The short answer
A proof of concept (PoC) shows that a vulnerability is exploitable in principle — usually a snippet, a crafted request or a demo against a test build. A proof of exploit (PoE) shows that the vulnerability was actually triggered on the live target under controlled, authorized conditions, with captured evidence of real impact.
Put simply: a PoC argues "this is possible." A PoE demonstrates "this happened, here is the proof."
Side by side
| | Proof of concept | Proof of exploit |
|---|---|---|
| Claim | Could be exploited | Was exploited |
| Target | Often a test build, or purely theoretical | The live, running application |
| Evidence | A demonstration that it is plausible | Request/response + observed effect |
| Reachability | Assumed | Confirmed |
| Typical use | Research, CVE write-ups | Pentest reports, remediation |
| Removes doubt? | Partly | Yes — it already fired |
Why the distinction matters
A proof of concept is valuable for research and disclosure — it is how the world learns a class of bug exists. But handed to a developer, a PoC still leaves the hardest question open: is this real in my app, right now? Maybe the vulnerable path is unreachable. Maybe input is sanitized two layers up. Maybe the demo only works on an old version.
A proof of exploit closes that question. Because the exploit was run against the actual target and the effect was recorded, there is nothing left to argue about — only a fix to write. That is why a proof-of-exploit approach is what turns a backlog of "possible" findings into a short list of confirmed ones, and why it cuts the false-positive noise that buries real bugs.
From PoC to PoE
Turning a proof of concept into a proof of exploit means running it against the real, running target in a controlled environment and capturing three things: the exact input sent, the response received, and the observable effect — JavaScript executing, a file read, data returned. That recording is the proof of exploit.
Frequently asked questions
What is the difference between proof of concept and proof of exploit?
A proof of concept demonstrates a vulnerability could be exploited in principle. A proof of exploit demonstrates it was exploited against the live target under controlled conditions, with captured evidence of real impact.
Is a proof of concept enough for a vulnerability report?
For research or a CVE submission, often yes. For remediation, a proof of exploit is far stronger because it removes any doubt about whether the issue is actually reachable and exploitable in your environment.
How do you turn a proof of concept into a proof of exploit?
Run it against the real, running target in a controlled environment and capture the evidence — the input sent, the response received, and the observable effect.
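The capture step described under "From PoC to PoE" and in the answer above can be enforced when findings are triaged. The following Python sketch is an added example, not code from the original page: it treats a finding as a proof of exploit only if it ran against the live target and all three evidence items are recorded, and it hashes the record so later edits are detectable. The field names, the `target` values and the sample backlog are assumptions of this example.

```python
import hashlib
import json

# The three things the page says a proof of exploit must capture.
REQUIRED_EVIDENCE = ("input_sent", "response_received", "observed_effect")

def gaps(finding):
    """List what still separates a finding from a proof of exploit."""
    missing = [k for k in REQUIRED_EVIDENCE if not str(finding.get(k, "")).strip()]
    if finding.get("target") != "live":
        missing.append("run against live target")
    return missing

def classify(finding):
    """PoE only when it ran on the live target and all three items were captured."""
    return "PoC" if gaps(finding) else "PoE"

def evidence_digest(finding):
    """SHA-256 over canonical JSON, so later edits to the recording are detectable."""
    canonical = json.dumps(finding, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def triage(findings):
    """Split a backlog into confirmed (PoE) and still-unconfirmed (PoC) findings."""
    confirmed, unconfirmed = [], []
    for f in findings:
        if classify(f) == "PoE":
            confirmed.append((f["title"], evidence_digest(f)))
        else:
            unconfirmed.append((f["title"], gaps(f)))
    return confirmed, unconfirmed

# Constructed sample backlog; titles, field names and values are illustrative.
SAMPLE = [
    {"title": "Reflected XSS in search", "target": "live",
     "input_sent": "<recorded request>", "response_received": "<recorded response>",
     "observed_effect": "JavaScript executing"},
    {"title": "Path traversal in export", "target": "test",
     "input_sent": "<recorded request>", "response_received": "<recorded response>",
     "observed_effect": "a file read"},
    {"title": "SQL injection in login", "target": "live",
     "input_sent": "<recorded request>"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Only the first sample finding is confirmed; the other two stay in the PoC column with the reason they fall short.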