Report Penetration Test Findings
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the importance of writing a penetration test report.
- List the pertinent sections of a penetration test report.
- Explain the importance of returning target systems to pre-test state (cleanup).
Phase 5: Write the Penetration Test Report
The next step of any penetration test is to document your results in a reporting format agreed upon with your customer. This report should include a description of your methodology, the vulnerabilities you discovered, the level of risk each one poses, and your recommendations for remediation. You present this report to the client, providing them with the insights they need to strengthen their cybersecurity defenses. You can view examples of pentesting reports here.
Preparing the report requires that you take detailed notes throughout the test’s execution. During the test, you should grab screenshots of anything that would be useful in the report. Be sure to document findings as they occur rather than waiting until the report writing phase to record the testing results.
Sections of a Penetration Test Report
Note: The below sections are for use as a guide for informational purposes only. It’s important you follow whatever format your organization or client uses.
A penetration test report typically consists of seven sections:
- Executive Summary: A concise overview of the test, highlighting key findings, risks, and potential business impacts. It's tailored for senior management and provides a high-level understanding of the test's outcomes.
- Introduction: This section sets the context of the report, including the purpose of the penetration test, scope, and objectives. It may also outline the tested environment and relevant background information.
- Methodology: Describes the approach, tools, and techniques used in the penetration test. This includes the types of tests performed (e.g., black box, white box, gray box) and any testing frameworks or standards followed.
- Findings: Detailed information on each vulnerability discovered during the test, including its location, description, proof of concept, impact assessment, and potential exploitability.
- Recommendations: Specific advice on how to remediate the identified vulnerabilities, prioritized based on the risk assessment. This section provides actionable steps for improving security.
- Conclusions: Summarizes the overall state of security and the implications of the findings. This section provides a high-level overview of the security posture and potential next steps.
- Appendices: Supplementary material that supports the report, such as detailed technical data, code snippets, additional graphs or charts, and full lists of vulnerabilities and exploits.
Each part of the report plays a crucial role in ensuring that the findings are comprehensible, actionable, and relevant to different stakeholders within the organization.
Generally, a penetration test report is designed to cater to different audiences within an organization, each with its own interests and responsibilities. Understanding these audiences and the sections of the report they are most interested in can help tailor the report to be more effective and actionable for each group.
- Executives:
  - Primary Interest: Executive Summary.
  - Why: Need a high-level overview to make strategic decisions quickly.
  - Sample Report Findings: "Critical vulnerabilities in user authentication and data encryption could lead to significant data breaches and non-compliance with data protection regulations."
  - Potential Action: Decision makers allocate a budget for urgent security upgrades, review compliance strategies, and direct a company-wide initiative for enhanced cybersecurity training.
- Business managers:
  - Primary Interest: Sections relevant to their specific business operations (e.g., HR, Contracting) and overall business impact analysis.
  - Why: To understand the impact on their service continuity and customer data.
  - Sample Report Findings: "The e-commerce checkout process is susceptible to cross-site scripting (XSS), risking customer data exposure and financial transaction integrity."
  - Potential Action: Financial management leadership works with IT to prioritize fixing the XSS vulnerability, reassess web application security measures, and communicate with customers about steps taken to protect their data.
- Technical team/engineers/operators:
  - Primary Interest: Detailed technical information about vulnerabilities.
  - Why: To understand the technical specifics for effective remediation.
  - Sample Report Findings: "SQL Injection vulnerability found in the login page; outdated SSL/TLS protocols in use; insufficient input validation leading to potential data breaches."
  - Potential Action: The System Owner works with security engineers to implement immediate patches for the SQL Injection vulnerability, upgrade security protocols, enhance input validation processes, and conduct a thorough review of the web application’s security architecture.
Each group uses the specific findings from the penetration test report to inform their respective actions, contributing to a comprehensive and coordinated response to enhance the security of the web application and the overall security posture of the organization.
Penetration testing reporting is a critical component of the cybersecurity process. It serves as the culmination of a penetration test, providing a detailed account of the findings and the potential impact to the organization. It’s not just a procedural step, but a vital tool for guiding strategic security decisions and fostering a culture of continuous security improvement.
Your Actions:
- Tools Used: A reporting tool (e.g., Automated PenTesting Reporting System) and office suite software for document creation and results tracking.
- Output: You compiled a detailed report including an executive summary, methodology, detailed findings, and recommendations. The report documented each vulnerability, how it was exploited, and the potential impact, and provided prioritized remediation strategies. You then presented the report to the client for review and action.
Return Target Systems to Pre-Test State
You have completed reporting the results of the penetration test, and your task is nearing completion. However, before concluding, it's essential to perform a thorough cleanup of the client's systems and networks. Cleanup involves restoring the client’s systems and networks to their original state and removing all scripts, installed executable files, temporary files, and backdoors.
During this process you return the system configuration to its original, pre-engagement state. Efficiently managing this phase requires meticulous tracking of all payloads and changes made during every phase of the testing. Keeping detailed records of these actions simplifies the restoration process, ensuring that the client's environment is securely and accurately restored to its initial condition.
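One way to keep the change records described above is a simple ledger that is updated as each change is made and queried at cleanup time. This is an added example, not part of the original module; the `Change` fields, host names, phase labels, and artifacts are hypothetical, constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Change:
    host: str
    phase: str                # engagement phase in which the change was made
    kind: str                 # "file", "account", "config", ...
    target: str               # path, account name or setting that was touched
    original: Optional[str]   # pre-test value; None = did not exist before
    reverted: bool = False    # set to True once cleanup is verified

def outstanding(ledger):
    """Unreverted changes per host, most recent first (undo in reverse)."""
    todo = defaultdict(list)
    for change in reversed(ledger):
        if not change.reverted:
            todo[change.host].append(change)
    return dict(todo)

def cleanup_action(change):
    """Items created during the test are removed; modified ones restored."""
    if change.original is None:
        return f"remove {change.kind} {change.target}"
    return f"restore {change.kind} {change.target} to {change.original!r}"

def cleanup_report(ledger):
    """Checklist lines for the report appendix or the cleanup sign-off."""
    lines = []
    for host, changes in sorted(outstanding(ledger).items()):
        lines.append(f"{host}:")
        lines += [f"  [{c.phase}] {cleanup_action(c)}" for c in changes]
    return lines or ["all recorded changes reverted"]

# Constructed sample ledger (hypothetical hosts and artifacts).
LEDGER = [
    Change("web01.example.test", "exploitation", "file", "/tmp/pt-upload.sh", None),
    Change("web01.example.test", "exploitation", "config", "sshd PermitRootLogin", "no"),
    Change("db01.example.test", "post-exploitation", "account", "pt_tester", None, reverted=True),
]

if __name__ == "__main__":
    print("\n".join(cleanup_report(LEDGER)))
```

Recording the pre-test value at the moment of the change is what makes the restore step verifiable later; an entry with no original value marks something the test created and must remove.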
Sum It Up
In this module, you've planned a penetration testing engagement, collected information about target systems, exploited vulnerabilities, and provided a detailed and actionable report to the client.
Along with the information you reviewed in the Penetration Testing Module, you should now have a better understanding of what it takes to be a penetration tester. You can learn more about the in-demand cybersecurity skills necessary to get a job in penetration testing, or another field, and learn more from real security practitioners by visiting the Cybersecurity Learning Hub on Trailhead.
Resources
- External Site: ScienceDirect: Penetration Testing Report
- PDF: PCI Security Standards Council (PCI SSC): Penetration Testing Guidance
- PDF: U.S. General Services Administration: GSA IT: Conducting Penetration Test Exercises
- External Site: Hack The Box: Penetration testing reports: A powerful template and guide