Writing a Penetration Testing Report
As you approach the conclusion of a penetration test, it’s important to document your work with a written report of your findings and recommended remediation techniques. This report provides management with a remediation road map and serves as an important artifact of the penetration test. It may also serve as documentation that a test was completed, if necessary to meet regulatory requirements. Let’s take a look at some report writing and handling best practices.
Structuring the Written Report
There isn’t any universal template that you need to follow when designing a penetration testing report, but you may choose to use a template provided by your organization.
Regardless of whether you begin from a template, it’s good practice to structure your report into several important sections. One common structure for penetration testing reports includes the following sections, in order:
- Executive summary
- Findings and remediation
- Methodology
- Conclusion
Executive Summary
The executive summary is, by far, the most important section of the report. It is often the only section that many readers will read, so it must convey all of the important conclusions of the report clearly, in language a layperson can understand. Lead with the overall conclusion and the issues that most need attention, and leave tool names, hostnames, and other technical details for the later sections.
Findings and Remediation
The findings and remediation section is the meat and potatoes of a penetration testing report. This is where you describe the security issues that you discovered during the penetration test and offer suggestions on how the organization might remediate those issues to reduce its level of cybersecurity risk. Present the findings in order of severity, and give each one the same structure: what the issue is, which systems are affected, the evidence you observed, how to reproduce it, and a concrete remediation.
Methodology
The methodology section of the report is your opportunity to get into the nitty-gritty technical details. Explain the scope of the test, the types of testing that you performed, the tools that you used, and the observations that you made. The audience for this section consists of the technologists who will be reviewing your results and taking action based on your findings. Share enough information to give them confidence in the quality of the test and a strong understanding of the way that you approached your work. Ideally, a skilled security professional should be able to pick up your report, read the methodology section, and use it to reproduce your results.
Conclusion
The conclusion is your opportunity to wrap things up in a tidy package for the reader. Summarize your conclusions and make recommendations for future work. For example, if your penetration test scope excluded web application testing, you might recommend conducting that testing in a future engagement.
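To make the four-section structure described above concrete, here is an added example (not from the original text) that assembles a report skeleton from a structured list of findings. It validates that every finding carries the fields a technical reader needs (severity, affected asset, evidence, reproduction steps, remediation), orders findings by severity, and derives the executive summary from the findings rather than writing it by hand. The sample findings, hosts, tools, and scope are constructed for illustration and are not real results.

```python
"""Render a penetration-testing report skeleton from structured findings.

Added example, not from the original page. All findings, hosts and tool names
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

# Severity order used to sort the findings section, highest risk first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}


@dataclass
class Finding:
    title: str
    severity: str
    asset: str               # host, URL or component where the issue was observed
    description: str
    evidence: str            # what was observed (request/response, output, screenshot ref)
    reproduction: List[str]  # steps a technologist can follow to confirm the result
    remediation: str         # a concrete fix, not just "patch it"


def validate(findings):
    """Return a list of problems; an empty list means the findings are report-ready."""
    problems, seen = [], set()
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            problems.append(f"{f.title}: unknown severity {f.severity!r}")
        if not f.remediation.strip():
            problems.append(f"{f.title}: missing remediation")
        if not f.reproduction:
            problems.append(f"{f.title}: no reproduction steps")
        key = (f.title.lower(), f.asset.lower())
        if key in seen:
            problems.append(f"{f.title}: duplicate finding for {f.asset}")
        seen.add(key)
    return problems


def sort_findings(findings):
    """Highest severity first; ties broken by title so output is deterministic."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f.severity, 99), f.title))


def executive_summary(findings):
    """Plain-language summary a non-technical reader can act on: counts and the top issue."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    ordered = sort_findings(findings)
    lines = ["# Executive Summary", ""]
    lines.append(f"The assessment identified {len(findings)} findings: "
                 + ", ".join(f"{counts[s]} {s}" for s in SEVERITY_RANK if s in counts) + ".")
    if ordered:
        lines.append(f'The most significant issue is "{ordered[0].title}" on '
                     f"{ordered[0].asset}; it should be remediated first.")
    return "\n".join(lines)


def findings_section(findings):
    """One uniformly structured entry per finding, in severity order."""
    lines = ["# Findings and Remediation", ""]
    for i, f in enumerate(sort_findings(findings), 1):
        lines += [f"## {i}. {f.title} ({f.severity.upper()})", "",
                  f"**Affected asset:** {f.asset}", "", f.description, "",
                  f"**Evidence:** {f.evidence}", "", "**Reproduction steps:**"]
        lines += [f"{n}. {step}" for n, step in enumerate(f.reproduction, 1)]
        lines += ["", f"**Remediation:** {f.remediation}", ""]
    return "\n".join(lines)


def methodology_section(scope, tools, phases):
    lines = ["# Methodology", "", "**In scope:** " + ", ".join(scope), "",
             "**Tools:** " + ", ".join(tools), "", "**Testing phases:**"]
    lines += [f"- {p}" for p in phases]
    return "\n".join(lines)


def conclusion_section(out_of_scope):
    lines = ["# Conclusion", "",
             "Remediate the findings above in severity order and retest to confirm the fixes."]
    if out_of_scope:
        lines.append("Recommended future work for areas excluded from this engagement: "
                     + ", ".join(out_of_scope) + ".")
    return "\n".join(lines)


def build_report(findings, scope, tools, phases, out_of_scope):
    """Refuse to render a report whose findings are incomplete or duplicated."""
    problems = validate(findings)
    if problems:
        raise ValueError("findings are not report-ready: " + "; ".join(problems))
    return "\n\n".join([executive_summary(findings), findings_section(findings),
                        methodology_section(scope, tools, phases),
                        conclusion_section(out_of_scope)])


# Constructed sample input (illustrative only).
SAMPLE_FINDINGS = [
    Finding("Default credentials on management interface", "high", "10.0.5.12",
            "The switch management web interface accepted a vendor default username and password.",
            "HTTP 302 to /dashboard after POST /login with admin:admin",
            ["Browse to https://10.0.5.12/login", "Submit username admin, password admin"],
            "Change the default credentials and restrict management access to the admin VLAN."),
    Finding("SMB signing not required", "medium", "10.0.5.0/24 (14 hosts)",
            "File servers accept unsigned SMB sessions, enabling relay of captured authentication.",
            "Scanner output: message_signing: disabled on 14 hosts",
            ["Run an SMB security-mode scan against the subnet", "Observe signing reported as not required"],
            "Require SMB signing via group policy on all domain members."),
    Finding("Verbose server banner", "low", "mail.example.test:25",
            "The SMTP banner discloses the exact software version.",
            "220 mail.example.test ESMTP Postfix (version string redacted here)",
            ["Connect to port 25 and read the banner"],
            "Configure a generic banner that omits the version string."),
]
SCOPE = ["10.0.5.0/24", "mail.example.test"]
TOOLS = ["port scanner", "SMB security-mode scanner", "web browser"]
PHASES = ["Reconnaissance", "Vulnerability discovery", "Exploitation", "Reporting"]
OUT_OF_SCOPE = ["web application testing"]

if __name__ == "__main__":
    print(build_report(SAMPLE_FINDINGS, SCOPE, TOOLS, PHASES, OUT_OF_SCOPE))
```

The validation step is the part worth keeping even if you render the report some other way: a finding with no reproduction steps fails the "a skilled professional can reproduce your results" test, and a finding with no remediation gives management nothing to put on the road map.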