5 Features Every Penetration Testing Report Should Contain
By Dr. Rey LeClerc Sveinsson, ERMProtect
Penetration tests (which are also called pen tests, ethical hacking, or white hat attacks) evaluate computer systems for vulnerabilities by simulating cyberattacks. Companies should perform them regularly to ensure their IT infrastructure remains strong and well-protected.
An important deliverable in penetration testing is the final report. Company personnel can use it to systematically identify and fix weak points in their system’s defenses. The penetration testing report provides all the details needed to be able to make meaningful changes to security systems.
When looking for a penetration testing company, it is crucial to find an organization that will give you the most robust and meaningful penetration testing report possible. Typically, a penetration testing report contains the following information:
- Executive Summary
- Scope and Objective
- Details of Penetration Test
- Findings and Recommendations
- References
Penetration Testing Report: Executive Summary
Penetration testing reports typically begin with a high-level summary of the findings. This section provides a concise overview of the test results, ideal for senior management who are looking for actionable takeaways without needing to dig into the entirety of the report.
The summary reveals at a high level how and where gaps were found. Ideally, they should be explained in a way that is easily digestible and accessible to any reader - without deep technical language. The Executive Summary of a penetration testing report should provide clear-cut recommendations for security improvements, covering both short- and long-term goals for enhancing security posture.
Penetration Testing Report: Scope and Objective
This section of the report should be pulled from the statement of work, restating the objective and scope of your effort.
The scope is an important parameter that will define whether the test truly meets company expectations. It sets out which elements of IT infrastructure will be targeted and tested. It includes metrics such as the number of systems to be tested, the number of web applications covered, the number of interviews required to complete an audit of your infrastructure, etc.
Penetration Testing Report: Details of the Penetration Test
This section provides the full narrative required to understand the context of how a simulated attack was carried out and how gaps in security were identified. It provides a detailed walkthrough of the pen tester’s engagement, describing each phase of the attack process and how the pen tester went about compromising the system. Here, we see the details of how the pen tester performed the assessment. For example, if the pen tester used social engineering tactics to compromise the system, the report should detail where the pen tester acquired the information they used, e.g., on the company website, through their LinkedIn page, etc.
In this segment, the assessor would also share exactly how they got into the system (say, through a series of phishing emails to build rapport and trust before sending a malicious link). This section should detail tools used. (It is easier to reproduce the findings when the organization understands the tools that were used on the original test.)
This section should explain the full nature of the outcome. This may show, for instance, that the pen tester was able to inject simulated malware onto an employee’s computer, packaged in a software update installation. Pen testers should discuss the path they took to acquire login credentials, access data, and take other steps to infiltrate the company.
Penetration Testing Report: Findings and Recommendations for Mitigating Risks
Risk remediation is the most important element of the report. After discussing the details of the attack, the pen tester should identify for each vulnerability the likelihood of a compromise and potential impact.
The remediation steps should be placed in order of importance and relevance so that companies can understand what to work on first. Every risk must be labeled as high, medium, or low in priority — ranked by impact and the risk threshold each falls into.
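As an added illustration (not ERMProtect's own methodology), the following Python script shows one way to turn per-finding likelihood and impact ratings into the ordered, high/medium/low-labeled remediation list described above. The scoring scales, thresholds, and sample findings are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass

# Ordinal scale for both likelihood and impact (assumed three-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    title: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"
    remediation: str


def risk_score(f: Finding) -> int:
    """Likelihood x impact on the 1..3 scale gives a score from 1 to 9."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]


def priority(score: int) -> str:
    """Map a score onto a priority band. Thresholds are assumed: 6-9 high, 3-4 medium, 1-2 low."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def remediation_plan(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Return (priority, title, remediation) tuples ordered by score, then impact, so
    the first entry is what the organization should work on first."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -LEVELS[f.impact], f.title))
    return [(priority(risk_score(f)), f.title, f.remediation) for f in ranked]


# Constructed sample findings modeled on the scenarios mentioned in the article.
SAMPLE_FINDINGS = [
    Finding("Phishing email reached employee inbox without warning banner", "high", "medium",
            "Enable external-sender banners and report-phishing button in the mail client."),
    Finding("Unsigned software update installer accepted by workstations", "medium", "high",
            "Enforce code-signing verification and allow-listing for update packages."),
    Finding("Verbose server banner discloses software versions", "high", "low",
            "Suppress version strings in HTTP and SSH banners."),
    Finding("Staff names and roles published on the company website", "medium", "low",
            "Review public staff listings and limit role detail used for pretexting."),
]

if __name__ == "__main__":
    for prio, title, fix in remediation_plan(SAMPLE_FINDINGS):
        print(f"[{prio.upper():6}] {title}\n          -> {fix}")
```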
Penetration Testing Report: References
Finally, the report should include web link resources and references to help an organization quickly identify and understand remediation options.
ERMProtect Conducts Penetration Testing Reports
ERMProtect can help your organization with penetration testing. We have performed thousands of assessments across 35+ industry verticals since our founding in 1998. To learn more, contact us at 305-447-6750 or at [email protected].
About the Author
Dr. Rey Leclerc Sveinsson has over 25 years of experience designing, implementing, and managing enterprise-wide audit, compliance, information security and risk management policies, programs, and infrastructure in support of business strategy and direction.