
5 Features Every Penetration Testing Report Should Contain

By Dr. Rey LeClerc Sveinsson, ERMProtect

Penetration tests (which are also called pen tests, ethical hacking, or white hat attacks) evaluate computer systems for vulnerabilities by simulating cyberattacks. Companies should perform them regularly to ensure their IT infrastructure remains strong and well-protected.

An important deliverable in penetration testing is the final report. Company personnel can use it to systematically identify and fix weak points in their system’s defenses. The penetration testing report provides all the details needed to be able to make meaningful changes to security systems.

When looking for a penetration testing company, it is crucial to find an organization that will give you the most robust and meaningful penetration testing report possible. Typically, a penetration testing report contains the following information:

  1. Executive Summary
  2. Scope and Objective
  3. Details of Penetration Test
  4. Findings and Recommendations
  5. References

Penetration Testing Report: Executive Summary

Penetration testing reports typically begin with a high-level summary of the findings. This section provides a concise overview of the test results, ideal for senior management who are looking for actionable takeaways without needing to dig into the entirety of the report.

The summary reveals at a high level how and where gaps were found. Ideally, they should be explained in a way that is easily digestible and accessible to any reader, without deep technical language. The Executive Summary of a penetration testing report should provide clear-cut recommendations for security improvements, covering both short- and long-term goals for enhancing security posture.

Penetration Testing Report: Scope and Objective

This section of the report should be pulled from the statement of work, restating the objective and scope of your effort.

The scope is an important parameter that will define whether the test truly meets company expectations. It sets out which elements of IT infrastructure will be targeted and tested. It includes metrics such as the number of systems to be tested, the number of web applications covered, the number of interviews required to complete an audit of your infrastructure, etc.

Penetration Testing Report: Details of the Penetration Test

This section provides the full narrative required to understand the context of how a simulated attack was carried out and how gaps in security were identified. It provides a detailed walkthrough of the pen tester’s engagement, describing each phase of the attack process and how the pen tester went about compromising the system. Here, we see the details of how the pen tester performed the assessment. For example, if the pen tester used social engineering tactics to compromise the system, the report should detail where the pen tester acquired the information they used, e.g., on the company website, through their LinkedIn page, etc.

In this segment, the assessor would also share exactly how they got into the system (say, through a series of phishing emails to build rapport and trust before sending a malicious link). This section should detail tools used. (It is easier to reproduce the findings when the organization understands the tools that were used on the original test.)

This section should explain the full nature of the outcome. This may show, for instance, that the pen tester was able to inject simulated malware onto an employee’s computer, packaged in a software update installation. Pen testers should discuss the path they took to acquire login credentials, access data, and take other steps to infiltrate the company.

Penetration Testing Report: Findings and Recommendations for Mitigating Risks

Risk remediation is the most important element of the report. After discussing the details of the attack, the pen tester should identify for each vulnerability the likelihood of a compromise and potential impact.

The remediation steps should be placed in order of importance and relevance so that companies can understand what to work on first. Every risk must be labeled as high, medium, or low in priority — ranked by impact and the risk threshold each falls into.
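The likelihood/impact rating and high/medium/low ordering described above can be made mechanical so that the findings table in the report is reproducible. The script below is an added example and is not code from the article or from ERMProtect; the three-step scales, the score formula (likelihood times impact), the high/medium/low thresholds, and the sample findings are all assumptions constructed for illustration.

```python
"""Prioritise pen-test findings by likelihood and impact (added example).

Assumptions (not from the article): likelihood and impact are each rated
low/medium/high and mapped to 1/2/3; the score is their product; a score of
6 or more is a HIGH priority, 3 to 5 is MEDIUM, below 3 is LOW. Ties are
broken by impact, then by title, so the most damaging issue is listed first.
"""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}


def rate(score: int) -> str:
    """Map a numeric risk score to a priority label (thresholds are assumed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Finding:
    title: str
    likelihood: str   # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"
    remediation: str
    score: int = field(init=False)
    priority: str = field(init=False)

    def __post_init__(self) -> None:
        # Reject typos such as "High" or "critical" early so the table is consistent.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{name} must be one of {sorted(LEVELS)}, got {value!r}")
        self.score = LEVELS[self.likelihood] * LEVELS[self.impact]
        self.priority = rate(self.score)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Order findings so the report lists what to fix first."""
    return sorted(findings, key=lambda f: (-f.score, -LEVELS[f.impact], f.title))


def render_table(findings: list[Finding]) -> str:
    """Render the prioritised findings as a Markdown table for the report."""
    rows = [
        "| # | Priority | Finding | Likelihood | Impact | Remediation |",
        "|---|----------|---------|------------|--------|-------------|",
    ]
    for i, f in enumerate(prioritise(findings), start=1):
        rows.append(
            f"| {i} | {f.priority.upper()} | {f.title} | {f.likelihood} "
            f"| {f.impact} | {f.remediation} |"
        )
    return "\n".join(rows)


# Constructed sample findings, not results from any real engagement.
SAMPLE_FINDINGS = [
    Finding("Outdated TLS configuration on public site", "medium", "low",
            "Disable legacy protocol versions and weak cipher suites"),
    Finding("Phishing-delivered payload executed on workstation", "high", "high",
            "Enforce attachment sandboxing and user awareness training"),
    Finding("Verbose server banners disclose software versions", "high", "low",
            "Suppress version strings in server responses"),
    Finding("Default credentials on internal admin console", "medium", "high",
            "Rotate credentials and enforce a password policy"),
]

if __name__ == "__main__":
    print(render_table(SAMPLE_FINDINGS))
```

Running the block prints a four-row table with the phishing finding first (score 9, HIGH), the default-credentials finding second (score 6, HIGH), the banner disclosure third (score 3, MEDIUM) and the TLS configuration last (score 2, LOW). Because the thresholds live in one function, a team that prefers a different risk matrix only has to change `rate` and `LEVELS`.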

Penetration Testing Report: References

Finally, the report should include web link resources and references to help an organization quickly identify and understand remediation options.

ERMProtect Conducts Penetration Testing Reports

ERMProtect can help your organization with penetration testing. We have performed thousands of assessments across 35+ industry verticals since our founding in 1998. To learn more, contact us at 305-447-6750 or at [email protected].
