- What was tested (IP ranges, applications, domains)
- What was not tested (explicit exclusions)
- Testing approach (black/gray/white box)
- Methodology followed (PTES, OWASP, etc.)
- Testing dates and duration
- Tools used (high-level)
- Limitations and caveats