Vulnsy
Guide

What Is Proof of Concept? A Pentester's Guide

By Luke Turvey11 May 202619 min read
What Is Proof of Concept? A Pentester's Guide

You've found the issue. The scan flagged it, manual testing confirmed it, and the risk is obvious to you. Then the hard part starts.

The client doesn't need another paragraph saying a vulnerability is “critical”. They need to see, safely and clearly, that the flaw is real, exploitable, and worth fixing now. That's where most reports either earn trust or lose it. A weak Proof of Concept leaves room for argument. An overcooked one crosses lines it never needed to cross.

A good PoC sits in the middle. It proves impact without becoming reckless. It gives developers enough to reproduce the issue without handing over something destructive. It helps legal, engineering, and management look at the same evidence and agree on what happens next. That balance is what separates a tidy report from one that drives remediation.

Beyond the Finding The Role of a PoC in Pentesting

You confirm an issue at 4:30 p.m. The exploit works, the evidence is on screen, and the report is due tomorrow. That is usually the point where quality splits. One path leads to a screenshot and a vague severity note. The other leads to a controlled PoC that shows exactly what happened, how far it goes, and how the client can verify it without risking production.

Clients push back on findings for predictable reasons. The evidence is incomplete. The impact is overstated. The reproduction steps are messy. Or the PoC proves the bug in a way that makes legal, engineering, or operations uncomfortable. A good pentest report closes those gaps. It gives the client enough proof to act, while staying inside scope and avoiding unnecessary harm.

That reporting discipline matters as much as the technical result itself.

A PoC earns its place in a pentest because it turns a finding into evidence people can use. Developers need something they can replay. Security leads need something they can defend internally. Management needs to see that the risk is real without reading raw proxy history. In API work, for example, that often means showing one clean request, one controlled response, and one clear statement of impact, which is the same standard teams apply when securing APIs for developers.

What clients actually need from a PoC

A report-ready PoC usually has three jobs.

  • Prove exploitability in the client's environment. The issue needs to work against the target system, with the constraints that existed during the test.
  • Show the boundary of impact. Clients need to see what access was gained, what data was exposed, or what control was possible, and where you stopped.
  • Support remediation and validation. The best PoCs save time for the fix team because they can retest the patch against the same steps.

The last point gets missed often. A flashy exploit can impress another tester. It does not help much if the developer cannot reproduce it, or if the client has to guess whether the fix closed the hole.

Practical rule: Build the smallest demonstration that proves the risk and survives scrutiny in a report.

That usually means leaving out the dramatic parts. If reading one other user's record proves broken access control, there is no need to dump the whole table. If a single outbound callback proves command execution, there is no need to pull sensitive files. Clients remember restraint. It tells them the tester understands both impact and limits.

Strong PoCs also change how the report is received. Findings with clear, bounded evidence get fixed faster because fewer meetings are spent arguing over whether the issue is real, reproducible, or overstated. That is part of the job. Good pentesting is not just finding weaknesses. It is presenting proof in a form the client can act on with confidence.

Defining Proof of Concept in Cybersecurity

A client reads your finding, agrees the bug exists, then asks the question that decides whether the issue gets fixed this sprint or argued over for two more meetings: “Can you show me exactly what happened without putting us at more risk?”

That is the job of a proof of concept in pentesting.

In cybersecurity, a PoC is a controlled demonstration that shows a specific vulnerability can be triggered in the target environment and produces observable security impact. The point is not to show everything an attacker could do. The point is to produce evidence a client can trust, reproduce, and use in a report, a fix ticket, or a retest.

An infographic explaining the concept, purpose, characteristics, and importance of a Proof of Concept in cybersecurity.

A Proof of Concept in pentesting is a minimal, controlled, non-destructive demonstration that a specific vulnerability can be exploited in the client's environment, producing a verifiable security impact without going beyond agreed scope.

That definition matters because report-ready evidence has to do two things at once. It has to prove the finding is real, and it has to show professional restraint. Clients do not need theater. They need proof that stands up under review from engineers, managers, and sometimes legal teams.

