We talked to security teams at dozens of mid-market SaaS companies recently. The pattern kept surfacing: engineers who found and fixed the vulnerabilities were the same people writing the remediation documentation—often until 2am, often during the same two-week window when auditors wanted responses.
One Reddit user described it plainly: “We got our pen test back and it’s 47 pages of vulnerabilities. My team is 3 engineers. We have no idea what to prioritize and our auditor wants responses within 2 weeks. I’ve been writing remediation plans until 2am every night this week.”
This isn’t a skills gap. The engineers know exactly what’s wrong and exactly how to fix it. The problem is documentation. Auditors who weren’t present during the pen test need structured narratives: compensating control explanations, remediation timelines, status update templates. A security engineer fixing a critical SQL injection vulnerability is not the right person to also write a five-paragraph explanation for a compliance reviewer.
The Numbers Don’t Lie
The market reflects the problem. Job postings for Security Compliance Analysts—roles whose primary function is writing pen test remediation documentation—routinely list $95,000 to $120,000 salaries. Companies are paying six figures for a job that, at its core, is converting a technical pen test report into auditor language.
Meanwhile, pen test consultancies charge $15,000 or more for consultant-written remediation plans. For companies undergoing annual pen tests for SOC2, ISO 27001, or customer security reviews, that’s a recurring cost with no leverage.
What’s Changed
Two regulatory shifts are accelerating the problem. The EU AI Act and updated SEC cybersecurity disclosure rules are driving a 40% year-over-year increase in mandatory pen test requirements for mid-market SaaS. More companies need more documentation, more often, for more auditors. The documentation bottleneck didn’t exist at this scale two years ago.
At the same time, LLMs have matured enough to solve it. A model can ingest a 50-page pen test PDF, extract CVSS scores, cross-reference findings against MITRE ATT&CK, and output a structured remediation plan in minutes, the same plan that takes an engineer the better part of a week to write.
We’re Not Replacing Security Judgment
We built PenTestResponse AI because we lived this problem ourselves. We know the difference between fixing a vulnerability and documenting it for an auditor who wasn’t there. Our tool handles the documentation. Engineers handle the security.
If that split makes sense for your team, we’d rather show you a sample report than give you another slide deck. Reach out and we’ll walk through your actual pen test data—no fictional demo environments, no staged screenshots.