The report generated at the end of a penetration test is the most important aspect of the process. It’s a structured way to present details of what the test uncovered, including the methodology used, the effectiveness of the existing security systems, and what needs to be improved upon. Good documentation provides the organization with valuable insights into current vulnerabilities and actionable tactics to safeguard data. While detail, clarity, and structure are vital parts of a good penetration testing report, content-wise there are six basic elements that will elevate a report and make it truly valuable.

1. Risk Level Descriptions

As there are no standardized risk level descriptions, it’s important that the report has risk level measurements so that the reader understands the level of risk for each finding. A clearly defined description supports the rest of the penetration test report. It’s important that leaders in an organization understand the potential losses they may suffer, should they fail to improve their security. Each risk that the tester identified should be divided into different levels:

  • Critical-risk
  • High-risk
  • Medium-risk
  • Low-risk
  • Informational findings
  • Remediated findings

2. Executive Summary

A good penetration test report starts with a clear and concise summary of its contents, laid out in simple, non-technical language that can be understood even by those who don’t have a background in software or technology. The main purpose of an executive summary is to effectively communicate the risks and consequences of a security breach to the organization. In order to do that well, the summary should mention the scope, objectives, methods, data accessed, possible losses, and recommendations. This summary will be vital to the project management or organization’s executives to understand the risks and recommendations. It is also useful if the summary provides a Client Vulnerability Comparison graph of industry averages to give the company an idea of where they fit in the internet security landscape. Packetlabs provides this information to help clients better understand their security posture.

3. Approach 

The approach section should highlight the scope of the test and objectives. To ensure compliance with most regulatory requirements, it’s important to ask your penetration tester what methodology they use to ensure regulatory requirements are met. Packetlabs uses a methodology model derived from the SANS Pentest Methodology, the MIRE ATT&CK framework for enterprises, and the NIST SP800-115 to ensure compliance with most regulatory requirements. 

4. Methodology

The methodology shows high-level phases and what areas were tested. There are generally 4 phases that a penetration testing report should highlight, they are:

  • Recon & Mapping
  • Discovery
  • Exploitation 
  • Reporting

The Methodology section should indicate what testing was conducted and whether the testing was automated or manually conducted. Not all testing can be conducted in an automated fashion, and it’s important to understand the comprehensivity behind the work involved. 

5. Technical Findings

The penetration testing report should clarify how valuable the assets that were accessed were, and the possible consequences of a breach. Data that was accessed during testing should also be included. There are different types of data that leave an organization or business vulnerable if it was hacked. Assets include information about a business that could be advantageous to their competition, or data about their consumers that could violate privacy laws if revealed. Different assets have different levels of importance to an organization, which is what makes a detailed report crucial. The impact on the organization’s brand after a breach of customer data could be irreparable. Consumers are becoming very sensitive to the protection of their personal information and data. Organizations would therefore be wise to illustrate how they care about their data and customer’s data, too, by conducting penetration tests.

6. Recommendations

Recommendations should be detailed and unique to each system and organization. Documented steps to reproduce findings to ensure application developers can validate remediation efforts prior to re-testing should also be included. Unique and customized recommendations pertaining to the client’s specific security status should be included. Conducting a root cause analysis of findings within the current systems, outlining common themes, and providing problem-solving strategies should be outlined in the recommendations portion of the report. A great penetration testing report will also provide long-term fulfillment solutions on implementing these new recommendations into your company’s security framework.

Conclusion

It is important to understand the findings and recommendations in the penetration testing report to make informed security decisions for your company. It is also vital to fill the gaps and prevent vulnerabilities that remain in the application or system. A trusted pen testing partner is key when conducting a successful pen test and achieving your internet security business objectives.