Executive Summary: Overview of the report that includes
An example of what a report title might look like (different companies have their own templates) An introduction about what you were hired for An outline what you were hired to do, the company that hired you, the date range of the test, the intended purpose of the test, and the 'general scope' of the type of test performed
The introduction shows the testing period and goals, the general scope, vulnerability findings, observations, mitigation and good habits.
The most critical findings and weaknesses found in the test. Findings are categorized by severity levels:
How many critical, high, medium, low and informational vulnerabilities were found
Tallies up the totals based on the type of report (internal, external)
Quickly highlights the impact these vulnerabilities have
Refers to the overall strength a company has to defend against attacks. This portion of a report looks at the current results and assesses areas of strength and weaknesses.
Recommendations for mitigation and remediation of identified vulnerabilities while explaining potential impact of findings. Suggests ways to improve security.
Takeaways from the test that emphasize the urgency of addressing major issues, and closing out your statements with highlights of the above for mitigation and remediation suggestions.
An example of what one of these scope charts might look like A chart displaying the in-scope systems, networks, and applications, and the out-of-scope limitations to the test
Methodology: A more in-depth explanation of testing approach, tools and techniques used and a description of the phases that occur.
Charts help explain and summarize findings These charts typically are a part of the summary of findings section which includes definitions of what critical, high, medium, low and informational risks actually are.
Findings: A VAPT style chart that displays the summary of issues found on all the systems
An example of a detailed finding for a report The look and style of these varies depending how the report looks, so you can tailor it as needed. These can be done in various ways, including just writing everything out with screen shots of the process.
A detailed finding should:
Provides an in-depth description of the vulnerability
Explains what, how, where, you found it
Explains your methodology in how you exploited it
Gives the reader nice resources to check out
Explains how to fix the issue
What you were able to do because of your finding
Provides nice screenshots of the process
Helps show what commands you used
Risk Assessment: Detailed risk analysis for each identified vulnerability, the likelihood and potential impact on business and the overall risk rating for the organization
Conclusion
Summary of key findings and their implications.
Recognition of any successful security measures
Acknowledgment of areas with strong security posture
Appendices: Supporting documentation (scan results, logs and diagrams, or documentation that can be included with the report)
An example of a table that shows what output files are available NOTE: Doesn't need to be in a table, since styling is dependent on the template made/used.
Basically a list of citation that you can provide for users to check on referenced in the report. Be sure to check citation standards in use.
An example of a Glossary of Terms intended to help non-technical users gain understanding of the topic Definitions of technical terms and acronyms used in the report
