Rescinded
Here is a short blog post from HackaServer that talks about writing a pentest report.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report-guideline/

They also have an example report of a pentest against Metasploitable.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report/

Jamie, how you gonna do the report engine?

im interested in how that is going to work.

Jamie.r This is something I've been working on for awhile. One of the directions I'm starting to shift more in favor of is using a wiki as the collection point and then populating report with data from the wiki. If you include the ability for team collaboration and a place to upload tool output and then have a way to reference within your reporting engine that has substantial value.

I'd be happy to talk to you about some of the work I've done here if you think it might be helpful. Unfortunately my mechanisms currently are pretty ugly, generate an infopath form, copy and paste into word, customize content and then convert to protected pdf. I know some consultant firms use custom spreadsheets for this and believe it or not get some pretty amazing results out of Excel. I'm moving in a similar direction as you but I think I'm going to implement as a Rails app.

What I'd really love to see here is some good collaboration tools and proper version control for the report. Also need to consider the sensitivity of the data and storage/encryption needs and how you plan to purge or dispose of the data once no longer needed.

Also, if you have not looked at http://dradisframework.org/demo.html already I highly suggest you check it out. It may already meet most of your needs.

Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix, far too much copy and paste here for my liking. I'll try to take the time to followup on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.

I didn't mean to lead anyone astray. This one from Offensive Security may be a better example:

http://www.offensive-security.com/penetration-testing-sample-report.pdf

also this paper from SANS on writing a report:

http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343

thanx great resources but u can write ur pentest report in issaf standards

Pimping my own blog at http://sentinel24.com/blog/ where I just made a post on this topic. Plan on doing some more here as I am developing a separate wiki on pentest business issues (including scoping, reporting, insurance, customer relationships, quality management, etc)

And jamie.R - yes it's the hardest and the most important. I've always heard that the report should take more time than the test itself. It's not just gathering data and writing a report, what the customer is really paying you for is analysis and interpretation of that data. As I've heard @mmurray say, they are paying you for your wisdom. (sorry if I butchered your quote Mike!  )

In Offensive Security they didnt write any info about servers like ip or port scanning result but i always did that in my reports is it wrong?