The penetration test report archive contains the full reports from each annual penetration test, including findings, CVSS scores, affected AISDP modules, recommended remediations, remediation records, and re-testing verification. The archive also contains the engagement briefs specifying the testing scope, the threat model entries to exercise, and the OWASP LLM Top 10 categories to cover.
For DORA-scoped entities, the archive includes threat-led penetration testing (TLPT) reports alongside standard penetration test reports. TLPT reports shared with the financial supervisor are structured to serve both DORA and AI Act purposes.
The archive enables the organisation to demonstrate a continuous programme of security testing, not isolated annual exercises. Each report references the previous report’s open findings, showing the remediation trajectory. The archive is retained for the ten-year period with immutable timestamps and integrity hashes.
Key outputs
- Annual penetration test report archive
- TLPT reports where applicable
- Remediation trajectory across successive tests
- Module 9 AISDP evidence