Your Report is NOT Your Secret Sauce
A recipe for creating better pentest documentation without the pain
What’s Really in That Secret Sauce?
Where we are today
Let’s face it. Manually building pentest reports is time consuming, and most pentesters are not technical writers. You’d rather be hacking, right? What we’ve found is that, when building reports, most pentesters are creating something that they understand. But reports that make sense to the author don’t automatically make sense for the end user.
This is especially true when pentesters don’t have clear direction on what to include, how to format, etc. The result? These reports often lack actionability — severity, CVSS, likelihood, impact, general risk, etc. — which is less than ideal for the end user.
Time constraints also play a role in reporting. It’s not uncommon for a pentester to create one report for both leadership and technical remediators to streamline the process. Unfortunately, when combining audiences, the context may not make sense for one of the groups.
The Not-so-Secret Ingredients for Success
What we see that works
There are some steps you can take to create an easy-to-comprehend and highly actionable report for your stakeholders that won’t cost you extra time in your day.
- Straightforward document structure: The top of your document should be largely conceptual. As you move to the end of the document, you can add technical elements.
- Simple and intuitive prioritization of risk: Your stakeholders need to be able to look at the report and know exactly what actions need to happen and in what order. It’s vital that you are very prescriptive with priorities. (Do these things first, then these things, etc.)
- Limited and intentional graphics: Graphics for the sake of graphics are not a good idea. Sure, it’s fun to jazz up your report, but if it’s not relevant to the stakeholder, don’t include it. It’s also important to be very consistent across graphics.
- Documents by and for humans: Don’t overcomplicate it. You shouldn’t need a two-page appendix explaining how to read your document. A good rule of thumb is to try reading the report as though you’re the stakeholder. Does it make sense? Is it actionable?
- Simple summary tables for large quantities of data: Make sure the information makes sense for the stakeholder and isn’t included for the sake of an algorithm.
- Provide substantiating documents: In the name of simplicity, don’t copy and paste one thousand Nessus findings into your report when you can simply attach the Nessus document.
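The two tips about prescriptive priorities and summary tables are easy to automate. The following script is an added example, not PlexTrac code: it takes a constructed set of per-host scanner rows (the kind of data you would otherwise paste into a report), collapses them to one row per unique finding, ranks them by CVSS v3 rating band and number of affected hosts, and renders a short summary table whose row order is the remediation order. The host list itself stays out of the table, where an attached scanner export belongs.

```python
"""Build a prioritized summary table from raw scanner findings.

Added example (not PlexTrac code). The findings below are constructed to
stand in for a flattened scanner export; the titles, hosts and scores are
illustrative only.
"""
from collections import defaultdict

# Constructed sample: one row per (host, finding title, CVSS v3 base score).
RAW_FINDINGS = [
    ("10.0.0.5", "Outdated OpenSSL", 9.8),
    ("10.0.0.6", "Outdated OpenSSL", 9.8),
    ("10.0.0.7", "Outdated OpenSSL", 9.8),
    ("10.0.0.5", "SSH weak MAC algorithms", 4.3),
    ("10.0.0.8", "SSH weak MAC algorithms", 4.3),
    ("10.0.0.9", "Default credentials on admin console", 8.8),
    ("10.0.0.5", "TLS certificate expired", 5.3),
    ("10.0.0.9", "ICMP timestamp disclosure", 2.1),
]


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Informational"


def summarize(findings):
    """Collapse per-host rows into one entry per unique finding.

    Returns a list of dicts ordered by CVSS (highest first), then by the
    number of affected hosts, so the list doubles as the remediation order.
    """
    hosts = defaultdict(set)
    score = {}
    for host, title, cvss in findings:
        hosts[title].add(host)
        score[title] = max(score.get(title, 0.0), cvss)
    rows = [
        {"title": t, "cvss": score[t], "severity": severity(score[t]),
         "hosts": sorted(hosts[t])}
        for t in hosts
    ]
    rows.sort(key=lambda r: (-r["cvss"], -len(r["hosts"]), r["title"]))
    for priority, row in enumerate(rows, start=1):
        row["priority"] = priority
    return rows


def to_table(rows):
    """Render the summary as a plain text table; per-host detail is left to the attachment."""
    lines = ["| # | Severity | CVSS | Finding | Hosts |",
             "|---|----------|------|---------|-------|"]
    for r in rows:
        lines.append(f"| {r['priority']} | {r['severity']} | {r['cvss']:.1f} | "
                     f"{r['title']} | {len(r['hosts'])} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_table(summarize(RAW_FINDINGS)))
```

The sort key is the part worth adapting: if your engagement scope weighs likelihood or business impact differently from raw CVSS, change the tuple in `summarize` rather than reordering rows by hand, so the same rule produces the same order on every report.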
A Dash of PlexTrac Brings the Heat
How can PlexTrac help
The tips above help you create a more streamlined report, but there are advantages to automating your pentest reporting with PlexTrac that you simply can’t get with manual building. The most obvious advantage to automating pentest reporting is the time savings. With standardization and collaboration from the PlexTrac tools, you can cut reporting cycles in half. If you’re at an enterprise, the extra time can be used to run additional tests. If you’re a service provider, you can take on additional clients and grow your revenue.
PlexTrac is also beneficial in that it enables you to build your report as you go and deliver a dynamic report to your stakeholders. (Say goodbye to the 100+ page PDFs that no one reads!) And you can easily track remediations to ensure that you’re not just finding vulnerabilities but actually fixing them.
Ready to spice things up with PlexTrac?
Request a demo today!