Pentest Report General Considerations

A Penetration Test Report is the most important artifact you will provide your client.  If done correctly, it summarizes the key findings for both management and technical staff.  This is the artifact where you, as a pentester, have one chance to help the client understand the risks you have detected and to energize their drive to make key risk decisions regarding remediation.  There are a few important factors to consider when generating your pentest report:
 

1.  What was the scope and intent of the client's pentest?

Does the report map to those outcomes?

2.  If risks were detected, how do they correlate to business imperatives?

Does the mapping relate to industry or regulatory controls?

3.  Is there empirical data that supports modifying the risk level of a finding?

How will you highlight and document these modified findings and detail the factors considered in their new ratings?

4.  Does the finding correlate to any signs of past or active exploitation attempts on the host?

 

Here is a list of general guidelines to consider:
 

  • A good Penetration Test Report should present its information in an organized, hierarchical flow. 

  • Each Top-Level section should be broken down into logical sub-sections that provide relevant details. 

    • Never bury nth-degree details in the body of a report. 

    • Provide highly technical details (e.g. relevant technical writing about the exploit used, code snippets, etc…) in an Addendum.  This allows a logical distribution of the materials to only those who need that level of information.

    • Always include the following minimum Top-Level Sections:

      • Index (include page numbers for quick access to the data provided)

      • Executive Summary (never more than one page, front and back)

      • Scope (include both in-scope and out-of-scope boundaries)

      • Methodology (Crystal, Black, White, Grey, Hybrid, etc…)

      • Findings

  • Consider sub-dividing larger reports into logical zones (e.g. External, Internal, etc…)

  • Graphics are an effective way to relate large data sets in a quickly consumable form

    • Only use for key data points

    • Ensure the image clearly depicts the information / trend

    • Place a reference to the detailed supporting data within the figure or table; provide that detail in the Addendum

  • Ensure your legal team helps you craft a disclaimer for the back of the report cover that addresses:

    • The test reflects the configurations as of that moment in time

    • The test is considered a reasonable effort based on time, scope, and known vulnerability methods

    • The report should not be considered a compendium of all possible risk avenues

    • The report is licensed to the client and must be provided in its entirety to any 3rd parties

      • Extracting sub-sections or portions of findings violates the intellectual property license of this deliverable (this prevents cherry-picking of results that could be inaccurately or incompletely portrayed)

  • Where appropriate, place regulatory distribution and discovery restriction notices on the report cover and footer.

    • This addresses accidental or inappropriate disclosure questions under public records acts

  • Provide raw outputs and native data files where relevant

    • If using 3rd party tools, do not mask or scrape findings; use the native reporting outputs

      • Help the client understand how you arrived at your findings using industry-accepted tools and methods

    • If data files can be viewed using freely distributed viewers, provide them if licensing allows, or provide a link for the client to download them (as appropriate).  This adds value to your deliverables.

  • Embrace grammar and spell check!  Some clients can get lost in the minutiae of the report if the grammar is poor

  • Always provide an out-briefing presentation that summarizes the key points

    • Never discuss being paid in the presentation or report

    • Deliver the content electronically and ensure the invoice is included in the package in both electronic and hard copy.

Pentest-Zen (ExitC0de00c.com)