How to write a good pentest report
Once your penetration testing is finished, you must deliver a detailed report on your client's security posture.
In some cases, you will be required to collaborate with other pentesters to write this document.
Here I present the report template that I use within my company, Hacking Geek Ltd.
The cover page carries the company name and the marking "Business Confidential", which means that the document may only be read by authorized persons.
In this example, the report is written in English.
A table of contents lists every section and every vulnerability that the report addresses.
This template runs to 20 pages, but penetration test reports exceeding 200 pages are not rare, depending on the size of the tested perimeter and the number of flaws identified.
The body begins with a Confidentiality Statement and a Disclaimer, followed by my contact information.
Next comes the Assessment Overview, which presents the general context of the engagement.
The following section (Assessment Component) details the methodology and the types of test conducted (for example, Web Application Penetration Testing), as well as the attack vectors that were authorized or excluded.
Then come the discovered flaws (for example, those identified with Nessus or Nmap), each with its severity level.
A Risk Factors and Likelihood assessment follows, estimating how likely a real attacker is to exploit each flaw, so that the final rating reflects both the technical severity and the realistic chance of exploitation.
The Scope section precisely defines the targets.
In this example, I did not have authorization to conduct social engineering or phishing attacks, nor to launch denial of service (DoS) attacks.
If you identify a flaw that could lead to a DoS, document it in the report, with the evidence that led you to it and a clear note that it was not exploited, without attempting to trigger it.
The report also contains an Executive Summary for management and a Testing Summary for technical readers, covering all the discovered vulnerabilities.
In this specific case, the engagement is an internal network audit of a Microsoft Active Directory environment.
The findings therefore include weaknesses specific to that environment, such as LLMNR poisoning and other misconfigurations typical of Active Directory.
The final and most important part of the report concerns the recommendations.
The ultimate goal of a penetration test is to help the client secure themselves.
We must therefore propose concrete corrective actions: apply security patches, update systems, change configurations, or, where needed, recommend new equipment or better use of the security products the client already owns.
As a pentester, you are not responsible for applying these fixes yourself.
It is customary, however, to propose a re-test three to six months later to verify that the client's teams have correctly fixed the identified problems.
The report ends with a detailed summary of vulnerabilities classified by severity.
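To make the severity classification concrete, here is an added example (not code from the original report template or from Hacking Geek Ltd) that rates constructed sample findings by likelihood and impact, keeps the CVSS base score alongside, marks a DoS condition as documented but not exploited, and emits the severity-sorted summary table together with the per-rating counts used in the executive summary. Only the qualitative scale in `cvss_severity` comes from the CVSS v3.1 specification; the 3x3 likelihood-by-impact matrix and its thresholds, and every finding identifier, title, score and recommendation, are this example's assumptions.

```python
"""Severity-ranked findings summary for a pentest report.

Added example, not code from the original report template.  The findings
below are constructed sample data, and the 3x3 likelihood/impact matrix
thresholds are this example's assumption; only the CVSS v3.1 qualitative
scale is taken from the CVSS specification.
"""
from collections import Counter
from dataclasses import dataclass

# Ordering used for the summary: most severe first.
RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Three-level scale used for both likelihood of exploitation and impact.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative rating (per the CVSS spec)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_rating(likelihood: str, impact: str) -> str:
    """Overall rating from a likelihood x impact matrix (thresholds assumed here)."""
    product = LEVEL[likelihood] * LEVEL[impact]  # 1..9
    if product >= 9:
        return "Critical"  # High likelihood and High impact only
    if product >= 6:
        return "High"
    if product >= 3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    cvss: float
    likelihood: str
    impact: str
    exploited: bool  # False when the flaw was documented but never triggered
    recommendation: str

    @property
    def rating(self) -> str:
        return risk_rating(self.likelihood, self.impact)


# Constructed sample findings (not results from any real engagement).
SAMPLE_FINDINGS = [
    Finding("F-03", "Denial-of-service condition in an internal service", 7.5,
            "Low", "High", False,
            "Patch the service. DoS was out of scope, so the flaw was not exploited."),
    Finding("F-04", "Service banner discloses the exact software version", 5.3,
            "Low", "Low", True, "Suppress version strings in server banners."),
    Finding("F-01", "LLMNR/NBT-NS poisoning captures domain credentials", 8.1,
            "High", "High", True, "Disable LLMNR and NetBIOS name resolution via GPO."),
    Finding("F-02", "Unpatched service with a public exploit (Nessus)", 9.8,
            "Medium", "High", True, "Apply the vendor security update."),
]


def sort_by_severity(findings):
    """Most severe overall rating first; ties broken by CVSS base score."""
    return sorted(findings, key=lambda f: (RANK[f.rating], f.cvss), reverse=True)


def severity_counts(findings):
    """Counts per overall rating for the executive summary."""
    return dict(Counter(f.rating for f in findings))


def summary_table(findings) -> str:
    """Markdown table for the 'vulnerabilities classified by severity' section."""
    rows = ["| ID | Finding | CVSS (rating) | Overall | Exploited |",
            "|---|---|---|---|---|"]
    for f in sort_by_severity(findings):
        rows.append(
            f"| {f.ident} | {f.title} | {f.cvss:.1f} ({cvss_severity(f.cvss)}) "
            f"| {f.rating} | {'yes' if f.exploited else 'no (documented only)'} |"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    print(severity_counts(SAMPLE_FINDINGS))
    print(summary_table(SAMPLE_FINDINGS))
```

Note that F-02 keeps a Critical CVSS score but lands at High overall, because its likelihood was rated Medium: the summary table shows both values so a technical reader can see why the overall rating differs from the raw score.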
When writing your report, use clear and accessible language.
Avoid overly technical jargon, or explain it simply, especially when your readers are not technical.
The objective is for the client to fully understand the nature and impact of the risks to their infrastructure, so that they have both the means and the motivation to fix these security flaws.
This is the very essence of our profession.