Attestation is the process of providing evidence that the findings detailed in the pen test report are true. In other words, by signing off on the report given to the client, you are attesting that you believe the information and conclusions in the report are accurate. Attestation is perhaps the most significant component of gaining client acceptance, because the client must believe that what you have said about their people, processes, and technology is accurate. Many organizations will not simply take your word that a particular vulnerability exists, even if you have built a good reputation over the years. You must be prepared to prove what you claim.
Proof can come in many forms, and the appropriate form usually depends on the nature of what is being proven. For example, if you want to prove that you were able to break into a server holding sensitive data, you could present a sample of the exfiltrated data to the client as proof, handled according to the data-handling terms of the rules of engagement (for example, a redacted excerpt rather than the full data set). If you want to provide evidence of a backdoor, you could give the client a live demonstration of accessing a host through a reverse shell. If you want to prove that you were able to glean sensitive data in transit, you could show the client packet capture files that include the plaintext data. The threshold of evidence differs from organization to organization, and some clients will be content with screenshots showing compromise rather than direct demonstrations; in that case, make sure each screenshot captures the context that ties it to the finding, such as the target hostname or address, the command that was run, and a timestamp. Once again, it is important to communicate with your client to identify their needs.
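Whatever form the proof takes, the artifacts you hand over (screenshots, packet captures, exfiltration samples) are only useful as attestation if the client can confirm they are the same files you produced during the engagement. The following is an added example, not code from the original text: it builds a manifest that records a SHA-256 digest for each evidence artifact, keyed to the finding it supports, and then checks the artifacts against that manifest so that any file altered after sign-off is detected. The finding identifiers, file names, placeholder file contents, and tester address are all constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 16  # read artifacts in 64 KiB pieces so large pcaps are not loaded whole


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, findings, tester):
    """Build an evidence manifest.

    findings maps a finding identifier to the artifact file names (relative to
    evidence_dir) that support it. The returned dictionary is what the tester
    would sign and deliver alongside the report.
    """
    entries = []
    for finding_id, names in findings.items():
        for name in names:
            p = Path(evidence_dir) / name
            entries.append({
                "finding": finding_id,
                "artifact": name,
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    return {
        "attested_by": tester,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the names of artifacts that are missing or whose digest no longer matches."""
    mismatches = []
    for entry in manifest["artifacts"]:
        p = Path(evidence_dir) / entry["artifact"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            mismatches.append(entry["artifact"])
    return mismatches


def demo():
    """Create constructed sample artifacts, attest them, tamper with one, and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed placeholder artifacts standing in for a screenshot and a pcap.
        (root / "F-01-reverse-shell.png").write_bytes(b"\x89PNG placeholder screenshot")
        (root / "F-02-plaintext-creds.pcap").write_bytes(b"placeholder pcap bytes")
        findings = {
            "F-01": ["F-01-reverse-shell.png"],
            "F-02": ["F-02-plaintext-creds.pcap"],
        }
        manifest = build_manifest(root, findings, "tester@example.invalid")  # hypothetical address
        clean = verify_manifest(root, manifest)           # expected: no mismatches
        (root / "F-02-plaintext-creds.pcap").write_bytes(b"altered after sign-off")
        tampered = verify_manifest(root, manifest)        # expected: the pcap is flagged
        return clean, tampered, manifest


if __name__ == "__main__":
    clean, tampered, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```

The manifest on its own only proves integrity, not origin; to turn it into an attestation you would sign the JSON with a key the client already trusts (for example, a detached GPG or S/MIME signature) and deliver the signature with the report. Keeping the digests per finding also lets the client verify only the artifacts behind a finding they dispute instead of the whole evidence set.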