6 elements that every penetration test report must have

Customer pays for the report, not for pentest. Here are the 6 important items that must be present in every penetration test report. Have a read.

6 elements that every penetration test report must have
Photo by Annie Spratt / Unsplash

Important disclaimer - it is very important that you vet the report template with the customer before you start the engagement. It is important so that they can suggest any changes ahead of the chaos.

So here are the most important elements of a pentest report, in that order,


    1. What is this document
    2. How to read this report

Executive summary

    1. you get two types of customers in every engagement. One who implements your recommendation, and another one who pays for the pentest. This summary is for the one who pays. Make it count.
    2. kill chain/ attack-narrative Infographic, key risks, impact, high level recommendations, potential timelines (if possible).
    3. Leaders want to know the key risks and the exposure (e.g., potential fine from regulator, reputation risk, risk of non-compliance, etc.).
    4. with each key risk, link all different vulnerabilities that are part of that risk
    5. No details, but lot of references to locations (in the current report) where the finding is detailed.
    6. It will be better if this part of printed and hand-delivered to the customer.

Table of Findings

usual suspects to go here (#, ID, title, small description with impact, risk rating, reference to the location in current document)

Detailed Findings

Some ppl include attack narratives here, others add one table per finding, divided by severity/ risk levels. At the minimum, each finding should have the following fields

    1. finding ID (also see 'table of findings' above).
    2. severity/ risk
    3. finding title (should combine vulnerability and impact)
    4. finding details (should explain vulnerability, impact, and justification for severity/ risk rating)
    5. remediation

Scope, Methodology

why is this at the end?

    1. Becoz it doesn’t matter much, at least for the report. It is discussed, agreed upon, and approved much prior to the report. It is kept in report for record purposes and for the first type of customer (refer executive summary).
    2. Sure, someone may want to check the coverage. However, overall, the most important items for customer are already described above.

Other relevant Annexure

  1. Output from automated tools like Nessus, nmap, burp suite, sqlmap, etc.
  2. Criteria for severity/ risk ratings (why a vulnerability/ risk is 'high', 'medium', or 'low', etc.)

Some elements that I have not included here, but are assumed to be present, are: -

  1. Cover page, logo,
  2. document title, client name (name, email ID of the point of contact)
  3. document control (who created/ when, who approved/ when, change tracker)
  4. vendor contact details
  5. table of content

Additional Guidance

Penetration testing reports: A powerful template and guide
Writing solid penetration testing reports is an important skill. Here’s a ready-to-use penetration testing template and guide inspired by our Academy module.
Penetration Test reports
Curated list of pentest reports from various security companies and individuals. Great content to learn about penetration testing methodologies and techniques.
Your Reporting Matters: How to Improve Pen Test Reporting - Black Hills Information Security
Brian B. King // This is a companion post to BBKing’s “Hack for Show, Report for Dough” report, given at BSides Cleveland in June 2019. The fun part of pentesting is […]
GitHub - juliocesarfort/public-pentesting-reports: A list of public penetration test reports published by several consulting firms and academic security groups.
A list of public penetration test reports published by several consulting firms and academic security groups. - juliocesarfort/public-pentesting-reports

At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.

‎Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing. Your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r