4 - Report
At the conclusion of the test, a report is developed to describe the identified vulnerabilities, present a risk rating, and give guidance on how to mitigate the discovered weaknesses, so that the client can improve its security posture. The report should also be structured to clearly communicate what was tested, how it was tested, and the results of the testing.
This section is intended to define the base structure for a penetration test report, although it is highly encouraged to use your own format based on your needs.
A penetration test report comprises mainly two parts: the executive summary and the technical information.
- Confidentiality statement: A brief explanation of the document's importance and the consequences of its disclosure.
- Disclaimer: Statement explaining that you are not responsible for new vulnerabilities that might appear in the future and were not found during the assessment.
- Executive summary
- Synopsis: A paragraph or small set of paragraphs, written for a reader who is not tech-savvy, explaining in general terms the major weaknesses found during the test.
- Observed security strengths: Highlight security measures the client should maintain.
- Risk Rating:
- Technical report
- Scope: Should contain the assets the client wanted to test for each hired service, plus any extra information provided by the client, such as credentials.
- Provided credentials
- < SERVICE >: Depending on the service contracted by the client, it will have a different structure.
- < Footprinting >: Show all the information obtained about the company, organised by category.
- Company domains and subdomains
- Public contact information
- Public files metadata
- Employees (Names, roles, emails, leaked credentials...)
- < Pentesting | vulnerability assessment >: This type of test can be reported in different ways: explaining all the steps narratively, from the enumeration phase to the post-exploitation stage, or focusing directly on the vulnerabilities found and their exploitation, without emphasising the enumeration and situational awareness phases.
- Hostname - IP
- Ports (TCP):
- Ports (UDP):
- Operating system:
- Description: Description of what has been exploited.
- Criticality: A rating (Low, Medium, High) that helps decide which vulnerabilities should be fixed first.
- Proof of Concept (PoC): Detailed steps to exploit the vulnerability.
- Mitigations: Recommendations about how to solve the vulnerability.
- House cleaning
- WiFi report: All the steps involved in a WiFi penetration test exercise.
- Changes during the test: List evidence relating to any change in the testing objectives.
- Meaning of the severity scale: Explain what the criticality of each vulnerability is based on.
Pentesting report example