6 elements that every penetration test report must have
Customer pays for the report, not for pentest. Here are the 6 important items that must be present in every penetration test report. Have a read.
Important disclaimer - it is very important that you vet the report template with the customer before you start the engagement. It is important so that they can suggest any changes ahead of the chaos.
So here are the most important elements of a pentest report, in that order,
Introduction
- What is this document
- How to read this report
Executive summary
- you get two types of customers in every engagement. One who implements your recommendation, and another one who pays for the pentest. This summary is for the one who pays. Make it count.
- kill chain/ attack-narrative Infographic, key risks, impact, high level recommendations, potential timelines (if possible).
- Leaders want to know the key risks and the exposure (e.g., potential fine from regulator, reputation risk, risk of non-compliance, etc.).
- with each key risk, link all different vulnerabilities that are part of that risk
- No details, but lot of references to locations (in the current report) where the finding is detailed.
- It will be better if this part of report is printed and hand-delivered to the customer.
Table of Findings
usual suspects to go here (#, ID, title, small description with impact, risk rating, reference to the location in current document)
Detailed Findings
Some ppl include attack narratives here, others add one table per finding, divided by severity/ risk levels. At the minimum, each finding should have the following fields
- finding ID (also see 'table of findings' above).
- severity/ risk
- finding title (should combine vulnerability and impact)
- finding details (should explain vulnerability, impact, and justification for severity/ risk rating)
- remediation
Scope, Methodology
why is this at the end?
- Becoz it doesn’t matter much, at least for the report. It is discussed, agreed upon, and approved much prior to the report. It is kept in report for record purposes and for the first type of customer (refer executive summary).
- Sure, someone may want to check the coverage. However, overall, the most important items for customer are already described above.
Other relevant Annexure
- Output from automated tools like Nessus, nmap, burp suite, sqlmap, etc.
- Criteria for severity/ risk ratings (why a vulnerability/ risk is 'high', 'medium', or 'low', etc.)
Some elements that I have not included here, but are assumed to be present, are: -
- Cover page, logo,
- document title, client name (name, email ID of the point of contact)
- document control (who created/ when, who approved/ when, change tracker)
- vendor contact details
- table of content
Additional Guidance
At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.
Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing. Your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r