A pen test report contains: Executive summary (business risk), Methodology, Findings (vulnerability + evidence + CVSS + recommendation), Risk rating, and Remediation roadmap.
Two audiences: executives (want business risk context) and technical teams (need exact reproduction steps and remediation guidance). Each finding must include: evidence (screenshot/log), impact explanation, and specific remediation steps. Track findings to closure.