5 Features Every Penetration Testing Report Should Contain
By Dr. Rey LeClerc Sveinsson, ERMProtect
Penetration tests (which are also called pen tests, ethical hacking, or white hat attacks) evaluate computer systems for vulnerabilities by simulating cyberattacks. Companies should perform them regularly to ensure their IT infrastructure remains strong and well-protected.
An important deliverable in penetration testing is the final report. Company personnel can use it to systematically identify and fix weak points in their system’s defenses. The penetration testing report provides all the details needed to be able to make meaningful changes to security systems.
When looking for a penetration testing company, it is crucial to find an organization that will give you the most robust and meaningful penetration testing report possible. Typically, a penetration testing report contains the following information:
- Executive Summary
- Scope and Objective
- Details of Penetration Test
- Findings and Recommendations
Penetration Testing Report: Executive Summary
Penetration testing reports typically begin with a high-level summary of the findings. This section provides a concise overview of the test results, ideal for senior management who are looking for actionable takeaways without needing to dig into the entirety of the report.
The summary reveals at a high-level how and where gaps were found. Ideally, they should be explained in way that is easily digestible and accessible to any reader - without deep technical language. The Executive Summary of a penetration testing report should provide clear-cut recommendations for security improvements, covering both short and long-term goals for enhancing security posture.
Penetration Testing Report: Scope and Objective
This section of the report should be pulled from the statement of work, restating the objective and scope of your effort.
The scope is an important parameter that will define whether the test truly meets company expectations. It sets out which elements of IT infrastructure will be targeted and tested. It includes metrics such as the number of systems to be tested, the number of web applications covered, the number of interviews required to complete an audit of your infrastructure, etc.
Penetration Testing Report: Details of the Penetration Test
This section provides the full narrative required to understand the context of how a simulated attack was carried out and how gaps in security were identified. It provides a detailed walkthrough of the pen tester’s engagement, describing each phase of the attack process and how the pen tester went about compromising the system. Here, we see the details of how the pen tester performed the assessment. For example, if the pen tester used social engineering tactics to compromise the system, the report should detail where the pen tester acquired the information they used, e.g., on the company website, through their LinkedIn page, etc.
In this segment, the assessor would also share exactly how they got into the system (say, through a series of phishing emails to build rapport and trust before sending a malicious link). This section should detail tools used. (It is easier to reproduce the findings when the organization understands the tools that were used on the original test.)
This section should explain the full nature of the outcome. This may show, for instance, that the pen tester was able to inject simulated malware onto an employee’s computer, packaged in a software update installation. Pen testers should discuss the path they took to acquire login credentials, access data, and take other steps to infiltrate the company.
Penetration Testing Report: Findings and Recommendations for Mitigating Risks
Risk remediation is the most important element of the report. After discussing the details of the attack, the pen tester should identify for each vulnerability the likelihood of a compromise and potential impact.
The remediation steps should be placed in order of importance and relevance so that companies can understand what to work on first. Every risk must be labeled as high, medium, or low in priority — ranked by impact and the risk threshold each falls into.
Penetration Testing Report: References
Finally, the report should include web link resources and references to help an organization quickly identify and understand remediation options.
ERMProtect Conducts Penetration Testing Reports
ERMProtect can help your organization with penetration testing. We have performed thousands of assessments across 35+ industry verticals since our founding in 1998. To learn more, contact us at 305-447-6750 or at [email protected].
Get a curated briefing of the week's biggest cyber news every Friday.
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.
Intelligence and Insights