The art of Report Writing by Penetration Testers
Penetration testing is the process of evaluating the security of a network, system, or applications. It is performed with the consent of the management, and therefore, the act is legal. Carrying out a penetration test requires specific formalities and the pentester should document the complete process justifying the outcome. The report is the only tangible output of the pentest and is also evidence that the testing has been performed. It is the report that is sellable and therefore, a penetration tester should take utmost care in drafting the best one. There are several tips and steps for an effective penetration testing report.
A penetration testing report is a summary of the pentesting process, the vulnerabilities identified, and recommendations to mitigate them. A penetration test that follows a confirmed, regulated, and observed process can be summarized in an effective, unbiased report.
Key points to consider before writing a penetration testing report:
- Identify and define the goals of penetration testing.
- Define the area for penetration testing.
- Understand plausible impacts.
- Draft the testing process and related techniques.
Specific elements that a penetration tester should define and agree with the client:
- Non-disclosure agreement
- Scope of the engagement
- Duration and schedule
- Methodology
- Objective and goals
- Liabilities
The most widely agreed penetration testing report structure is as follows:
1. Summarizing the project
The report opens with a project briefing that covers the purpose, objective, and goal of the testing process. It summarizes the subject matter, methods of analysis, findings, conclusions, recommendations, and limitations of the report. Even though there is much to explain about the whole process, the penetration tester should keep it concise and precise.
2. Project details
In this section, the penetration tester describes the project approach, the process used, and the defined scope. The scope of the penetration testing might be, for example, the wifi network in Region 1 and the wireless network in Region 2.
3. Company information
The report also explains details of the organization, type of business, target clients, the scope of the business, and other legitimate information. It includes details of team members involved, their qualifications, job roles, responsibilities, etc.
4. Listing risks based on the severity
To keep the report structured, list the findings by severity. High-risk vulnerabilities should be prioritized and listed first, followed by low-risk findings. The format can be as follows:
Findings | Description | Details | Severity | Recommendations |
Source: Peerlyst
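One way to produce the severity-ordered table described above, as an added example that is not part of the original article. The severity scale, the function names, and the sample findings are assumptions made for illustration; the column names are the ones listed in the article.

```python
COLUMNS = ["Findings", "Description", "Details", "Severity", "Recommendations"]
# Assumed severity scale, highest risk first; the article only names high and low.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]
RANK = {name.lower(): i for i, name in enumerate(SEVERITY_ORDER)}

def validate(finding):
    """Return the problems that would make this row unusable in a report."""
    problems = [f"missing {c}" for c in COLUMNS if not str(finding.get(c, "")).strip()]
    sev = str(finding.get("Severity", "")).strip().lower()
    if sev and sev not in RANK:
        problems.append(f"unknown severity {finding['Severity']!r}")
    return problems

def order_findings(findings):
    """Sort highest severity first; sorted() is stable, so ties keep input order."""
    bad = {f.get("Findings", "<unnamed>"): p for f in findings if (p := validate(f))}
    if bad:
        raise ValueError(f"incomplete findings: {bad}")
    return sorted(findings, key=lambda f: RANK[f["Severity"].strip().lower()])

def cell(value):
    """Keep a cell on one line and stop '|' in evidence from breaking the columns."""
    return " ".join(str(value).split()).replace("|", "\\|")

def render_table(findings):
    """Render the ordered findings as pipe-delimited rows under the header."""
    rows = [" | ".join(COLUMNS) + " |"]
    for f in order_findings(findings):
        rows.append(" | ".join(cell(f[c]) for c in COLUMNS) + " |")
    return "\n".join(rows)

# Constructed sample findings, for illustration only.
SAMPLE = [
    {"Findings": "Verbose server banner", "Description": "Version disclosed in headers",
     "Details": "Server header on web01", "Severity": "low",
     "Recommendations": "Suppress version banners"},
    {"Findings": "Default admin password", "Description": "Vendor default still set",
     "Details": "Router in Region 1 | wifi segment", "Severity": "High",
     "Recommendations": "Rotate credentials; enforce password policy"},
    {"Findings": "Outdated TLS configuration", "Description": "Legacy protocol enabled",
     "Details": "Wireless portal in Region 2", "Severity": "Medium",
     "Recommendations": "Disable legacy protocol versions"},
]

if __name__ == "__main__":
    print(render_table(SAMPLE))
```

A finding with an empty column or an unrecognized severity label raises an error instead of silently landing at the bottom of the table.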
5. Disclaimer
A disclaimer is a very important part of a report. As a penetration tester, you are liable for listing the vulnerabilities, explaining their consequences, and recommending their mitigation within the given scope, tools, and defined external factors. These consequences may turn out differently if any of the influencing factors change. A disclaimer at the end of the report summarizes the liability and defines the limits of penetration testing.
Improve your report writing skills with ECSA
EC-Council Certified Security Analyst (ECSA) is a penetration testing program that provides seamless learning in continuation to C|EH. It is a highly interactive and comprehensive pentesting program that presents a set of distinguishable methodologies to cover different pentesting requirements across different verticals. The program is mapped to the NICE 2.0 Framework and offers hands-on learning blended with manual and automated penetration testing approaches. The most unique feature of ECSA is that it has a dedicated module on report writing. The program offers guidance on writing comprehensive and valuable penetration testing reports. Because the report is the only document that justifies the tester's penetration testing process, it should be drafted with the target audience in mind. ECSA focuses on building effective report writing skills that distinguish a penetration tester from a successful one.