How to know when a pen test is complete?

So this is actually a very interesting question for the industry in general. The way I would suggest you handle it is

  • Have something in your contract that disclaims liability for vulnerabilities not noted during testing. Reason for this is, it's basically impossible to be sure that you've found every exploitable issue in a website, or any other system. To pick one example, think of all the sites that were sitting vulnerable to shellshock for years and years, should all the pen test companies who touched one of those sites be liable for not telling their customers?

  • Have a methodology, saying what you will do. This should cover the general areas of testing that will be completed. For websites, consider basing on something like the OWASP Top 10 as a starting point. This gives you some common ground with the customer on what you'll be looking at.

  • Make sure your company covers the basics with a checklist. As @rapli says above, document all the little things, but don't overblow the severity. Whilst it's important to make sure your test isn't just a checklist, using one can avoid embarrassing mistakes where basic tests get missed.

The problem you might/will run into is unrealistic expectations from customers. That one is a case-by-case issue to address. If you get a customer that expects that their complex application will be completely reviewed in like 5 person-days of testing, well you should explain why that's not a practical concept :)


Specify in the contract which security aspects you investigate and only take responsibility for those. You won't always find vulnerabilities. But I guarantee you will find a few minor things, and I suggest you include every little detail you can in the report, missing HSTS in headers, weak ciphers, etc. So they see that you did something.

There are some reporting tools I know of, but they are either not publicly available or paid products.
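As an added example of the kind of "basic checklist" finding both answers mention (it is not code from either answer's author), the snippet below reviews a captured set of HTTP response headers for the Strict-Transport-Security header and reports missing or weak configurations with a deliberately modest severity. The sample header sets are constructed for the example; the one-year threshold and the Low/Info severity labels are assumptions, not an industry standard.

```python
import re

# Constructed sample response header sets, standing in for what a tester would
# capture during a basic header review. They are not from any real site.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "short-max-age": {"Strict-Transport-Security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

# Assumed threshold: HSTS max-age of at least one year is commonly recommended.
ONE_YEAR_SECONDS = 31536000


def check_hsts(headers):
    """Return a list of (severity, finding) tuples describing HSTS weaknesses.

    Severities are illustrative: a missing header is reported as Low and
    weak directives as Info, matching the advice above to record small
    findings without overstating them.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("strict-transport-security")
    findings = []

    if value is None:
        findings.append(("Low", "Strict-Transport-Security header missing"))
        return findings

    # Directives are separated by ';' and are themselves case-insensitive.
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]

    max_age = None
    for directive in directives:
        match = re.fullmatch(r"max-age=(\d+)", directive)
        if match:
            max_age = int(match.group(1))

    if max_age is None:
        findings.append(("Low", "HSTS header present but max-age is missing or malformed"))
    elif max_age < ONE_YEAR_SECONDS:
        findings.append(("Info", f"HSTS max-age of {max_age}s is below the assumed one-year threshold"))

    if "includesubdomains" not in directives:
        findings.append(("Info", "HSTS includeSubDomains directive not set"))

    return findings


def review_all(responses):
    """Run the HSTS check over every captured response, keyed by label."""
    return {label: check_hsts(headers) for label, headers in responses.items()}


if __name__ == "__main__":
    for label, findings in review_all(SAMPLE_RESPONSES).items():
        if not findings:
            print(f"{label}: no HSTS findings")
        for severity, text in findings:
            print(f"{label}: [{severity}] {text}")
```

Running it prints one line per finding; the "good" sample produces none, which is also worth stating in a report so the customer can see the check was performed.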