Founder's Note

Why I Built ScopeProof: The Pentest Industry Has a Trust Problem

By David Mockler · April 15, 2026 · 5 min read

TL;DR

Penetration test reports tell you what was found — but almost nothing about what was actually tested. After years in the industry and one too many encounters with pentesters who couldn't prove their work, I built ScopeProof: a coverage data platform that captures real testing activity at the request level, so clients can verify what they paid for and pentesters can prove they delivered it.

I've spent years in cybersecurity — doing bug bounties, working as a penetration tester, and later as an Application Security Engineer. Over that time, I kept running into the same uncomfortable truth: pentest reports are built on trust, not proof.

You pay for an engagement, you get a report back. It lists findings, assigns severity ratings, and somewhere in the methodology section it says something like "testing was conducted in alignment with OWASP Top 10" or "coverage followed the PTES framework." Sounds rigorous. But if you dig in and ask, "can you actually show me what you tested?" — the best answer you're likely to get is a dump of VPN logs or a stack of raw network captures. Nobody has time to make sense of that, and most clients don't have the technical background to even try.

Most clients don't know what they don't know — and that's exactly where the trust gap lives.

The encounter that made it real

I've seen mediocre pentest work before, but one engagement pushed me over the edge. A pentester kept flagging normal application functionality as CSRF vulnerabilities. When I pushed back and asked for a proof-of-concept, I got a screenshot of a request being replayed in Burp Suite Repeater. That's it. No actual exploitation, no demonstration of impact — just a replay.

Something felt off, so I kept watching the application over the following days. Zero new objects in the UI. Nothing changed. After the engagement wrapped, I raised the concern with the firm. They pulled their VPN logs and, after going through it all, the conclusion was clear: the level of testing did not meet the standard that was promised or paid for.

Here's what scared me most — if I hadn't been a former pentester myself, I never would have caught it. A non-technical executive would have read that report, paid the invoice, and walked away thinking their application had been properly assessed. That's thousands of dollars for essentially nothing.

So I built the solution I wish existed

ScopeProof is a coverage data platform for penetration testing engagements. It captures what was actually tested — at the request level — in real time, and makes that data accessible and verifiable for both the pentester and the client.

Think of it as the trust layer between the two parties. Pentesters get a tool that automatically proves their thoroughness. Clients get a workspace where they can see exactly what was covered, mapped against the frameworks they were promised, with the receipts to back it up.

No more "we tested against OWASP" buried in an executive summary. ScopeProof shows you what percentage of your application was tested, how deeply, and with what methods — and it ties every finding back to the actual requests that uncovered it.

Pentesting shouldn't be a trust exercise. It should be a data-driven one. That's why I built ScopeProof.
