Penetration Test Reporting

Document vs Client Portal

Every penetration tester knows reporting is the least favorite yet most important function of professional ethical hackers. As Brian King of Black Hills Information Security said it in his 2018 WWHF talk, “Hack for Show, Report for Dough“. The challenge is that not every pen tester agrees on the best form and function of penetration test reports.

Traditionally, reports have been delivered to clients and stakeholders in Word or PDF format. They are nicely formatted and branded. The recipient of the report then transposes the findings from the report into the system they use to track vulnerabilities and remediation.

However, a growing trend among penetration testers has been to do away with document-based reports in favor of a client portal. A client portal enables close collaboration between red and blue teams – commonly referred to as purple teaming. Client portals also integrate into ticketing systems, which eliminates the need to manually copy and paste findings.

Document-Based Reporting

Advocates of document-based reporting often cite the unique value proposition their reports deliver to clients. They’ve labored over the form and function of their document to ensure it not only includes all critical information in the executive summary and findings, but that the information is presented in a manner that is easy to digest. They posit that the white-glove care with which they prepare their reports cannot be emulated in a client portal.

Although document-based reports do demonstrate care, attention to detail, and the magnitude of work done throughout the engagement, they are not without weaknesses. In particular, PDF and Word documents create work for their recipients. Findings must be copied and pasted from the document into a ticketing system for remediation. In many cases, issues found in a penetration test are triaged so only the most critical ones get tracked and remediated. This leaves many of the findings found in a penetration test unaccounted for by the analysts responsible for remediating them.

Client Portal Reporting

Advocates of client portal reporting often cite the above weaknesses of document-based reporting as the impetus to adopt a client portal reporting solution. A robust client portal integrates with the tools organizations use to track vulnerabilities and remediation. It may even serve as that tracking tool, itself. This eliminates the need to copy and paste findings, and ensures no finding is forgotten.

Advocates of client portal reporting also often cite web-based reports as being more secure than document-based reports. Documents may be emailed, printed, or distributed through other mediums that create endpoints through which the data contained in the reports may be intercepted. By contrast, client portals with role-based access controls enforce restricted access to the reports from a limited number of endpoints.

Reporting with PlexTrac

PlexTrac supports both document-based reporting and client portal reporting. Our philosophy is, “Portal when you can, document when you must.” We are not shy about our position in favor of web-based reporting. However, we concede there are times when it is necessary to deliver reports in PDF or Word format.

The PlexTrac platform includes several features that make it an excellent solution as a client portal. Role-based access controls at the tenant and client levels give testers control over who is able to view reports as well as their read/write permissions. PlexTrac’s status tracker allows analysts to collaborate on remediation without ever having to copy and paste findings out of PlexTrac. Finally, PlexTrac’s readout view allows testers to present their findings to clients or stakeholders in a beautiful format that is much easier to navigate than PDF or Word documents.

Similarly, PlexTrac has a powerful templating engine for exporting reports to beautiful, custom-formatted Word documents. Using Jinja2 syntax, testers may programmatically configure the information to include and how to format it throughout the document. Screenshots and code samples may be included at the finding level, as well. Documentation for our templating engine can be found here. Moreover, our sales engineers work closely with organizations to convert their Word templates into PlexTrac format as part of our standard onboarding process.