
Your Report is NOT Your Secret Sauce

A recipe for creating better pentest documentation without the pain

By Jordan Treasure, Manager of Professional Services at PlexTrac

What’s Really in That Secret Sauce? 

Where we are today

Let’s face it. Manually building pentest reports is time-consuming, and most pentesters are not technical writers. You’d rather be hacking, right? What we’ve found is that, when building reports, most pentesters create something that they themselves understand. But a report that makes sense to the author doesn’t automatically make sense to the end user.

This is especially true when pentesters don’t have clear direction on what to include or how to format it. The result? Reports that lack what the reader needs in order to act: severity, CVSS score, likelihood, impact, overall risk. That is less than ideal for the end user.

Time constraints also play a role in reporting. It’s not uncommon for a pentester to create one report for both leadership and technical remediators to streamline the process. Unfortunately, when combining audiences, the context may not make sense for one of the groups. 

The Not-so-Secret Ingredients for Success

What we see that works

There are some steps you can take to create an easy-to-comprehend and highly actionable report for your stakeholders that won’t cost you extra time in your day. 

  • Straightforward document structure: The top of your document should be largely conceptual. As you move to the end of the document, you can add technical elements. 
  • Simple and intuitive prioritization of risk: Your stakeholders need to be able to look at the report and know exactly what actions need to happen and in what order. It’s vital that you are very prescriptive with priorities. (Do these things first, then these things, etc.)
[Figure: key for findings severity prioritization]
  • Limited and intentional graphics: Graphics for the sake of graphics are not a good idea. Sure, it’s fun to jazz up your report, but if a graphic isn’t relevant to the stakeholder, don’t include it. It’s also important to be consistent across graphics. 
  • Documents by and for humans: Don’t overcomplicate it. You shouldn’t need a two-page appendix explaining how to read your document. A good rule of thumb is to read the report as though you’re the stakeholder. Does it make sense? Is it actionable? 
  • Simple summary tables for large quantities of data: Make sure the information makes sense for the stakeholder and isn’t included simply because a tool produced it. 
[Figure: finding summary table in a penetration test report]
  • Provide substantiating documents: In the name of simplicity, don’t copy and paste one thousand Nessus findings into your report when you can simply attach the Nessus document.
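The last three points above (prescriptive priorities, a summary table instead of a wall of scanner output, and the raw export attached rather than pasted) can be put into practice with a small script. The one below is an added example written for this page, not PlexTrac code and not from the original post: it reads a Nessus v2 XML export, collapses the per-host findings into one row per plugin, orders them by severity, then CVSS score, then number of affected hosts, and prints a summary table. The embedded export is constructed for illustration (the plugin IDs and names are placeholders, not real Nessus plugins), and the ordering rule is an assumption about what "do these first" should mean; adjust it to your own rating scheme.

```python
"""Summarize a Nessus (.nessus v2 XML) export into a prioritized findings table.

Added example, not PlexTrac's code. Field layout follows the .nessus v2 format
(ReportHost > ReportItem with severity, pluginID, pluginName, cvss3_base_score).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nessus severity attribute: 0 = Info ... 4 = Critical.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: two hosts, four placeholder plugins (not real scan data).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="8443" svc_name="www" protocol="tcp" severity="4"
                  pluginID="900001" pluginName="Placeholder: unauthenticated RCE in sample service" pluginFamily="Sample">
        <cvss3_base_score>9.8</cvss3_base_score>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Placeholder: deprecated TLS version enabled" pluginFamily="Sample">
        <cvss3_base_score>5.3</cvss3_base_score>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Placeholder: service banner" pluginFamily="Sample">
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Placeholder: deprecated TLS version enabled" pluginFamily="Sample">
        <cvss3_base_score>5.3</cvss3_base_score>
      </ReportItem>
      <ReportItem port="8080" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900004" pluginName="Placeholder: default credentials accepted" pluginFamily="Sample">
        <cvss3_base_score>7.5</cvss3_base_score>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Placeholder: service banner" pluginFamily="Sample">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem (one finding on one host/port)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name")
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss3_base_score")  # absent on informational items
            findings.append({
                "host": hostname,
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "cvss": float(cvss) if cvss else None,
            })
    return findings


def summarize(findings, min_severity=1):
    """Collapse per-host items into one row per plugin, most urgent first.

    Informational items are dropped by default: they belong in the attached
    export, not in the summary the stakeholder reads.
    """
    groups = defaultdict(list)
    for f in findings:
        if f["severity"] >= min_severity:
            groups[f["plugin_id"]].append(f)
    rows = []
    for plugin_id, items in groups.items():
        scores = [f["cvss"] for f in items if f["cvss"] is not None]
        rows.append({
            "plugin_id": plugin_id,
            "name": items[0]["name"],
            "severity": items[0]["severity"],
            "label": SEVERITY_LABELS[items[0]["severity"]],
            "cvss": max(scores) if scores else None,
            "hosts": sorted({f["host"] for f in items}),
        })
    # Assumed priority rule: severity, then CVSS, then breadth of exposure, then name.
    rows.sort(key=lambda r: (-r["severity"], -(r["cvss"] or 0.0), -len(r["hosts"]), r["name"]))
    for rank, row in enumerate(rows, start=1):
        row["priority"] = rank  # "do this first, then this" for the reader
    return rows


def render_table(rows):
    """Plain-text summary table suitable for pasting into a report."""
    header = f"{'#':>2}  {'Severity':<8}  {'CVSS':>4}  {'Hosts':>5}  Finding"
    lines = [header, "-" * len(header)]
    for r in rows:
        cvss = "n/a" if r["cvss"] is None else f"{r['cvss']:.1f}"
        lines.append(f"{r['priority']:>2}  {r['label']:<8}  {cvss:>4}  {len(r['hosts']):>5}  {r['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(summarize(parse_nessus(SAMPLE_NESSUS))))
```

Run against a real export by replacing `SAMPLE_NESSUS` with the file contents; the full `.nessus` file then goes in the appendix or as an attachment, and only the table above goes in the body of the report.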

A Dash of PlexTrac Brings the Heat

How can PlexTrac help

The tips above help you create a more streamlined report, but there are advantages to automating your pentest reporting with PlexTrac that you simply can’t get with manual building. The most obvious advantage to automating pentest reporting is the time savings. With standardization and collaboration from the PlexTrac tools, you can cut reporting cycles in half. If you’re at an enterprise, the extra time can be used to run additional tests. If you’re a service provider, you can take on additional clients and grow your revenue. 

PlexTrac is also beneficial in that it enables you to build your report as you go and deliver a dynamic report to your stakeholders. (Say goodbye to the 100+ page PDFs that no one reads!) And you can easily track remediations to ensure that you’re not just finding vulnerabilities but actually fixing them. 

Ready to spice things up with PlexTrac? 

Request a demo, today!

Jordan Treasure, Manager of Professional Services at PlexTrac

Jordan Treasure assists security teams in improving outcomes during security assessments. He has partnered with hundreds of security organizations across the globe to improve efficiency and quality of life for both security teams and their customers. Jordan is a GIAC certified forensic analyst with seven years of experience performing risk assessments, vulnerability assessments, and threat hunting missions on national security assets. He also spent over three years working with a multitude of federal, state, and local agencies supporting missions ranging from drug interdiction to wildland fire support. Many of his experiences stem from his 14-year career with the United States Air Force. He is also an avid D&D DM/Player/Fan.
