Don’t Ask. Don’t Tell - Why Experienced SaaS Providers Don’t Share Penetration Test Reports
- monique7472
- 34 minutes ago
- 3 min read

Occasionally, a prospective customer insists they “need” a SaaS provider’s full penetration-testing report. When told it isn’t available, they may push harder – sometimes implying that refusal signals a lack of transparency.
In reality, asking for (or pressuring a vendor to hand over) a detailed penetration-test report is a strong indicator that the requestor is unfamiliar with modern SaaS security, multi-tenant architecture, and modern compliance frameworks. Skilled evaluators know that reputable providers cannot and should not disclose these artifacts – and that doing so would actively harm the security of every customer.
Here's why.
1. A Penetration Test Report Isn’t a Trust Badge - It’s an Attack Manual
A full penetration test report contains exploit chains, internal diagrams, escalation paths, and detailed remediation notes. Inside any mature SaaS provider, access to this material is strictly limited for a reason: in the wrong hands, it’s a roadmap for compromising the platform. Demanding the full report is like asking a bank to hand over the vault blueprints to “prove” the locks work. It signals a misunderstanding of the document’s purpose and the risk of distributing it.
2. Multi-Tenant Means You’re Not the Only Customer Affected
Penetration tests inevitably touch shared components used by thousands of clients, and releasing the full report can expose internal administrative and security tooling, shared infrastructure, operational processes, and even other customers’ configurations. No responsible provider will violate confidentiality or jeopardize its entire customer base to satisfy a misinformed customer request.
3. Raw Test Artifacts Require Context That Requesters Don’t Have
Penetration-test reports are written for internal engineers, not compliance reviewers, procurement teams, or executives. They include partially validated findings, unexploited vectors, and raw tool output that can appear alarming without deep technical and contextual understanding. To experienced technical insiders, this is expected. To inexperienced or partially informed customers, it can look like a crisis. Instead of improving assurance, raw reports routinely create misunderstanding and unnecessary concern. Curated summaries give accurate, useful insight without the noise.
4. Broad Distribution Creates Compliance and Legal Exposure
Sharing full penetration-test reports isn’t just unwise – it often conflicts with the provider’s obligations. Broad release can:
- Violate SOC 2, ISO 27001, PCI DSS, FedRAMP and other frameworks that strongly discourage distributing raw testing artifacts.
- Breach legal and contractual obligations to other customers.
- Transfer custody of an extremely sensitive document to a requestor who may not be equipped to protect it.
- Create discoverable material for future litigation.
This is why AWS, Microsoft, Google, Salesforce, ServiceNow, and other major cloud and SaaS providers use summaries and attestations – not full reports. Insisting otherwise signals unfamiliarity with industry norms, not diligence.
5. Experienced Customers Ask for the Right Things
Security-mature customers evaluate providers using established assurance artifacts, including:
- High-level pen-test summary or attestation
- SOC 2 Type II report summary (under NDA)
- ISO 27001 certificate
- Security questionnaire responses
- Vulnerability management and remediation cadence
- Continuous monitoring and red-team program details
These provide meaningful assurance without compromising sensitive internal details.
The Bottom Line
When a customer demands a full penetration-testing report – or escalates the request when the provider declines – it typically reflects a lack of familiarity with how SaaS security and compliance actually work. A responsible provider will not put its platform or customers at risk. Instead, it will offer standard, accepted assurance materials used across the SaaS industry.
Experienced security teams know not to ask.
Experienced SaaS vendors know not to share.