What Does a Good Penetration Test Report Look Like?
By Alexander Hernandez, ERMProtect IT Security Consulting Manager
As a penetration testing service provider, we understand how painful it can be to go through different vendor reporting formats and risk calculations. Service providers should ensure that customers receive the best quality penetration test report for their investment. This article explains what your organization should expect in a penetration testing report so that you can get the most out of your pen-testing services vendor.
A penetration test report is the end product that acts as a reference for management and technical teams. The methodologies used on the penetration tests may differ based on these parameters:
- What information is supplied to penetration testers (black/gray/white box testing)
- What test cases are included (tools, tactics, and procedures)
- What assets are defined within the scope (network/application/wireless pen tests)
What Information Does Management Need in a Pen Test Report?
Management can get more out of a pen-testing report that includes a summary of observations with the following sections:
- Objective - Each client has a particular need (for example, validating a new application before launch or satisfying a compliance requirement). That need defines the goal of the engagement and therefore the means and actions the testers take, and the report should state it explicitly so the results can be read against it.
- Scope - Each engagement differs based on the testing performed which depends on the environment, needs, and security concerns. The scope can include internal/external/wireless network devices or web applications.
- Limitations - States what the test did not cover and the conditions under which it was performed: the assumed threat model (in general, an unauthorized person with malicious intent trying to gain access to organization systems or data), testing windows, systems excluded from scope, and any constraints such as no denial-of-service testing. Management needs this to understand what the results do and do not prove.
- Executive Summary - Provides a high-level view of the risks and potential business impact. This section provides non-technical insight into the primary security concerns identified during the security assessment and helps management translate security language into a business risk.
- Identified Vulnerabilities - This section often includes visuals in the form of charts and graphs that include the findings, risk ranking, and affected devices.
What Information Does the Technical Staff Need in a Pen Test Report?
Technical teams benefit from a more detailed pen testing report that includes a deep dive into the findings within the following sections:
- Methodology - The approach varies depending on the objective and scope but always concentrates on obtaining access to the client’s high-risk assets and identifying other vulnerabilities that might lead to a compromise.
- Findings and Recommendations - This section includes a detailed view of each finding so that technical teams can understand it and, if needed, replicate the test to confirm that an implemented fix worked. Each finding should include the affected device(s), the name of the finding, its category, a risk explanation with the assigned ranking, evidence and steps to reproduce (commands, requests and responses, or screenshots), the solution/recommendation, and an industry reference (such as a CWE or OWASP entry).
- Appendices - This includes information that is too detailed to include in the main body but helps technical audiences understand the main findings (e.g., DNS information, port scanning, target identification, specific commands used, the output of commands used).
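The management and technical sections above describe the same findings at two levels of detail: a per-finding record with required fields and a roll-up by risk ranking and affected device for the executive charts. The following script, added here as an illustration and not part of ERMProtect's tooling, shows one way to keep a findings set in a machine-readable form, validate that every finding carries the fields a technical reader needs, derive a risk ranking from likelihood and impact, and produce the counts a management summary would chart. The field names, the 3x3 likelihood-by-impact matrix, and the two sample findings are assumptions constructed for the example.

```python
"""Validate pen-test findings and roll them up for the executive summary (example code)."""
from collections import Counter

# Fields every finding must carry; assumed names that mirror the report sections above.
REQUIRED_FIELDS = ("id", "title", "category", "affected", "likelihood", "impact",
                   "description", "recommendation", "reference", "evidence")

# Ordinal scale used for both likelihood and impact (assumption for this example).
LEVELS = ("Low", "Medium", "High")


def risk_rank(likelihood, impact):
    """Derive a risk ranking from a 3x3 likelihood-by-impact matrix (assumed scale)."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    return {0: "Low", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}[score]


def validate(finding):
    """Return a list of problems; an empty list means the finding is report-ready."""
    problems = ["missing %s" % f for f in REQUIRED_FIELDS if not finding.get(f)]
    for f in ("likelihood", "impact"):
        if finding.get(f) and finding[f] not in LEVELS:
            problems.append("%s must be one of %s" % (f, ", ".join(LEVELS)))
    return problems


def executive_rollup(findings):
    """Counts by risk ranking and by affected host, for the management charts."""
    by_risk = Counter()
    by_host = Counter()
    for f in findings:
        by_risk[risk_rank(f["likelihood"], f["impact"])] += 1
        for host in f["affected"]:
            by_host[host] += 1
    return {"by_risk": dict(by_risk), "by_host": dict(by_host)}


def render_finding(finding):
    """Format one finding as the text block a technical reader would see."""
    lines = [
        "%s: %s [%s]" % (finding["id"], finding["title"],
                          risk_rank(finding["likelihood"], finding["impact"])),
        "Category: %s" % finding["category"],
        "Affected: %s" % ", ".join(finding["affected"]),
        "Risk: %s" % finding["description"],
        "Evidence: %s" % finding["evidence"],
        "Recommendation: %s" % finding["recommendation"],
        "Reference: %s" % finding["reference"],
    ]
    return "\n".join(lines)


# Constructed sample findings; hosts, references and text are illustrative only.
SAMPLE_FINDINGS = [
    {"id": "F-01", "title": "Default credentials on management interface",
     "category": "Authentication", "affected": ["10.0.5.12", "10.0.5.13"],
     "likelihood": "High", "impact": "High",
     "description": "Vendor default credentials allow full administrative access.",
     "recommendation": "Change default credentials; enforce unique passwords per device.",
     "reference": "CWE-1392",
     "evidence": "Login succeeded with documented vendor defaults (screenshot 3)."},
    {"id": "F-02", "title": "TLS 1.0 enabled on web service",
     "category": "Cryptography", "affected": ["10.0.5.12"],
     "likelihood": "Low", "impact": "Medium",
     "description": "Legacy protocol version accepted by the server.",
     "recommendation": "Disable TLS 1.0 and 1.1; allow TLS 1.2+ only.",
     "reference": "CWE-326",
     "evidence": ""},  # deliberately incomplete: evidence has not been attached yet
]


def report_ready(findings):
    """Map finding id -> list of problems for every finding that is not ready."""
    return {f["id"]: validate(f) for f in findings if validate(f)}


if __name__ == "__main__":
    print(executive_rollup(SAMPLE_FINDINGS))
    print(report_ready(SAMPLE_FINDINGS))
    print(render_finding(SAMPLE_FINDINGS[0]))
```

Running the validation before the report is issued catches findings that a technical reader could not reproduce (here F-02 has no evidence attached), while the roll-up gives the management section its counts per ranking and per device without anyone re-tallying by hand.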
Conclusion
A good penetration testing report should include the security issues identified, their risk rankings, and recommendations, giving you the evidence to demonstrate:
- Which security controls held up under testing
- That no publicly known, exploitable vulnerabilities were found on the devices in scope at the time of testing (a point-in-time result, not a guarantee that none exist)
During our 24 years in business, ERMProtect has performed thousands of penetration tests for clients in 35+ industry verticals. To learn more about our penetration testing services, email [email protected].
About the Author
Alexander Hernandez is an Information Security Consultant Manager at ERMProtect Cybersecurity Solutions where he performs penetration tests, vulnerability assessments, and incident response. He holds a master's degree in Systems Engineering from Johns Hopkins University. His certifications include CISSP, GPEN, GCIH, CEH, CCFC, and CRC.