Letters of Attestation
Publish externally-verifiable proof that your app has been pentested
What is a Letter of Attestation?
A Letter of Attestation is a one-page, cryptographically-signed PDF that proves a specific application was penetration-tested by ModernPentest during a specific time period. It's designed for one purpose: sharing proof with people outside your organization — prospects, customers, auditors, partners.
It is intentionally short and prospect-friendly. For full compliance documentation, generate a SOC 2 report or ISO 27001 report instead.
Think of it as the security-team equivalent of a Stripe receipt: concise, professional, verifiable by anyone with the link.
When to use which artifact
| Need | Use |
|---|---|
| Prospect asks "have you been pentested?" | Letter of Attestation |
| Auditor asks for SOC 2 / ISO 27001 evidence | Compliance Report (SOC 2 or ISO 27001) |
| Security questionnaire with specific CIA | Compliance Report |
| Trust page on your marketing site | Letter of Attestation (public + embed) |
| RFP requires "pentest letter" | Letter of Attestation |
| Prospect wants a short SOC 2-flavored proof | Letter of Attestation + SOC 2 framework tag |
| Prospect wants a short ISO 27001-flavored proof | Letter of Attestation + ISO 27001 framework tag |
Compliance framework tagging
Attestations can optionally reference a compliance framework. This adds framework-specific evidence language and badge styling, so a customer reviewing your attestation sees the relationship to SOC 2 or ISO 27001 at a glance.
| Framework | Controls referenced | Badge label |
|---|---|---|
| None | (generic pentest statement) | Pentested |
| SOC 2 | CC4.1 (Ongoing Monitoring), CC7.1 (Security Operations) | SOC 2 Pentested |
| ISO 27001 | A.8.8, A.8.29, A.5.35 | ISO 27001 Pentested |
A framework-tagged attestation does not replace the full Compliance Report. It's a short public-facing proof with framework-aware copy, intended for prospects and trust portal visitors. Auditors should still review the full report.
The framework tag is part of the cryptographically-hashed payload — changing the declared framework after issuance invalidates verification. If you need to switch frameworks, generate a new attestation.
How to generate one
1. Complete a pentest
Letters of Attestation can only be generated from scans in a terminal state (completed or completed_with_errors). If you have no eligible scans, run a pentest first from the Pentests dashboard.
2. Create the attestation
From the Attestations dashboard, click "New Attestation" and select your completed scan. You can also deep-link directly from the scan detail page via the "Generate Attestation" button.
3. Choose a redaction profile
Three profiles control how much detail appears on the public version:
Minimal
- Organization name, application name, test period
- "No critical or high outstanding" statement (when true)
- Hidden: severity counts, methodology details, vulnerability types
Best for conservative sharing where you only need to prove testing occurred.
Standard (recommended default)
- Everything in Minimal
- Severity breakdown (open vs remediated, with hover explanations)
- Surfaces tested, agent methodology
- Scan duration, OWASP coverage
Best for most customer-facing sharing.
Detailed
- Everything in Standard
- Vulnerability types by category (CWE/OWASP)
- Remediation timeline summary (median time-to-fix)
- Validator verification stats
Best for security-conscious prospects or internal auditors.
All profiles always omit endpoints, payloads, parameter names, request/response bodies, evidence URLs, and user IDs. There is no redaction level that exposes these.
4. Choose visibility
- Private — dashboard only. Download the PDF and share it manually.
- Unlisted — anyone with the link can view the public page. Not listed on your org's trust portal.
- Public — listed on /trust/[your-org-slug] as part of your org's trust portal.
Publishing is available on paid plans only.
5. Generate and share
After submission, the PDF renders in the background (usually within seconds). From the attestation detail page you can:
- Copy link — one-click copy of the public URL
- Share via email — pre-composed email with link and explanation
- Download PDF — for attaching to RFPs or sharing manually
- Publish / Make private — toggle visibility
- Revoke — permanent revocation with optional reason
- Embed on your website — copy ready-to-paste badge or card snippets (full embedding guide)
Outstanding findings — should I wait?
ModernPentest lets you generate an attestation regardless of open findings. If your scan has outstanding critical or high-severity issues, the generation flow will show a warning: most customers wait until remediation is complete before publishing.
The redaction profile controls what gets shown. If you generate an attestation with open criticals but use the minimal profile, the public page won't mention them — it will only show dates and a pentest-performed statement. This is honest (the pentest did happen) without misrepresenting the security posture.
Our recommendation: for public attestations, wait until you have zero critical/high outstanding so the "no critical or high outstanding" statement appears on the letter.
Reading the severity grid
When the public attestation is on the Standard or Detailed profile and there are findings to show, each severity row displays two numbers:
| Severity | Open | Remediated |
|---|---|---|
| Critical | 7 | 0 |
| High | 2 | 1 |
| Medium | 0 | 4 |
| Low | 0 | 6 |
| Info | 0 | 12 |
The two numbers are Open / Remediated: open findings still outstanding at the time the attestation was issued, and findings remediated during the test period (found, fixed, and re-validated by ModernPentest).
Hover any severity row on the public attestation page for a tooltip with the same explanation.
Verification
Every attestation includes a SHA-256 content hash printed in the PDF footer. Anyone can verify authenticity at /trust/verify by pasting either:
- The Attestation ID (22 characters, printed on the PDF)
- The full content hash (starts with sha256:)
The hash is computed over a canonical JSON representation of exactly what's published. If a malicious party tampered with the PDF, the hash won't match and verification will fail.
What verification proves
A successful verification proves three things:
- ModernPentest issued this attestation — we have the hash in our database
- It has not been tampered with — the hash matches the canonical payload
- It is still valid — not revoked, not expired
What verification does not prove
- That the underlying application is still secure today
- That no new vulnerabilities have been introduced since the scan
- That manual penetration testing (social engineering, physical security) was performed
Attestations have an expiry date (default 1 year) to enforce this distinction.
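The hashing and verification flow described above, together with the redaction profiles from step 3, as an added example (this is not ModernPentest's code): it builds the published payload for a profile from a constructed scan record, hashes a canonical JSON form of it, and runs the three verification checks, including a copy whose framework tag was changed after issuance. The canonical JSON rules, the payload and profile key names, the attestation ID value and the in-memory issuer registry are all assumptions.

```python
import hashlib
import json
from datetime import date

# Constructed scan record (not real data). Sensitive fields are kept here on
# purpose, to show that no redaction profile lets them reach the payload.
SCAN = {
    "org": "Example Corp",
    "app": "Example Billing API",
    "test_period": {"start": "2026-03-01", "end": "2026-03-14"},
    "framework": "SOC 2",  # declared framework tag, part of the hashed payload
    "findings": [
        {"severity": "high", "status": "remediated", "cwe": "CWE-89",
         "endpoint": "/api/invoices", "parameter": "id", "payload": "(constructed)"},
        {"severity": "medium", "status": "open", "cwe": "CWE-79",
         "endpoint": "/api/notes", "parameter": "body", "payload": "(constructed)"},
        {"severity": "low", "status": "remediated", "cwe": "CWE-209",
         "endpoint": "/api/debug", "parameter": None, "payload": None},
    ],
}
SEVERITIES = ("critical", "high", "medium", "low", "info")
# Fields the text says every profile omits (assumed field names).
NEVER_PUBLISHED = {"endpoint", "parameter", "payload", "request_body",
                   "response_body", "evidence_url", "user_id"}


def severity_grid(findings):
    """Open / Remediated counts per severity, i.e. the two numbers of each grid row."""
    grid = {s: {"open": 0, "remediated": 0} for s in SEVERITIES}
    for f in findings:
        grid[f["severity"]][f["status"]] += 1
    return grid


def leaks_sensitive(obj):
    """True if a never-published field name appears anywhere in a payload."""
    if isinstance(obj, dict):
        return any(k in NEVER_PUBLISHED or leaks_sensitive(v) for k, v in obj.items())
    return isinstance(obj, list) and any(leaks_sensitive(v) for v in obj)


def build_payload(scan, profile):
    """Select what the public version shows under a redaction profile (assumed keys)."""
    if profile not in ("minimal", "standard", "detailed"):
        raise ValueError("unknown redaction profile: %s" % profile)
    grid = severity_grid(scan["findings"])
    payload = {"org": scan["org"], "app": scan["app"],
               "test_period": scan["test_period"], "framework": scan["framework"]}
    if grid["critical"]["open"] == 0 and grid["high"]["open"] == 0:
        payload["no_critical_or_high_outstanding"] = True  # statement shown only when true
    if profile in ("standard", "detailed"):
        payload["severity_grid"] = grid
    if profile == "detailed":
        payload["vulnerability_types"] = sorted({f["cwe"] for f in scan["findings"]})
    assert not leaks_sensitive(payload)  # raw findings are never copied through
    return payload


def canonical_json(payload):
    """Assumed canonical form: sorted keys, no insignificant whitespace, ASCII only."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=True)


def content_hash(payload):
    return "sha256:" + hashlib.sha256(canonical_json(payload).encode("utf-8")).hexdigest()


def verify(payload, presented_hash, issued, today):
    """The three checks the text lists: issued by us, untampered, still valid."""
    record = issued.get(presented_hash)
    if record is None:
        return "unknown"      # hash not in the issuer's database
    if content_hash(payload) != presented_hash:
        return "tampered"     # published content no longer matches the hash
    if record["revoked"]:
        return "revoked"
    if today > record["expires"]:
        return "expired"
    return "valid"


def demo():
    """Issue a Standard-profile attestation, then verify honest and altered copies."""
    payload = build_payload(SCAN, "standard")
    digest = content_hash(payload)
    issued = {digest: {"attestation_id": "EXAMPLEATTESTATIONID22",  # constructed placeholder
                       "revoked": False, "expires": date(2027, 3, 15)}}
    today = date(2026, 4, 28)
    return {
        "hash": digest,
        "honest": verify(payload, digest, issued, today),
        # switching the declared framework after issuance changes the canonical JSON
        "framework_changed": verify(dict(payload, framework="ISO 27001"), digest, issued, today),
        "revoked": verify(payload, digest, {digest: dict(issued[digest], revoked=True)}, today),
        "expired": verify(payload, digest, issued, date(2027, 6, 1)),
        "unknown": verify(payload, "sha256:" + "0" * 64, issued, today),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Canonicalization is the part that matters for a verifier: JSON key order and whitespace carry no meaning, so two renderings of the same published content must hash identically, while any change to a hashed field (here the framework tag) must not. The lookup happens before the hash comparison so that a hash nobody issued is reported as unknown rather than as tampering.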
Embedding on your website
Paid plans unlock embeddable widgets for putting verified-pentest signals on your marketing site, README, or trust page:
- Pill badge (220×48) — a compact pill with the ModernPentest mark and a green check, intended for footers, hero sections, and trust strips
- Attestation card (360×240) — a full card with org name, status pill, outcome banner, and severity grid
- Markdown badge — a static image variant suited for README files
Copy ready-to-paste snippets from the attestation detail page (Embed on your website section), or read the full integration guide.
Tier limits
| Tier | Attestations/month | Public portal | Embeds |
|---|---|---|---|
| Free | Not available | — | — |
| Starter | 1 | ✓ | Badge only |
| Professional | 5 | ✓ | Badge + card |
| Enterprise | 30 | ✓ | Badge + card |
| Custom | Unlimited | ✓ | Badge + card |
Revocation and expiry
Expiry
Attestations expire 1 year from generation by default. After expiry:
- The public portal page shows an "expired" notice
- The PDF remains downloadable (honesty — the document itself is still a historical record) but is marked as expired
- Embedded badges display "Last verified" instead of the green check
- Embedded cards show an amber "Expired" pill
You'll receive email reminders 30 days, 7 days, and 1 day before expiry.
Revocation
If you publish an attestation in error or need to invalidate a prior one (e.g., you discovered a false negative), you can permanently revoke it from the detail page. After revocation:
- The public page shows a "revoked" notice with your reason (if provided)
- Any embedded badges immediately show "Revoked" with red styling
- The action is irreversible — generate a new attestation instead
FAQ
Can I customize the PDF template?
Not yet. The template is standardized to make verification easier — a consistent format means prospects can recognize a genuine ModernPentest attestation at a glance. Custom logos and cover text are on the roadmap.
What if my scan found vulnerabilities?
You can still generate an attestation. Use the minimal redaction profile to show only that a pentest was performed, without listing severity counts. Or wait until you've remediated the findings and generate a fresh attestation then.
Can multiple apps be on one attestation?
Not yet — one scan per attestation in the current release. Multi-app and rolling-period (quarterly/annual) attestations are on the roadmap.
Does this replace a manual pentest?
No. Letters of Attestation from ModernPentest reflect automated penetration testing. They don't cover manual social engineering or physical security. The attestation itself includes this disclaimer so readers aren't misled.
For compliance frameworks that require manual testing (e.g., PCI-DSS, some interpretations of SOC 2), this attestation is complementary — it doesn't replace a manual firm's letter.
Last updated: April 28, 2026