5 Tips for Writing Better Cybersecurity Reports
Maximize Your Pentest’s ROI with Better Written Communication
You crafted an irresistible spear phishing email, which provided initial access to an unprivileged account. You rapidly gained persistence on your beachhead host, then escalated privileges through application shimming. You fired up a little Kerberoasting and grabbed the creds you needed to move laterally, picking your way through the network until you landed on the crown jewels. You dropped a calling card, erased your tracks, and then popped a cold beverage. An easy day’s work, time to get paid … but the most important part is still ahead of you.
Hacking is a blast, but many (okay, most) pentesters loathe writing the report. Like it or not, though, the report is why you were hired. It is the single document upon which you will be judged by your clients and, indirectly, by your future clients. Your ability to author an effective report is just as important as your hacking skillz when it comes to your bottom line. Yet few pentesters spend even a fraction of the time on their report-writing skills that they spend learning and practicing new tactics.
At PlexTrac, we know a thing or two about reporting, both from experience in our roles as practitioners and from the extensive work we’ve done building report templates with our customers. As a part of that work, we’ve seen a lot of great report formats, and we’ve also had the opportunity to provide recommendations to customers on areas for improvement.
Based on that knowledge and expertise, we’ve put together five principles that go into creating great cybersecurity reports. If you like what you see here, check out our full white paper Writing a Killer Penetration Test Report.
Understanding the General Tenets of Cybersecurity Report Writing
It’s best to plan your report strategy before you ever start writing. Thinking in advance about the purpose, context, and audience of the penetration test results and the report you will write about them will save you time and energy later.
1. Educate Your Audience
Your client isn’t paying you to show off your l33tness — they are paying you to use your skills to identify risks and vulnerabilities. But as important as vulnerability identification is, your true value proposition is your ability to educate your clients. They not only need to know how to fix the issues you discovered, but also how to prevent them from popping up in the future. Furthermore, your client isn’t a person — it is an organization with many stakeholders of various degrees of technical competency. Your challenge (and duty) is to effectively educate all stakeholders at their level. And since you are only going to deliver one report, you need to communicate at multiple levels of technical competency within the same document.
2. Document Your Methodologies
You may have breezed through your OSCP with time to make a pitcher of margaritas, but professional testing is about process — not wizardry. Though penetration testing is a relatively new discipline, the collective wisdom of the community has coalesced around standardized methodologies for performing testing. These methodologies help testers perform a comprehensive analysis of the environment instead of simply walking through the first open door they find.
There are numerous penetration testing methodologies available (search “penetration testing methodologies” at https://www.owasp.org/index; well-known examples include the Penetration Testing Execution Standard (PTES), the OWASP Web Security Testing Guide, and NIST SP 800-115), and some are surely more appropriate than others for your clients based on their industry vertical, regulatory requirements, maturity, etc. Documentation of your chosen methodology should include not only which methodology you followed, but why it was the appropriate framework for this particular test.
Your methodology should not exist as a lonely paragraph isolated in the executive summary; it should be woven through your report. Each finding should have a direct and documented link to the methodology. This provides validation of the significance of the finding and reinforces the perception that you performed a methodical investigation.
3. Define and Respect the Scope
We live in the era of disappearing perimeters, fueled by the rapid adoption of EaaS (Everything-as-a-Service) in the cloud. You almost certainly were not hired to “boil the ocean,” or examine every aspect of every information system that your client uses. Thus your statement of work (SOW) should meticulously define which systems, applications, or third-party services are in scope, as well as anything that is specifically off-limits. However, the SOW will be seen or read by far fewer people than the report, so it is vital for your report to reiterate the scope.
Each of your findings should directly point to an affected asset or location that is included within the scope. You may very well discover areas of concern outside of your scope, but resist the temptation to shoehorn these findings into the main report. As a professional courtesy, you may consider including out-of-scope discoveries in a clearly marked appendix or as a separate communication.
4. Guard Your Credibility
It is your responsibility to highlight gaps in your client’s defenses. There may be many reasons why a gap exists, but it is inevitable that at some point a stakeholder will become defensive about a finding. This defensive reaction often includes an attempt to discount the validity of your work. If they are successful in raising doubt about a single finding, the credibility of your entire project is at risk.
You can mitigate the potential for this situation through meticulous documentation of your efforts and findings. It is not enough to simply throw artifacts into a report; those artifacts must be given the context necessary to support the narrative of your finding: the exact request, command, or payload used, the affected host, the time it was observed, and the response that demonstrates the weakness, so that the client can reproduce it. Any assertion of a vulnerability should be backed by reference to industry-recognized standards such as Common Weakness Enumeration (CWE) entries or Common Vulnerabilities and Exposures (CVE) identifiers.
You can further enhance the credibility of a finding by searching out and acknowledging any mitigating controls that are already in place. In doing so, you elevate yourself from someone who simply catalogs vulnerabilities to a professional who helps the client identify true risk. And you take away an easy line of argument from any potentially defensive stakeholders.
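Tips 2 through 4 boil down to checks that can be run over a findings list before delivery: every finding maps to a methodology step, sits on an in-scope asset (with out-of-scope discoveries diverted to an appendix), and cites a well-formed CWE or CVE identifier. The script below is an added example of such a pre-delivery check, not code from the original post or from PlexTrac; the scope ranges, hostnames, and findings it contains are constructed for illustration, and the `Finding`/`Scope` shapes are assumptions rather than any product’s data model.

```python
"""Added example: validate a pentest findings list against the SOW scope and
reference standards before it goes into the report. Sample data is constructed;
this is not PlexTrac code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Sequence

# Identifier formats published by MITRE for CWE entries and CVE records.
CWE_RE = re.compile(r"^CWE-\d+$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str                  # IP address or hostname the finding is tied to
    references: Sequence[str]   # CWE/CVE identifiers backing the assertion
    methodology_step: str       # methodology section that produced it ("" if none)


def _as_ip(value: str):
    """Return an ip_address for value, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


class Scope:
    """In-scope networks and domains from the SOW, plus explicit exclusions."""

    def __init__(self, networks, domains, excluded=()):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.domains = [d.lower().strip(".") for d in domains]
        self.excluded_nets, self.excluded_hosts = [], set()
        for item in excluded:
            try:
                self.excluded_nets.append(ipaddress.ip_network(item, strict=False))
            except ValueError:          # not an IP/CIDR, so treat it as a hostname
                self.excluded_hosts.add(item.lower().strip("."))

    def contains(self, asset: str) -> bool:
        """True if asset is in scope and not carved out by an exclusion."""
        ip = _as_ip(asset)
        if ip is not None:
            if any(ip in net for net in self.excluded_nets):
                return False
            return any(ip in net for net in self.networks)
        host = asset.lower().strip(".")
        if host in self.excluded_hosts:
            return False
        # Exact match or subdomain: "app.example.com" is in "example.com",
        # but "notexample.com" is not.
        return any(host == d or host.endswith("." + d) for d in self.domains)


def triage(findings, scope):
    """Split findings into the main report and an out-of-scope appendix, and
    list the documentation gaps that would let a stakeholder discount a finding."""
    report, appendix, issues = [], [], []
    for f in findings:
        if not scope.contains(f.asset):
            appendix.append(f)  # professional courtesy only; never in the main body
            continue
        report.append(f)
        if not f.references:
            issues.append((f.title, "no CWE/CVE reference"))
        else:
            bad = [r for r in f.references if not (CWE_RE.match(r) or CVE_RE.match(r))]
            if bad:
                issues.append((f.title, "malformed reference(s): " + ", ".join(bad)))
        if not f.methodology_step:
            issues.append((f.title, "not linked to a methodology step"))
    return report, appendix, issues


# Constructed sample engagement: hypothetical ranges, hosts, and findings.
SCOPE = Scope(
    networks=["10.20.0.0/16"],
    domains=["example.com"],
    excluded=["10.20.99.0/24", "hr.example.com"],  # carved out in the SOW
)

FINDINGS = [
    Finding("Kerberoastable service account with weak password", "10.20.5.14",
            ("CWE-521",), "4.2 Credential Access"),
    Finding("Log4Shell in customer portal", "app.example.com",
            ("CVE-2021-44228", "CWE-917"), "3.1 Web Application Testing"),
    Finding("Verbose stack traces on login page", "app.example.com",
            ("CWE 209",), ""),  # malformed reference and no methodology link
    Finding("Default credentials on print server", "10.20.99.7",
            ("CWE-1392",), "2.4 Service Enumeration"),
    Finding("Directory listing enabled", "hr.example.com",
            ("CWE-548",), "3.1 Web Application Testing"),
    Finding("Anonymous SMB share", "192.168.1.5",
            ("CWE-284",), "2.4 Service Enumeration"),
]


def run_example():
    """Run the triage over the constructed engagement data."""
    return triage(FINDINGS, SCOPE)


if __name__ == "__main__":
    report, appendix, issues = run_example()
    print("Main report:", [f.title for f in report])
    print("Appendix (out of scope):", [f.asset for f in appendix])
    for title, problem in issues:
        print(f"FIX BEFORE DELIVERY: {title}: {problem}")
```

Running it sends the findings on the excluded subnet, the excluded HR host, and the unrelated 192.168.1.5 address to the appendix, and flags the stack-trace finding twice: once for the malformed “CWE 209” reference and once for the missing methodology link. Exclusions are checked before inclusions on purpose, so a host that the SOW carves out of an otherwise in-scope range never lands in the main report.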
5. Remain Objective and Courteous at All Times
Your report should always stick to the objective facts of what you found, avoiding any judgment of the people or processes that support the environment. Professionals build people up, not tear them down. You may be calling someone’s baby ugly, but if you do it tactfully and respectfully, most clients will appreciate the work that you do and seek your counsel on how to do better moving forward. Exercising tact and respect is how you build positive relationships that will not only improve your clients’ security posture, but will also likely land you additional contracts in the future.
To take it a step further, don’t be afraid to give kudos to your client where they are due. Existing controls that frustrate your efforts are a good thing. Acknowledging the effectiveness of controls does not diminish your value as a tester — rather it reinforces behaviors that you want your clients to continue. If that expensive next-generation firewall (NGFW) thwarted an attack vector, the client should be aware so that they see the return on investment (ROI). A pentest is not a capture-the-flag contest; your role is to provide an assessment of the effectiveness of the clients’ defenses. You won’t make your client angry by giving them a thumbs-up where they are doing well.
Maximizing Your Cybersecurity Report ROI
None of what we just described is easy; it requires planning and thoughtful execution, probably more than most testers really want to invest in the part of the work that isn’t actually testing. But creating quality, actionable reports will reap dividends in happy clients and a better security posture.
Fortunately you’ve got an ally in making cybersecurity reporting more effective and efficient. PlexTrac was built by pentesters to ease the pains we all feel when the fun part is done and the report must be written, delivered, and tracked. We don’t claim to make the process easy — you still need to provide the analytical brainpower. But let PlexTrac help reduce the time spent on the mindless and tedious report writing tasks. We all deserve tools that empower us to focus on our skills and remove barriers for ultimate efficiency.
Read the full white paper Writing a Killer Penetration Test Report to get more tips on quality reporting and a template of key parts to include to ensure your clients and your business are gleaning the maximum ROI on your pentesting efforts.