (active exploitation risk) warrant immediate escalation outside the normal report delivery timeline.
Conclusion
A professional website security report follows a consistent structure: metadata and scope, executive summary in plain language, summary table of findings, detailed findings with CVSS scoring, and a prioritized remediation plan with verification steps. The structure is the same whether you are reporting three findings from a configuration scan or thirty from a full penetration test.
The fastest way to populate the configuration layer of any security report is an automated scan that covers TLS, headers, cookies, DNS, and email security in one pass. Use the findings as the technical evidence base, then add the business impact context that makes the report actionable.
Start your free ZeriFlow scan → — no credit card, instant results.