Cyber SecurityBlog of a Penetration Tester: Issue 2 – Anatomy of an Effective Penetration Test Report

The Penetration Test Report, in most cases, is the final deliverable to a client. As such, we make sure that the report is clean, readable, complete, clear, and compelling. The Penetration Testing Execution Standard tells us the reporting phase should capture the entire process in a manner that makes sense to the client. 

To provide the most value to the client, the report must contain analysis and interpretation of data in addition to the data itself. It should be laid out and organized for maximum readability, making effective use of white space. Most importantly the report must be actionable, that is, it must have content that can be acted upon to remediate or mitigate findings, and it must be compelling, which means that the information provided by the penetration test expert is based on solid findings and facts. With these requirements in mind, let’s walk through the various sections of an effective pen test report.

The Cover Page

In the world of business there is an interesting debate on whether a cover page is necessary in a professional document. Our position is that the professionalism of a well-done cover page can only add to the overall effectiveness of the report. There are six elements that go into a successful cover page: (1) branding with business trademark, (2) title of the document, (3) graphics to add to the attractiveness and sharpness, (4) name of the author, (5) headers and footers, (6) date published. The cover page of the report is the first thing that the client will see, as such, we must pay particular attention to its design.

Engagement Contacts and Document Control Page

This page contains the primary and emergency contacts for both the client and the organization providing the services, and the document’s classification, revision history, and peer reviews.  

Table of Contents

The report contains sections intended for different client audiences, Senior Decision Makers, Security Managers, System Administrators, and the Technical Teams tasked with remediation. It also contains important appendixes necessary to understand the methodologies and risk ratings employed. A table of contents is an absolute necessity and should not be ignored.

Executive Summary

Exactly what it means, a summary for executives. It is written “bottom line up front,” that is the first sentence contains the bottom line: “The total combined risk to the Confidentiality, Integrity, and Availability of the client’s assets in their deployed environment is [Critical, High, Moderate, Low] and the Cyber Security posture is [Good, Bad, Sound, Mature, Strong, Weak]. This is primarily due to [root cause] and can be improved by [reconfiguring and redeploying the application, implementing a patch management program, user awareness training, etc.]”

Assessment Snapshot

Summary of vulnerabilities by severity made clear with a color graph, summary of root causes with a color graph, risk history with a color graph, chart with top 5 vulnerabilities with remediation options, and high-level recommendations.

Introduction

The Purpose and Scope, Assumptions and Constraints, Supporting Documents, and any Disclaimer applicable to the report.

Discovery Narrative

Internet Attack Surface assessment (how exposed is the client on the Internet), Open-Source Intelligence (OSINT), reconnaissance to collect domains, email accounts, telephone numbers, domain squatting, hacked email accounts, exposed documents, social media presence or any other artifact that can assist an attacker in targeting the client’s confidentiality, integrity, and availability (CIA).

Assessment Narrative

Summary of Findings (exploited or verified vulnerabilities), step-by-step attack replication instructions, Proof of Concept if available, and evidence of compromise/verification with screenshots.

Appendix A – Finding Details

This section is for the remediators. It contains every vulnerability identified, the affected assets, actual risk (based on Likelihood and Consequence of successful exploitation), remediation or mitigation instructions, and internet references to assist in remediation efforts.

Appendix B – Risk Rating Tables

Everything needed to understand how risk has been measured and computed, table of root causes, and risk calculation matrix.

Appendix C – Methodology

Here we lay out the methodologies used: Penetration Testing Execution Standard, OWASP, etc.

Appendix D – Terms and Abbreviations

Definitions for technical terms and abbreviations used throughout the report.

Given that the final report is our final delivery to the client, it is the actual product of our professional efforts as penetration testers. We must put into our reporting a level of effort commensurate with its importance. That is, we must ensure that it is clean, readable, complete, clear, and compelling. Including the sections enumerated above is an excellent start for your final delivery.