Penetration Testing Report Example: A Blueprint for Success
Time-tested Guidelines on How to Build a Penetration Test Report
By Nick Popovich, PlexTrac Hacker in Residence

The penetration test report. So necessary, and yet for the majority of those who write them, so darn tedious. We’re guessing that most of the penetration testers, hackers, and other security whizzes reading this probably didn’t get into the industry for all of the admin work. No, you joined because you enjoy the thrill of the vulnerability hunt, the cloak-and-dagger nature of a phishing campaign, the race to escalate privileges, and the challenge of doing all this without leaving a trace.

We feel your pain. Most of us here at PlexTrac have, in the past, groaned at the thought of putting yet another pentesting report together. Fortunately, we’ve become experts in making the pentesting report as painless as possible, both for you and your clients. And as we’ve worked to make our platform the best tool for pentesting reporting, management, and collaboration — and helped our clients refine their own reporting templates — we’ve realized that the most effective and helpful pentesting reports have a few things in common.

The 5 Building Blocks of a Great Pentest Report

As the old saying goes: there’s pentest reports, and then there’s pentest reports. (Okay, we made up that saying, but stick with us.)

So, you’ve finished the pentest — explored every asset, pushed every boundary, discovered every weakness within the Statement of Work (SOW). You have a stack of documentation a mile high and plenty of suggestions for your client. Now, all you have to do is write the pentest report, and not just any report, but the best one possible. Where do you start?

Step 1: Cover Page, Table of Contents, and Executive Summary

This is your chance to make a great first impression and to set the tone for the entire report.
You’ll likely have a large number of people reading parts of this report, but these first sections will likely be read by everyone, from the C-suite bosses to the guy printing out the copies. Because you have a wide range of readers here, you need to keep this section (and especially the Executive Summary) brief, clear, and as jargon-free as possible, focusing on the most important items and high-level takeaways. Summarize the engagement and the SOW, state the objectives of the test, list the most crucial findings and their significance/risk level, and tell the client what they can do to improve their security posture.

Step 2: Pentest Breakdown

Here’s where you start to show how awesome your pentesting skills are, showing off your brilliant tactics, sweet tools, and unshakable determination to do the job right. Tempting as it may be to include every little detail of every step, you need to hold back a bit here. Just like in the Executive Summary, you’re writing for a mixed audience, so we need to keep these next sections clear and straightforward. (Don’t worry, you’ll get your chance to really show off later.)

Scope and Methodology

This section lets you show that you are a team player. In the Scope summary, explain how you followed the rules of engagement laid out in the SOW, stuck to the budget, and avoided the assets your client didn’t want to be touched. Describe the resources (hours, tools, personnel, etc.) that you needed for the different steps of the engagement. This will remind the client what they asked for, and start to reveal all of the work that you did for them.

The Methodology section lays out your pentest’s plan of attack, giving you a chance to show your expertise; you can briefly explain why you chose a particular assessment method and display your understanding of your client’s industry standards for pentesting.
Threat Model

The Threat Model section lets you describe the dangers your client faces, and explain why they would be targeted for a cyberattack. By creating a threat profile, you can describe the methods and tools an aggressor would use against the client’s defenses, and thus justify the decisions you laid out in the Methodology section. The Threat Model section gives you a great opportunity to educate the less security-savvy clients, explaining to them why their data is attractive to bad actors, what the real-world risks are, and why they should take cybersecurity (and your report) seriously.

Attack Narrative

You’ve been itching to tell everyone just how clever you were, and here’s where you can indulge a bit. A well-written Attack Narrative tells the whole story of the actual pentest, and gives you the chance to get a bit more technical (though not too much — save the tech-heavy details for the Detailed Findings subsection and the appendices). To keep things clear, let your narrative follow a logical path: keep things chronological, explain why you took each step and how it was achieved, note when you succeeded and where you failed, and where and how you were able to escalate the attack. The Attack Narrative is the place to include your screenshot evidence and use visuals to help tell the story.

Step 3: Pentest Findings

Finally, the chance to display the fruits of your labors: all of the weaknesses, cracks, and blatantly open doors that you discovered during the attack. This will likely scare the pants off of your client, so let’s craft this section with care.

Summary of Findings

This is another section where you need to remember your audience; the Summary of Findings is the one section that everyone will most likely read, curious about just how many risks they face. So, keep it simple and organized. List out your findings clearly — give them an identifying number, a name, and a severity ranking.
That’s all that the C-suite needs to start giving orders and all that the security team needs to start setting up a remediation plan.

Detailed Findings

At this point in the report writing process, you might be ready to just dump all of your findings in a heap and let the security team sort it all out. Resist the urge. Trust us, the Detailed Findings section of many pentesting reports can be a nightmare to get through, and taking just a few extra minutes to create a helpful template for each finding can make a world of difference to your client.

First, start with the list format from the Summary of Findings: ID number, descriptive name, and risk ranking(s). For each finding, include a concise description of what you uncovered, the affected assets, recommended action for remediation, and references for helpful methods and resources. Give plenty of info, but only the really relevant stuff — don’t snow the security team under with heaps of redundant screenshots and unnecessary detail.

And make sure that these detailed findings are in a copy-friendly format, for Pete’s sake. Have you tried copying text out of an MS Word table or an Excel cell? It’s impossible to get it right the first time (or even the second). The security team will need to copy most of the text for each finding when setting up remediation plans, so keep that text as just plain text and earn the team’s undying gratitude.

Step 4: Conclusions and Future Recommendations

After sharing all of the details of that rollercoaster of a pentest, this section gives you the chance to slow the pace a little, write a concise wrap-up summarizing everything that you just wrote, and give your final thoughts about your client’s security posture. The Future Recommendations subsection lets you cover additional useful items.
Maybe you noticed some weaknesses in assets that were outside your pentest’s SOW, but you know your client would want to know, or you can mention upcoming regulatory changes to cybersecurity standards in your client’s industry. This is your final chance to show off your skills, your expertise, and your services, so take advantage of it.

Step 5: Appendices

Finally! You’ve reached the section where you can unload all of those impressive findings, screenshots, proofs, and miscellanea that prove just how much hard work you put into the pentest. This is where the security experts hang out and admire your handiwork. However, don’t just leave your findings in a messy heap for others to sort through. Organize the data however you think would be most logical: by pentesting stage, by finding ID number, by asset, etc. And make sure that what you include here is still of value. Technical readers will want to know more about you and your team, your methods, your findings, your risk calculations, and other relevant details. Feel free to give plenty of information, but don’t waste your readers’ time.

What Else Can You Do with a Pentest Report?

You may be tempted to write off the penetration test report as simply that: a report of what you did and a list of what your client needs to do next. But if you take the time to see the opportunities, and are willing to put in a bit more effort, a pentest report can do so much more than simply report.

Market Your Brand

Your pentest report is an extension of you and your company. The quality of your services and skills is mirrored by the report, and anyone who lays eyes on your pentest report will judge you accordingly. Even if you can boast killer skills, how can you show them off if you’re giving your clients an oversized report full of unfiltered findings, poor formatting, drab design elements, and cluttered tables?
Seize this easy opportunity to impress by creating an attractive, flexible reporting template that you can use over and over again. Set font and color templates, give your logo a place to shine, and format your findings in a way that makes it easy for your client to see just how much skill and effort went into making the pentest possible. By doing this, clients will start associating your logo, your name, and the pleasurable reading experience directly with your work.

Build Trust

There are plenty of ways to build trust with a written document, and, with the wide range that a pentest report covers, you’ve got plenty of opportunity. You can build trust by proving the quality of your work, of course. Clearly and simply showing what you accomplished, and how your findings can help, is one obvious step. But you can also show your trustworthiness by demonstrating how you stayed within the parameters of the Statement of Work, by noting and complimenting the effectiveness of the client’s pre-existing safeguards, and by describing what steps you took to give them the biggest bang for their testing budget buck.

Even the tone of your writing can build trust. Try winning over a new client while being smug about all of the vulnerabilities you uncovered, or trashing their security methods, or showing off by including every last detail of every little exploit and snowing them under a ream of printed results. Not too easy, is it? Make sure that your tone throughout the report is clear, helpful, complimentary, and calm, and you’ll make a lasting positive impression.

Prove You’ll Go the Extra Mile

After crafting a long report, you may be tempted to just list off the three dozen remediation points at the end, hand it off to the client, and wash your hands of it until the next pentesting round. But by doing so, you’ve left your clients overwhelmed, confused, and discouraged. Remember that your client likely needs extra guidance here.
Prioritize the remediation points by severity and scope, and keep it simple — when suggesting where they should start, keep in mind your client’s time, resources, and technical skill. Include brief but useful instructions, resources, and images to guide their remediation team along the best path.

How to Craft a Superior Pentesting Report

Hopefully we’ve given you some helpful ideas for improving your reporting methods. With these tips, you can create a pentesting report that not only shows your work in a great light, but provides another positive connection between you and your client, and hopefully facilitates a long-term business relationship.

If you’re eager to find some tools that will streamline the reporting process, PlexTrac can help. We offer a platform that lets you create and format reporting templates with ease, facilitates communication between you and the client, and organizes every step of the pentesting and remediation processes. Request a free demo today, and let us show you how to make pentest reporting (and other cybersecurity operations) better and easier than you can imagine.

Nick Popovich
PlexTrac Hacker in Residence

Nick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. His career has focused on adversarial threat simulation, offensive and defensive security, and advanced technical security assessments. Nick’s mission is to help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.
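The per-finding template from Step 3 (ID, name, severity, description, affected assets, remediation, references), the plain-text copy-friendly output it calls for, and the severity-and-scope prioritization from the remediation guidance above, worked through as a small report generator. This is an added example, not PlexTrac's code or any part of the original post; the severity scale, the Finding class and the sample findings (with hypothetical hosts) are all constructed for illustration.

```python
from dataclasses import dataclass, field
# Severity scale used to order findings (constructed; use the scale agreed in your SOW).
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

@dataclass
class Finding:
    """One finding in the article's format: ID, name, severity, description, assets, remediation, references."""
    id: str
    name: str
    severity: str
    description: str
    affected_assets: list[str]
    remediation: str
    references: list[str] = field(default_factory=list)

    def validate(self) -> None:
        # Reject incomplete findings before they reach the client.
        if self.severity not in SEVERITY_ORDER:
            raise ValueError(f"{self.id}: unknown severity {self.severity!r}")
        if not self.description.strip() or not self.remediation.strip():
            raise ValueError(f"{self.id}: description and remediation are required")
        if not self.affected_assets:
            raise ValueError(f"{self.id}: no affected assets listed")

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order by severity, then by scope (more affected assets first), then by ID."""
    for f in findings:
        f.validate()
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], -len(f.affected_assets), f.id))

def summary_of_findings(findings: list[Finding]) -> str:
    """The short list everyone reads: ID, name, severity."""
    return "\n".join(f"{f.id}  {f.name}  [{f.severity}]" for f in prioritize(findings))

def detailed_findings(findings: list[Finding]) -> str:
    """Plain-text blocks (no tables) that copy cleanly into a remediation tracker."""
    blocks = []
    for f in prioritize(findings):
        lines = [f"{f.id}: {f.name} [{f.severity}]", f"Description: {f.description}",
                 "Affected assets: " + ", ".join(f.affected_assets), f"Remediation: {f.remediation}"]
        if f.references:
            lines.append("References: " + ", ".join(f.references))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)

# Constructed sample findings (hypothetical hosts, not from any real engagement).
SAMPLE = [
    Finding("F-003", "Outdated TLS configuration", "Medium", "TLS 1.0 accepted.", ["web-01.example.test"], "Disable TLS 1.0 and 1.1.", ["NIST SP 800-52r2"]),
    Finding("F-001", "Default credentials on admin console", "High", "Vendor default password accepted.", ["mgmt-02.example.test", "mgmt-03.example.test"], "Change default credentials and enforce MFA."),
    Finding("F-002", "Verbose server banner", "Low", "Version string disclosed.", ["web-01.example.test"], "Suppress the version in the server header."),
]
```

Calling `summary_of_findings(SAMPLE)` and `detailed_findings(SAMPLE)` yields the two sections in the order the client should work through them, and a finding missing a severity, description, remediation or asset list is rejected before it can ship.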