The characteristics of a report-ready PoC

A PoC earns its place in the report when it is clear enough to retest and restrained enough to run safely.

  • Minimal. It uses the least intrusive method that still proves exploitability.
  • Reproducible. Another tester or the client's fix team can follow the same steps and reach the same result.
  • Scoped. It stays within the authorised asset, account, dataset, and technique for the engagement.
  • Safe. It avoids unnecessary data access, persistence, destructive actions, or service interruption.

You can see the same emphasis in official UK guidance on proof-of-concept code from the National Cyber Security Centre, which focuses on controlled demonstration and safe handling of exploit code: NCSC guidance on proof-of-concept code.

What validation looks like in practice

Good PoCs are usually small.

For XSS, a harmless alert(1) or a visible DOM change is often enough. For SQL injection, a boolean difference, controlled error, or database version string usually proves the point. For broken access control, reading one test record outside your account shows impact without exposing a full customer dataset.

The trade-off is judgment. Weak evidence creates doubt. Overbuilt evidence creates risk, noise, and avoidable clean-up.

That matters even more in API assessments. Teams working on securing APIs for developers usually benefit from the shortest request sequence that proves broken authorization, object access, or trust boundary failure. The cleanest PoC often looks less dramatic than the bug bounty write-up, but it is far more useful in a client report.

It also helps to separate PoCs from automated discovery. A vulnerability scanning process can flag likely issues, but a PoC confirms that one specific issue is exploitable under real conditions.

What a PoC is not

A PoC does not need lateral movement, persistence, privilege maintenance, or a full attack chain unless the engagement specifically asks for that level of testing.

It needs a clean causal record:

  1. the vulnerable condition exists,
  2. the tester performs a defined action,
  3. the observed result proves impact.

That is why the best PoCs are usually plain to watch and hard to dispute.

PoC vs Exploit vs Vulnerability Scan

Confusion usually starts when people use the same words for three very different things. A vulnerability scan discovers candidates. A PoC validates one finding. A full exploit pushes much further. If you blur those boundaries, clients start expecting offensive depth where only validation was agreed, or they mistake scan output for confirmed risk.

Here's the simplest way to separate them.

Comparison of Security Assessment Artifacts

Term Primary Purpose Typical Output Analogy
PoC Validate that a specific vulnerability is exploitable in a controlled way Safe script, request sequence, screenshot, terminal output, or short video showing cause and effect A key that proves one lock opens
Exploit Gain deeper access, stronger impact, or chained compromise beyond simple validation Weaponised code, shell access, lateral movement steps, persistence methods A full break-in kit
Vulnerability scan Identify possible weaknesses for review and triage Automated list of potential issues, severities, banners, versions, and misconfigurations A metal detector that flags where to dig

Why the distinction matters in client conversations

A scan says, “this might be vulnerable”. A PoC says, “this is vulnerable, and here is the evidence”. An exploit says, “this can be taken much further”.

That difference affects scope, risk, and reporting language. If you write “exploited” when you really mean “validated”, some clients will assume you went further than authorised. If you present a scanner finding like a confirmed issue, engineering teams will challenge it. Using the right term saves time and avoids defensive conversations.

For teams that need a quick reference point, this overview of vulnerability scanning terminology is useful because it keeps discovery separate from validation.

When to use each one

Use a vulnerability scan early to build coverage and spot likely weaknesses. Use a PoC once manual testing confirms the issue and you need evidence that belongs in the report. Use a deeper exploit only when the rules of engagement explicitly allow it and the extra impact is necessary to answer the client's objectives.

Clients usually don't need maximum compromise. They need credible proof, clear boundaries, and a fix path.

That's why the PoC is the most important reporting artefact of the three. It's the point where technical testing becomes actionable evidence.

The Ethical and Legal Line for Proof of Concepts

You are midway through a test. A single request has already proved the issue. One more step would pull live customer data, drop a web shell, or show full account takeover on camera for the client. That is the moment that separates a disciplined PoC from a liability.

