Open Close

The Definitive Guide to Penetration Testing Reports


Penetration testing is not going to be worth anything if there are no reports to detail what has been done and what needs to be corrected.  It is the Penetration Testing report that tells IT managers and other company stakeholders just how good or bad your network, web applications and Internet security performs are. But how does one write an engaging and useful report? Here are our 5 top tips:

1. Be sure to keep your target readers in mind

You can write one penetration test report but target a lot of readers.  For example, you could expect that senior management will read (and understand) your executive summary, while the IT team will be reading the technical details.

2. Plan your report.

Even before you conduct an audit on Web application or network security or any other forms of security testing, you would need to create a preliminary pentest report that would double as your planning.

(Read More:  5 Best Practices to secure your Big Data Implementation)

State the following in your penetration testing report:

  • Testing objectives. There are many reasons why a company conducts a penetration testing.  When writing your test report, you should first say why the penetration testing was conducted in the first place.
  • Timeframe. Be sure to mention when you did the testing so that you can be sure that the company could appoint someone to be there while you test, if necessary.  This would also help safeguard you if the company changes anything on its IT infrastructure and these changes were implemented after your tests.
  • Controls. A penetration testing report must be kept confidential due to the fact that it contains a lot of sensitive information.  You would need to detail this explicitly.  You should also need to keep track of what department was given a copy of the report, when it was given, and what format it was in.

3. Collect and document.

Make sure that you have collected everything that you need, including the tools used and the systems that you’ve tested.  Proper documentation of scanned results, screenshots, notes, activity logs, and others would help you proceed to the next step and in writing a full penetration test report.

4. Write your report

You may need to write a draft first before you write your final penetration testing report.  The first draft would be more like a thought-dump for you.  The main concern when you write the draft is to make sure that you include all the information you’ve gathered in your testing. After this, you would need to have it peer-reviewed.  Have everyone on the testing team read the draft and have them edit it.  It is important that whoever was involved in the actual testing should be able to read and review your draft to make sure that the details you stated therein are accurate. After the accuracy is ensured, have your report finalized by letting somebody proofread it, and making sure that it follows the company standards. Free Research Report:  How secure are the Security Products?

5. Typical Penetration Testing report formats.

To help ensure that you do not leave out any important information in writing your report, you might want to follow the typical or recommended report format:

  • Cover page

Contains all the necessary details about the report: the title, the version, date, the service provider and other similar information.

  • Document properties

Contains the names of the testers, reviewers, and the one who approved the final report.  This section also contains  the  classification of the document, as well as the title, version, and author.

  • Version

This will track the modifications made to the report, including what has been changed, and when & who wrote the revisions.

  • Table of contents and list of illustrations

This will list out the figures and diagrams starting form network diagram, application architecture, proof of exploits, screenshots etc

  • Executive summary

This is the report summary. It is typically placed near the beginning of the report, but is actually written after the whole report has been finalized.  The executive summary should have the scope objectives, assumption, the timeframe of the testing, as well as a brief summary of findings and recommendations.

  • Methodology used

Detailed methodology used which should be a combination of OSSTMM, ISSAF, OWASP, PenTest Standard etc.

  • Detailed findings

You should be able to present your pentest findings as comprehensively and completely as possible in your penetration testing report, but be sure to keep everything simple.  Make sure you’re able to show the vulnerabilities, the impact, the likelihood that this particular vulnerability is going to be exploited, and then evaluate the risk, along with your recommendations.  Use graphs, tables, bar charts, and diagrams when necessary.

  • Cite others for their work

Be sure to give proper references when using others’ work for your penetration testing report, including the author’s name, the date of the original publication, the title of the publication, the publisher, place of publication, specific page numbers, and other similar details.

  • Appendices and glossary

These two contains additional information that might make your report easier to read. This is where readers could get more information. Keep all these things in mind when writing your penetration testing report and you can be assured of quality report writing that is of value to everyone who reads it. To make things easier, you might want to consult a template or view a Sample Penetration Testing Report. (Read More:  Top 5 Big Data Vulnerability Classes)


Advertisement: penetration testing report



1 comment

  1. Saket says:

    Pls send your security blogs and article to the mail id. Its definitely helpful.

Leave a comment

All fields marked (*) are required