What Is a Letter of Attestation, and Why Does Your Business Need One?
You are closing a deal with an enterprise client. The procurement team sends over a security questionnaire and buried in the list of requirements is a request for a Letter of Attestation for your penetration test. Maybe you have seen this before. Maybe it is the first time. Either way, you need to know what it is, what it should say and how to get one without holding up the deal.
We’ll break it down in plain terms.
What Is a Letter of Attestation?
A Letter of Attestation (LoA) is a formal document issued by an independent cybersecurity firm confirming that a security control was exercised. Most commonly it attests that a professional penetration test was conducted on your systems. It is written for external audiences: the client reviewing your vendor application, the auditor checking your compliance posture and the insurer evaluating your risk profile.
It confirms that a qualified third party tested your systems, what standards governed that testing and that findings were addressed. The full technical report stays internal. The LoA is what you share externally.
Who Is Asking for This?
- Enterprise clients vetting vendors before signing contracts.
- Healthcare and financial sector partners requiring compliance proof.
- Auditors working under SOC 2, ISO 27001 and similar frameworks that require evidence of independent testing.
- Government contractors and procurement offices.
- Cyber insurers assessing risk before issuing or renewing a policy.
What a Letter of Attestation Includes
If someone is asking you for an LoA for a penetration test, here is what a legitimate one contains. This is also useful to know when evaluating whether what you have already received from a testing firm is complete:
- Attestation Statement: A formal declaration that penetration testing was performed by a qualified third party, including the dates the testing took place.
- Scope of Testing: The scope of what was tested, including systems, applications, and networks covered.
- Methodology: The methodology the testing followed, such as the OWASP Web Security Testing Guide (WSTG), NIST SP 800-115, or PTES. (The OWASP Top 10 is a list of common risk categories, not a testing methodology; a letter that names only the Top 10 is telling you less than it appears to.)
- Finding Summary: Depending on the purpose (for example if requested by an auditor), a high-level summary of findings categorized by severity: Critical, High, Medium, and Low.
- Remediation Confirmation: Confirmation that critical and high findings were remediated prior to issuance, ideally stated as verified by a retest rather than on the basis of your own word that fixes were applied.
- Signature and Firm Credentials: A formal signature from the testing firm, with the firm's name and the date of issuance, establishing accountability for what the letter states.
Why There Is No Letter Grade
A question that comes up frequently is “Why does an LoA not just give a score or a grade?” If a penetration test was performed, why not summarize it as a B+ or an 87 out of 100 and call it a day?
The short answer is that a grade would actually make the document less useful and more dangerous. Here is why.
A Grade Does Not Reflect What Was Actually Tested
Every penetration test is bound by time and agreed-upon scope. A three-day test of one application looks the same on a graded scale as a three-week test of your full infrastructure. The grade removes that context, and without context, it is misleading to anyone reading it.
A Grade Can Create Problems for You
If your LoA shows a B+ and a breach occurs later, that grade becomes a liability. Stakeholders may point to it as evidence that you represented your security as stronger than it was. A penetration test is a point-in-time assessment and framing it as a score implies something closer to a certification, which it is not.
The Industry Measures Risk by Severity, Not Score
Security findings are categorized as Critical, High, Medium or Low based on how exploitable they are and what the business impact would be, typically using a scoring framework such as CVSS that rates those two factors separately. That framework is consistent across assessors: an unauthenticated remote code execution flaw on an internet-facing system is rated Critical by any competent tester, and a finding that needs an existing privileged account to exploit is rated lower. A grade collapses exploitability and impact into a single number and introduces subjectivity where there should not be any.
The LoA and the Technical Report Serve Different Purposes
The LoA is a clean external document. The technical report is the detailed internal record. Putting a grade on the LoA blurs that line and risks surfacing internal details in a document that was never meant to carry them.
Your clients and auditors are not looking for a score. They want confirmation that real testing happened and that problems were fixed. A well-written LoA does that more clearly than any grade could.
When Should You Get One?
Any time a client, auditor, or insurer needs proof that security testing happened, an LoA is what they are asking for. The most common triggers:
- A client or prospect requires security documentation as part of vendor onboarding.
- You are pursuing SOC 2, ISO 27001, or a similar compliance certification.
- A past security incident requires documented proof of remediation.
- Company leadership or the board requires one annually.
How Guard Street Can Help
If a client or partner is asking for a Letter of Attestation and you are not sure where to start, or if you want to make sure your security program is documented in a way that holds up to real scrutiny, Guard Street can help.
Visit www.guardstreet.com/connect to discuss what your business needs and how to get there.