What should a good penetration test report include

What should a good penetration test report include?

February 2nd, 2022 Posted in Penetration Testing

Penetration testing is an excellent way for organisations to gain assurance and information about the security of their IT infrastructure, networks and business applications. In a penetration test, a qualified and independent tester will use various manual and automated techniques to simulate a real-world attack on an organisation’s IT systems.  

When executed and reported correctly, a penetration test is an extremely valuable tool for analysing the level of your security maturity. A typical penetration test will take the following structure: initial engagement, scoping, testing, reporting and follow up. 

Valuable reporting is a crucial part of penetration testing. The report findings should help you to identify, understand and remediate discovered security weaknesses – with the overarching aim of improving your cyber resilience.   

You should look for a partner that produces easy to understand, insightful, and structured reports. We recommend asking to see one or more sample reports before committing to working with any testing partner so that you can ascertain whether their reporting format and style is compatible with your requirements and employees’ levels of technical experience.  

Moreover, to ensure report requirements are precise, we advise that you include expectations relating to the format of the report and its delivery date in the scope of work.  

We have written a detailed blog on how to choose a good penetration testing partner to assist with this. Moreover, for a broader introduction to this topic, please read our guide to pen-testing. 

Penetration testing report structure

It is paramount that you find the penetration testing report useful and insightful. This is because the purpose of the report is to support you in improving your security posture by identifying vulnerabilities and their associated remediations.  

A plain list of all the vulnerabilities found during the exercise is unhelpful. Instead, the report should take on a clear and concise structure, providing a narrative of what was tested, how it was tested, and the consequent results and actions – in order of urgency. 

Commonly, reports take the following structure:   

Executive Summary & Test Information 

  • Overview of findings 
  • Overview of recommendations 
  • Scope of work 
  • Test objectives 
  • Assumptions and constraints 
  • Timeline 
  • Test methodology followed 

Test Findings 

  • Summary of findings and risk levels 
  • Summary of recommendations  
  • Prioritised recommendations 
  • Supporting information, including on how risks levels are set 

Technical Report/Detailed Findings 

  • Vulnerabilities identified 
  • Risk ratings 
  • References / links to further resources / reading
  • Evidence 
  • Remediation recommendations 

Appendix 

  • Tools used 
  • Detailed methodology information

The reason for having multiple sections is due to the different audiences that will review the report findings. The executive summary is aimed at senior management and business leaders, while the methodology and detailed findings are intended for IT and information security personnel.  

Executive Summary & Test Information

All penetration testing reports should begin with an executive or management summary and key information about the test.  

The executive / management summary should be written in plain English, for the benefit of risk owners and management at the client’s organisation. It should focus on business risk as opposed to technical details, highlight the most pressing issues that arose from testing and a brief overview of the remedial actions that need to be taken. 

Test information should include details about the scope of the test, the client’s objectives, and assumptions that were relied upon or constraints that applied, which the client should take into account when considering the overall assessment of business risk. Information about the testing methodology applied should also be included.  

Test Findings

The test findings section will include more information on each of the vulnerabilities identified, the risk level associated with each one and a summary of the specific remediation guidance for each of the listed vulnerabilities.  

It will include a risk rating methodology used to calculate the severity of discovered vulnerabilities. Assigning a severity score to vulnerabilities is essential for prioritising remediation. 

Usually, risk ratings are informed by industry-standard scores such as CVSS, but can also be influenced by other factors to provide a more accurate rating that is more applicable to the specific environment the vulnerable system exists in, resulting in a low, medium, high or critical rating, escalating in severity and criticality. 

Technical Report / Detailed Findings

This report section provides granular details on the vulnerabilities that the penetration testers discovered during the exercise. You should look for reports that present these findings in a clear and structured way so that they are easy to understand.  

Each finding should include a clear description of the source of the vulnerability, details of the affected hosts, a concurrent vulnerability rating, an analysis of the potential impact should a threat actor be able to exploit the weakness and recommendations for remediating the issue. Evidence, such as a screenshot image, should ideally be provided for each issue identified as well.  

The technical report should also include references from industry sources that provide further reading on the vulnerability and remediation steps. These are usually publicly available resources, which are accessible online from a hyperlink provided by the tester. 

Appendices

Ancillary information which may be helpful to the client, but which is not central to the report or its recommendations, should be provided in the appendices. Such information often includes details on the tools used during the test and more detailed information on the testing techniques and tactics followed.  

Wash Up Meeting

Once you have received the report, a good penetration testing partner will offer to have a ‘wash-up’ call with your team to talk through the test findings and answer any questions about risks or remediation advice.  

The report should be clear, easy to read and provide enough information to enable the client to take actionable steps, but questions commonly arise. The wash-up session enables you to query unexpected findings, understand the implications of the risks identified and discuss remediation options.   

Need Help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.  

 

 

AH Headshot 250x250

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).