Our Policy on "Clean" Pentest Reports

Written by Rene Brandel on Sun Apr 12 2026

Effective April 12, 2026, we don't issue "clean pentest reports"*.

*A clean report is a document that shows zero active findings after remediation. It hides what was actually discovered. It omits the vulnerabilities you fixed.

Some customers request these reports for procurement or compliance checkboxes. We've accommodated a handful of these requests in the past. We're stopping this practice. If you see any Casco-issued "clean reports" after today, please verify the authenticity of the report.

Why you, as a customer, should not seek "clean reports":

  1. You hide your excellent accomplishment of remediating issues fast
  2. It doesn't communicate the depth of testing you actually received
  3. Most companies will reject them anyway

Why your vendors will reject "clean reports" anyway:

  1. They are often generated by basic scanning software, not actually by a pentester
  2. They know that all software has security gaps, so a report with zero findings is a red flag
  3. They want to know how your team remediates security issues rather than hides them

We've written a longer post before about why "clean" reports are a red flag.

How to verify any Casco-issued reports:

  1. Send the report to support+reportverification@casco.com
  2. We'll reply "Verified as Casco-issued" or "Not Casco-issued"