Quick Answer: Every VeilScan scan on a paid plan produces a signed, timestamped PDF report containing an executive summary, a Business Impact Score, all verified findings with proof evidence, attack path diagrams, a compliance mapping table, and a verification token. The PDF is designed to be shared with auditors, enterprise customers, and boards without requiring the recipient to have security expertise.
What is in a VeilScan PDF report?
The PDF report is structured in the following sections:
- Cover and metadata — scan date, domain scanned, report generation timestamp, and the verification token
- Executive summary — a plain-language overview of the scan results designed for non-technical readers. Includes the overall Business Impact Score and a 3–5 sentence description of the most significant risk areas.
- Finding list — all verified findings at every severity level, each with: affected asset, vulnerability type, severity, Business Impact Score, proof evidence or evidence description, and remediation guidance
- Attack paths — step-by-step chain diagrams for any findings that chain into breach scenarios, with the estimated business impact at the end of each path
- Compliance mapping table — each finding mapped to the applicable controls in ISO 27001:2022, SOC 2 Type II, GDPR Article 32, PCI DSS v4.0, and Cyber Essentials, with the remediation action that satisfies each control
- Verification section — the unique verification token and instructions for third parties to confirm the report's authenticity
How are VeilScan reports signed and verified?
Each PDF report is generated with a unique verification token tied to the specific scan, domain, and timestamp. This token is embedded in the report and registered in VeilScan's verification database.
Any third party can visit veilscan.net/verify/[token] to confirm:
- The report was generated by VeilScan (not self-produced or altered)
- The domain and scan date match the report
- The report content has not been modified since generation
This verification mechanism makes VeilScan reports suitable for use in contexts where the recipient needs confidence in the report's integrity without accessing your account — enterprise customer security questionnaires, auditor submissions, and investor due diligence.
How are PDF reports used for compliance evidence?
Compliance frameworks that require documented vulnerability scanning evidence accept VeilScan PDF reports as evidence of:
- A continuous vulnerability management programme (ISO 27001 A.8.8, SOC 2 CC7)
- External scanning performed at defined intervals (PCI DSS Requirement 11)
- Appropriate technical measures to ensure processing security (GDPR Article 32)
- Systematic identification and remediation of misconfigurations (Cyber Essentials)
What are the most common questions?
Are PDF reports available on the free plan?
No. PDF export requires a paid plan. The free plan provides a read-only dashboard view of Medium and Low findings. Paid plans include PDF export for all completed scans.
How long are PDF reports stored?
PDF reports are available for download at any time while your account is active. Historical reports from all previous scans remain accessible from your dashboard. If you cancel your subscription, reports are retained in read-only mode.
Can the PDF report be customised with my company branding?
Custom branding is not currently available. VeilScan reports include the VeilScan branding alongside your company name and domain. If custom branding is important for your use case, contact hello@veilscan.net.