Penetration testing is an activity that is meant to help a business take the appropriate actions to secure its systems from malicious actors.
For the business to understand its weaknesses in the reported areas, a proper report must be presented to management. The report is the most important part of the penetration test. That is what they are expecting, that is what they are paying for!
Yes, enumeration is key, understanding of the tools and techniques is important, and putting in the effort to make the exploit work is crucial for a successful test. But if you don't know how to present it in a professional way that is easily understandable by people who are (probably) less technical than yourself, then you haven't provided the value the business was looking for.
A Penetration Testing report should include:
Executive summary
This serves as a high-level view of risks and business impact. It's meant to be clear without all the technical details, which executives won't understand.
Walkthrough of risks
Don't just mark a finding as high, medium or low. Explain in detail what the vulnerability you found is and how exploitation of that vulnerability will impact the business.
Evidence
Did you put in the work? You have to show them how you did it. Include all the steps you took to discover and exploit the vulnerability. Make the steps clear enough that the client company's IT team can reproduce the same issue and re-validate the result.
Explain the risk calculation
Factoring in the likelihood and the potential impact of a vulnerability is a major component of your report. There must be a section in your report where you explain the method by which you calculate the risk of your findings. The calculation will not always be accurate, but your client must understand why one finding is more important than another.
While you are calculating risks, you need to take into account factors like asset value. In many cases one information asset is more important than another because of the data it may hold or the role it plays in the corporate network.
Such a value may not be available to you prior to the test, and the company itself may not have that information, because asset valuation and asset classification may never have been done internally.
So once again, risk scores may not always be accurate, but your way of calculating them must be well structured, simply explained and concise.
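As an added illustration of the kind of method this section asks for (constructed here, not the author's own scoring scheme and not CVSS), the Python model below scores likelihood and impact on a 1 to 5 scale, multiplies them, and scales the result by an asset-value weight, with an unknown asset value falling back to a neutral weight. The scale names, weights, band thresholds and sample findings are all assumptions.

```python
from dataclasses import dataclass

# Constructed example risk model: likelihood x impact, scaled by asset value.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Asset value is a multiplier; "unknown" is neutral because the client may
# never have classified the asset (assumed weights, not a standard).
ASSET_WEIGHT = {"low": 0.8, "medium": 1.0, "high": 1.3, "critical": 1.6, "unknown": 1.0}

@dataclass
class Finding:
    title: str
    likelihood: str
    impact: str
    asset_value: str = "unknown"

def risk_score(f: Finding) -> float:
    """Likelihood x impact (1..25) times the asset weight, rounded to one decimal."""
    base = LIKELIHOOD[f.likelihood] * IMPACT[f.impact]
    return round(base * ASSET_WEIGHT[f.asset_value], 1)

def risk_band(score: float) -> str:
    """Map a score onto the bands used in the report; thresholds are assumed."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"

def explain(f: Finding) -> str:
    """One-line rationale so the reader can see why a band was assigned."""
    score = risk_score(f)
    return (f"{f.title}: likelihood={f.likelihood}({LIKELIHOOD[f.likelihood]}) x "
            f"impact={f.impact}({IMPACT[f.impact]}) x asset={f.asset_value}"
            f"({ASSET_WEIGHT[f.asset_value]}) = {score} -> {risk_band(score)}")

def rank(findings):
    """Highest risk first, so the walkthrough of risks follows the same order."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings, not taken from any real engagement.
FINDINGS = [
    Finding("SQL injection in customer portal search", "likely", "major", "critical"),
    Finding("Outdated TLS configuration on marketing site", "possible", "minor", "low"),
    Finding("Default credentials on internal printer", "almost certain", "moderate", "medium"),
]

if __name__ == "__main__":
    for finding in rank(FINDINGS):
        print(explain(finding))
```

Printing `explain()` for each ranked finding gives the "why" line that belongs next to every entry in the walkthrough of risks.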
More remediation options
Many reports include generic descriptions of the findings that point to remediation guides, such as those from OWASP.
Always take into consideration the unique context of the client's environment and needs. Provide them with more remediation options, because no two business/IT environments are the same.
If your client has a vulnerable web service, you may propose that they apply input filtering to protect against SQL injection, and/or configure their network to provide protection against such attacks.
The more detail you provide in your remediation suggestions, the more you help the IT teams resolve the issues faster, more easily and possibly at lower cost.
Finally
Treat the penetration testing report as the product you have been tasked to deliver. Exploiting systems and networks and finding sensitive information is what most people focus on, but that is merely the means to an end.
You can study a sample report from Offensive Security here. Remember there is no right or wrong way to write one, but there are important elements and concepts that will turn a pentest report into an excellent pentest report.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 professional, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.