Most weak PoCs are not weak because the tester missed the bug. They are weak because the tester lost sight of the job. The client needs evidence they can trust, a report they can act on, and no mess to clean up afterward.

A balancing scale with a green ethical sphere and a blue legal sphere, representing the concept of ethical boundaries.

Minimum impact, maximum proof

A report-ready PoC shows the smallest action that proves the security claim beyond reasonable doubt. That standard saves time, reduces risk, and gives the client cleaner evidence.

In practice, that usually means keeping the demonstration controlled:

  • SQL injection. Confirm control of the query with version output, boolean differences, timing behaviour, or access to a seeded record. Do not dump production tables just because you can.
  • IDOR. Show access to a test object, your own second account, or a low-sensitivity record created for validation. Do not enumerate real customer data.
  • RCE. Run a harmless command that returns host or process context. Do not establish persistence, alter files, or pivot unless the engagement explicitly authorises it.
  • Stored XSS. Prove script execution with a benign payload in the affected context. Do not capture sessions, exfiltrate tokens, or interfere with user actions.

That restraint is not caution for its own sake. It makes the finding easier to defend in the report. Clients can see exactly what was proved, what was not attempted, and where the testing stopped.

Why the line is legal as well as ethical

Authorisation is the boundary that matters. A finding can be technically valid and still become a legal problem if the PoC goes beyond agreed scope, touches prohibited data, or causes avoidable harm.

In the UK, that risk sits alongside the Computer Misuse Act 1990. The practical lesson for testers is simple. Scope, method, and evidence all need to match the signed rules of engagement. If the document allows validation of code execution but says nothing about persistence, lateral movement, or production data access, stop at validation and ask for written approval before increasing impact.

The same discipline matters after the test. Clear evidence, timestamps, request and response pairs, and documented stopping points make the work defensible if a client later asks what was accessed or why a particular action was taken. The same logic underpins responsible disclosure practices, where proving the issue and limiting harm matter as much as finding it.

Rules of engagement should answer the hard questions early

The cleanest PoCs are usually decided before testing starts. Good rules of engagement remove guesswork from the moment when a tester finds a path to greater impact.

They should define:

  • Exact scope. Hosts, applications, APIs, user roles, data sets, and environments that are in or out of bounds.
  • Permitted proof level. Whether the client wants validation only, limited exploitation, or deeper impact for specific objectives.
  • Prohibited actions. Data exfiltration, bulk extraction, destructive commands, denial of service conditions, persistence, social engineering, or third-party pivoting.
  • Escalation points. The exact situations where the tester must pause and get written approval before proceeding.
  • Evidence handling. How to capture screenshots, logs, and sample data without retaining unnecessary sensitive information.

I have found that many client disputes start with vague wording, not bad testing. "Demonstrate impact" is too loose. "Prove read access to one non-sensitive record from a second test account" is workable.

A PoC should give the client confidence in the finding, not a second incident to manage.

That is the dividing line. A good PoC proves enough to support remediation, preserves trust, and stays inside the authority you were given.

How to Create a Reproducible Pentest PoC

A tester has the bug, the client has the report, and engineering still cannot repeat the issue without a meeting. That is a weak PoC.

A reproducible pentest PoC is a controlled proof package. It shows the minimum steps needed to confirm the finding, the exact conditions that make it work, and enough evidence for a reviewer to trust the result. Good PoCs save remediation time. Bad ones create back-and-forth, scope disputes, and retest delays.

A person in a green hoodie typing code on a laptop while analyzing handwritten flowcharts on paper.

Identify the exact security claim

Write the finding as a statement you can prove with one workflow.

Use language like “an authenticated user can read another user's invoice by changing the object identifier” or “stored input executes JavaScript in the admin review panel.” That wording forces precision. It also tells you what evidence matters and what can be cut.

If the claim includes three separate behaviors, split them. A PoC that tries to prove access control failure, privilege escalation, and data extraction in one chain usually becomes harder to rerun and harder to defend in review.

