One page. The honest distance to production, in plain language, before the detail.
Authentication, exposed keys, and data handled without a defensible reason, each rated by severity, not just listed.
What's held, where it lives, and whether it should be. Concurrency and access-control risks called out by name.
What breaks under real load, and roughly when: staging, backups, rollback path, deploy process.
Sector-appropriate: data residency, retention, and processor disclosures where they apply.
Every fix as its own module: acceptance criteria, dependencies, and a fixed price. This is the part you can hand to any developer.
A redacted real report is the honest next step here, once a client agrees to let us share one. Until then, publishing invented findings would be exactly the kind of unverifiable claim we’d fault a competitor for. Email us and we’ll walk you through an anonymised example directly, or point you to the Angkor Now case study for a sense of how we write things up.
Your own report, not a sample, with your own findings and your own module-priced spec.