28 findings from the FY24 annual penetration test. CVSS 3.1 base + vector, OWASP / CWE mapping, exploitability rating, our remediation + retest. SLA clock per severity (critical 24h → low 90d).