Isolate the smallest trigger

The best PoCs remove noise early. Capture the normal flow in Burp Suite or another proxy, then reduce it until only the required action remains.

A practical method:

  1. Record the valid request path.
  2. Change one input at a time.
  3. Remove headers, parameters, and UI steps that do not affect the result.
  4. Repeat until you can explain the trigger in one or two sentences.

Experience saves time in this context. Many testers keep decorative steps because they discovered the issue through a long path. The client does not need the discovery story. The client needs the shortest reliable path to verification.

For XSS, that may be one field with a harmless payload. For IDOR, it may be a single identifier swap between two controlled accounts. For broken API authorization, it may be one replayed request under the wrong user context.

Demonstrate impact at the right proof level

Show enough impact to remove doubt, then stop.

That line matters in pentesting because the cleanest PoC is rarely the most dramatic one. A popup is often enough for XSS. One test record is enough for IDOR. A callback to an approved endpoint is enough for SSRF. Uploading a benign file that executes in the wrong context is often enough for file upload issues.

I treat every extra action as something that must justify its risk. If the same finding can be proven by reading one seeded record instead of touching production data, use the seeded record. If a screenshot proves code execution in a constrained test directory, there is no reason to pivot further.

A PoC should survive legal review, technical review, and client scrutiny. Theatre fails all three.

Document it so another person can rerun it

If engineering cannot reproduce the issue from your notes, the PoC is incomplete. Report-ready evidence needs enough context to work outside your testing session.

Include:

  • Preconditions. User role, account state, feature flag, endpoint, browser, token type, or test data.
  • Exact steps. Short numbered actions with the modified values called out clearly.
  • Proof artefacts. Request and response pairs, terminal output, screenshots, or a short script.
  • Expected result. One sentence describing what confirms the issue.
  • Safety guardrails. Limits on records, payloads, destinations, or commands during reproduction.

The format matters too. A clean evidence block with one request, one response, and one caption beats a page of raw proxy history. If your team wants a repeatable structure for that, use a pentest report template that includes dedicated PoC evidence fields.

Keep the artefact clean enough for the report

A reproducible PoC should be easy to scan under pressure. Trim screenshots to the proof. Redact secrets you do not need. Keep scripts short. Label modified parameters. If there is a timing dependency, say so. If the issue only appears with a stale token, unusual role mapping, or specific browser behavior, state it plainly.

The goal is simple. A developer, reviewer, or retester should be able to pick up the finding and confirm it without guessing what you meant.

That is what good PoC work looks like in practice. Precise, restrained, and ready to stand on its own in the final report.

Embedding PoCs in Reports for Maximum Impact

A finding can be technically solid and still land badly with the client. It happens when the PoC is buried in screenshots, split across appendices, or pasted into the report without enough structure to survive review. The issue is no longer whether the bug is real. The issue is whether the client can understand it quickly, assign it to the right team, and retest it without booking another call.

Screenshot from https://example.com/vulnsy-poc-embedding-ui

What effective report embedding looks like

The best report pages keep the PoC attached to the claim it proves. A reviewer should not have to hunt through raw proxy history, image dumps, or chat logs to piece the story together. Good embedding makes the finding readable under time pressure and defensible during QA, client review, and retest.

That usually means four parts presented together:

  • A plain-English statement of impact so the reader knows what the evidence is proving.
  • A tight evidence block with the exact request, response, script output, or screenshot that confirms the issue.
  • A short reproduction path that mirrors the evidence without forcing engineering to reverse-engineer your steps.
  • A remediation and retest note that tells the client what to fix and what result should disappear after the fix.

The trade-off is straightforward. Dumping every artefact into the report feels safer because nothing is omitted, but it slows review and hides the proof. Over-editing has the opposite problem. It produces a neat page that no longer stands up to scrutiny. Report-ready PoCs sit in the middle. They are trimmed, labelled, and still technically complete.

The reporting problems that waste time

Manual reporting breaks in predictable ways, especially on larger engagements with multiple testers and repeated finding types.

