Why cyber insurers are asking for penetration test reports (and what they want to see)

By
Anirudh Madhu K
Reviewed by
Adwaith Dilraj
Published on
15 Jul 2026
10 min read
APPSEC

Cyber insurance applications have started asking harder questions about security testing over the last few years.

Part of that is because insurers are dealing with higher claim volumes and more expensive incidents, especially from ransomware, account compromise, and attacks targeting internet facing applications.

For underwriters, a penetration test report is one way to verify that a company has actually tested its external attack surface instead of relying entirely on policies, questionnaires, or assumed controls. Security testing has become a much more common requirement across carriers than it used to be, though how and when it comes up varies between applications and renewals.

For companies dealing with this for the first time, the confusing part is usually understanding what kind of report insurers expect, what makes it credible, and how much testing is actually enough for the application in front of them.

What a typical cyber insurance application asks about security testing

Most cyber insurance applications don’t ask whether a company cares about security in a general sense. They ask for specific evidence that testing has actually happened.

One of the more common questions is when the last penetration test was conducted. Some insurers want testing completed within the last 12 months, others may ask for something more recent depending on the business type or what’s being insured.

From there, applications typically ask whether the testing was done internally or by a third party, what methodology or framework was followed, whether any critical or high-risk findings were identified, and what remediation steps were taken afterward.

The remediation part carries more weight than most teams expect. Underwriters are usually less concerned about whether a test found issues and more interested in whether the company addressed them properly. A report with documented fixes or accepted risk decisions tends to hold up better than a clean report with little detail behind it.

Some applications also ask for the report itself, especially for businesses with internet-facing applications, customer portals, APIs, payment systems, or cloud-hosted services.

For teams seeing these questions for the first time, the penetration test report is essentially supporting evidence for the security answers already being provided in the application.

What makes a pen test report credible to an underwriter

Most underwriters are not reading a penetration test report the way a security engineer would. They are risk assessors trying to answer a simpler question: does this company understand its exposure and take remediation seriously?

That shapes what actually matters in the report.

Third party testing carries more weight than a self-assessment because it gives the underwriter an independent view of the environment rather than an internally generated document. A report produced by the same team that built the system doesn’t give an underwriter much to work with.

The methodology needs to be named. Recognized frameworks like OWASP or scoring systems like CVSS tell the underwriter that the testing followed a structured process rather than an informal scan. The technical depth of every finding isn’t what they’re checking, they want to see that a consistent standard was applied.

Severity classification matters for the same reason. A report that clearly separates critical, high, medium, and low findings is easier to evaluate than a flat list of technical issues with no prioritization attached.

Remediation evidence is where a lot of reports fall short. If critical or high findings were identified, the report should show what was fixed, what remains open, and whether the company formally accepted any remaining risk or put compensating controls in place. An open critical finding with no explanation attached is a problem during review.

Scope clarity is the last piece. If the insurance application covers internet facing applications, customer portals, APIs, or cloud hosted systems, the tested scope should reflect those systems. A report that doesn’t match what’s described in the application raises questions that slow the underwriting process down.

What scope to test to satisfy a typical insurer

One of the more common mistakes is testing too little. The insurance application describes the business as a SaaS platform handling customer data, but the penetration test only covers the marketing website or a single login page. That mismatch tends to come up quickly during underwriting review.

For most businesses, the core application needs to be in scope. That means the primary web application or SaaS product, customer facing APIs, login flows and session handling, password reset functionality, administrative interfaces, and any customer portals.

Authentication and session management deserve particular attention because insurers are focused heavily on account compromise risk. Weak session handling, broken authorization, or exposed admin access raises concern quickly.

If the business stores customer information, payment records, employee data, or other sensitive information, the systems handling that data should be in scope too. That includes databases connected to the application, cloud storage tied to customer records, internal dashboards that expose sensitive data, and data export functionality.

Third party integrations matter where they transmit or process sensitive information. The goal isn’t to test the third-party provider’s infrastructure. It’s to test how your application interacts with those systems and whether sensitive data is exposed through the integration points. Payment processors, CRM integrations, identity providers, and external APIs connected to the application all fall into this category.

