Executive Summary: Overview of the report that includes
An outline of what you were hired to do, the company that hired you, the date range of the test, the intended purpose of the test, and the 'general scope' of the type of test performed
The introduction shows the testing period and goals, the general scope, vulnerability findings, observations, mitigation, and good habits.
The most critical findings and weaknesses found in the test. Findings are categorized by severity levels:
How many critical, high, medium, low and informational vulnerabilities were found
Tallies up the totals based on the type of report (internal, external)
Quickly highlights the impact these vulnerabilities have
Security posture: Refers to the overall strength a company has to defend against attacks. This portion of the report looks at the current results and assesses areas of strength and weakness.
Recommendations for mitigation and remediation of the identified vulnerabilities, explaining the potential impact of each finding and suggesting ways to improve security.
Takeaways from the test that emphasize the urgency of addressing the major issues, closing out your statements with highlights of the mitigation and remediation suggestions above.
A scope chart displaying the in-scope systems, networks, and applications, and the out-of-scope limitations of the test
Methodology: A more in-depth explanation of the testing approach, the tools and techniques used, and a description of the phases that occur.
These charts are typically part of the summary of findings section, which includes definitions of what critical, high, medium, low and informational risks actually are.
Findings: A VAPT-style chart that displays the summary of issues found on all the systems
The look and style of these vary depending on how the report looks, so you can tailor it as needed. These can be done in various ways, including simply writing everything out with screenshots of the process.
A detailed finding should:
Provide an in-depth description of the vulnerability
Explain what you found, how you found it, and where
Explain the methodology you used to exploit it
Give the reader useful resources to check out
Explain how to fix the issue
State what you were able to do because of the finding
Provide clear screenshots of the process
Show the commands you used
Risk Assessment: Detailed risk analysis for each identified vulnerability, its likelihood and potential impact on the business, and the overall risk rating for the organization
Conclusion
Summary of key findings and their implications.
Recognition of any successful security measures
Acknowledgment of areas with strong security posture
Appendices: Supporting documentation (scan results, logs, diagrams, or other documentation that can be included with the report)
NOTE: Doesn't need to be in a table, since styling depends on the template made/used.
References: A list of the citations referenced in the report that readers can check. Be sure to follow the citation standard in use.
Glossary: Definitions of technical terms and acronyms used in the report