  • Evidence drift. A screenshot, request, or script ends up attached to the wrong finding version.
  • Inconsistent formatting. Each consultant documents PoCs differently, which creates avoidable QA comments.
  • Weak traceability. Reviewers can see the artefact but cannot tell which action triggered it.
  • Repeat rework. The same cleanup gets done during drafting, internal review, and final export.

Those problems are not cosmetic. They affect whether a client trusts the report. If a privileged action is shown in a screenshot but the triggering request is missing, the client has to ask follow-up questions before assigning the issue. If the evidence is hard to map to the finding, retesting takes longer and disputes are more likely.

A structured reporting workflow fixes a lot of that. Keep evidence fields tied to the finding record. Standardise how requests, responses, and screenshots are captioned. Use templates that force the same order every time: impact, proof, reproduction, fix, retest. If your team is still building that structure by hand, this pen testing report template with dedicated evidence sections is a practical reference.

What clients actually respond to

Clients rarely need more drama. They need enough proof to act with confidence.

The report should let an engineering lead answer three questions fast: what happened, why it matters, and how to confirm the fix. That is the standard that turns a PoC into a useful deliverable. In practice, that means cleaner captions, fewer redundant screenshots, and evidence ordered around the client decision you need to support.

A well-embedded PoC also shows restraint. It proves impact without turning the report into a trophy case of payloads or post-exploitation screenshots. That matters ethically as much as it matters operationally. The client hired a pentest to reduce uncertainty, not to receive a bundle of loosely organised artefacts.

Clear PoC embedding is part of the test itself. If the report makes the evidence easy to review, reproduce, and retest, the PoC has done its job.

From Proof to Action A PoC Is Just the Beginning

A PoC isn't the end of the story. It's the point where the story becomes useful.

Too many testers treat the PoC like a final reveal. They proved the flaw, captured the screenshot, and moved on. But clients don't buy pentests for dramatic endings. They buy them to reduce risk. If the PoC doesn't help them reproduce, prioritise, and fix the issue, it hasn't done enough.

The standard to aim for is straightforward. A good PoC is clear, so nobody has to guess what happened. It is safe, so the evidence doesn't create fresh problems. It is reproducible, so engineering can verify both the issue and the fix. And it is presented well, so the report supports action instead of slowing it down.

That mindset changes the role of the tester. You're not just identifying weaknesses. You're giving the client a controlled path from finding to remediation. That's more valuable than a longer payload list or a louder demo.

The next time you confirm a vulnerability, stop before you build the flashiest possible demonstration. Build the smallest one that proves the point and survives scrutiny. That's usually the PoC the client needed all along.

If you want to spend less time wrestling with formatting and more time producing clean, report-ready evidence, Vulnsy gives pentesters a practical way to document findings, attach PoCs, and generate professional deliverables without the usual copy-paste grind.

what is proof of conceptpenetration testingpentest reportvulnerability assessmentcybersecurity
Share:
LT

Written by

Luke Turvey

Security professional at Vulnsy, focused on helping penetration testers deliver better reports with less effort.

Related Articles

Reduce Mean Time to Resolution for Security Incidents
Guide

Reduce Mean Time to Resolution for Security Incidents

Master Mean Time to Resolution (MTTR). Learn what it is, how to calculate it, & proven strategies to reduce it for security incidents. A UK guide.

15 min read18 May 2026
Security Reporting Software Buyer's Guide
Guide

Security Reporting Software Buyer's Guide

Ditch manual reports. Our guide to security reporting software explains features, ROI, and evaluation criteria for pentesters and MSSPs.

15 min read17 May 2026
OWASP Testing Guide: A Practical Pentester's Handbook
Guide

OWASP Testing Guide: A Practical Pentester's Handbook

Master the OWASP Testing Guide. Our practical handbook covers its structure, test categories, and how to use it for efficient pentesting and reporting.

20 min read16 May 2026

Ready to streamline your pentest reporting?

Start your 14-day trial today and see why security teams love Vulnsy.

Start Your Trial — $13

Full access to all features. Cancel anytime.