Most insurers aren’t expecting a company to test every internal system it owns. They want evidence that the externally exposed parts of the business, particularly the systems handling customer data, have actually been assessed.

How Beagle Security’s reports map to what underwriters ask for

By the time an insurer asks for a penetration test report, they want something structured enough for a risk review, not a raw export of scanner output.

Beagle Security produces audit ready penetration testing reports that align with what underwriters typically ask for. Findings are mapped against OWASP and scored using CVSS, so the severity classification matches the kind of standardized risk language underwriters expect to see. The report includes a defined scope, the testing methodology, findings with severity ratings, and remediation status for each issue.

The remediation tracking is particularly relevant here. Underwriters want to see that identified issues were addressed, not just listed. Beagle Security’s reports document whether findings are open or resolved, which gives the insurer a clear picture of the company’s response to what the test found.

For companies going through annual renewals, Beagle Security supports scheduled testing on a weekly or monthly basis, with a historical record of security improvements over time. That means when renewal comes around, there’s an updated report ready rather than a scramble to commission a new assessment.

Reports can be downloaded in PDF format and submitted directly to insurers or uploaded to compliance automation platforms. The same report also works for SOC 2, ISO 27001, PCI DSS, and HIPAA requirements if those come up alongside the insurance application.

How often do insurers expect penetration testing to be repeated?

For most cyber insurance policies, annual penetration testing is the baseline expectation, particularly for companies running internet-facing applications, SaaS platforms, or systems handling customer data.

During renewal, insurers typically ask when the last test was conducted, whether testing happens on a recurring schedule, whether previous findings were remediated, and whether major systems changed since the last assessment.

Some events trigger a requirement outside the normal renewal cycle. A significant application rewrite, cloud migration, new customer-facing platform, major API changes, or a security incident can all make a prior test report less relevant from the insurer’s perspective. An assessment from eighteen months ago carries less weight if the application architecture changed substantially since then.

It also helps to understand how insurers treat continuous scanning versus a formal penetration test report, because not all of them treat the two the same way. Scheduled scanning shows that the company monitors its environment regularly rather than testing once a year purely for compliance. But many underwriters still separately expect a structured penetration test with defined scope, methodology, findings, and remediation tracking. Regular scanning supports the insurance relationship but doesn’t always substitute for a point-in-time pen test report.

Beagle Security supports scheduled testing on a weekly or monthly basis, which means companies can maintain an updated testing record rather than commissioning a new assessment only when renewal arrives. The historical record of testing activity and remediation status that builds up over time is exactly what makes renewal conversations easier to get through.

Summing up

If a cyber insurance application or renewal is what brought you here, the requirement is straightforward even if it doesn’t feel that way at first. The insurer wants evidence that your internet-facing systems have been tested by a third party, that findings were identified and addressed, and that the process followed a recognized methodology.

Beagle Security runs automated penetration tests against your web applications and APIs, maps findings against OWASP and CVSS, and produces audit-ready reports you can submit directly to your insurer. If you’re working against a renewal deadline, you can start a 14-day free trial without a credit card and have a test running the same day.

If you want to see how the platform works before setting anything up, the interactive demo is a good place to start.

FAQs

How often do insurers expect penetration testing to be performed?

Most insurers expect penetration testing to be conducted at least annually. Additional testing may also be required after major infrastructure changes, new application deployments, cloud migrations, or significant cybersecurity incidents.

How do insurers verify penetration testing claims?

Insurers may request penetration testing reports, executive summaries, remediation documentation, or evidence of testing schedules during underwriting and renewal processes. Some carriers may also require third-party validation from qualified security providers.

Should penetration testing be performed after major system changes?

Yes. Significant application updates, network changes, cloud migrations, mergers, or new technology deployments can introduce new vulnerabilities. Insurers may expect additional testing after major changes to ensure the security posture remains effective.


Written by
Anirudh Madhu K
Anirudh Madhu K
Cyber Security Engineer
Contributor
Adwaith Dilraj
Adwaith Dilraj
Product Marketing Specialist
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 14 days