The strongest proof of your work and expertise is the pentest reports you deliver. They capture your investigative skills, razor-sharp critical thinking, and creative hacking abilities. So your reports better be great.
Looking to impress your team or clients with outstanding pentest reports? You're in luck!
Delve into the collective wisdom of 10 seasoned offensive security professionals who've generously shared their insider tips on mastering the art of pentest reporting.
If you are a pentester, software dev, sys admin/engineer, or IT manager, you’ll get plenty of actionable tips you can apply to deliver exceptional pentest reports.
What sets a good pentest report apart from a bad one
A great pentest report is pivotal in communicating the high-risk vulnerabilities you uncovered during the testing process. It’s the one document highlighting the weaknesses in the organization's security posture that gets passed around the company. Since many key people will read it, it needs to provide clear, actionable explanations and mitigation recommendations.
Here are 3 evergreen insights to use as reporting guidelines:
Segev Eliezer - “Clients typically skim through attack narratives in penetration test reports”, so “a good penetration test report is concise and easy to read for the client”
Darius Moldovan - “The most important thing is to explain a vulnerability, whether critical or low, as simply as you can” because “the purpose of a report is to help the customer solve their security problems”
Alexei Doudkine - “The real value in a pentest report comes from showing the true impact on the business.”
Penetration Tester at Security Scorecard | Global top 0.1% at TryHackMe & HacktheBox
Segev highlights the importance of writing a clear and self-explanatory pentest report focused on well-explained findings.
A good penetration test report is concise and easy to read for the client. It should allow technical readers to obtain the information they need to patch vulnerabilities, while at the same time allowing non-technical readers to understand the impact of the findings.
This is in contrast with a penetration testing report that contains an attack narrative, as this is typically lengthy and verbose (note that this is not necessarily true with red team reports). I have found that clients typically skim through attack narratives in penetration test reports, but when findings are analyzed in detail, they become much easier to understand and remediate.
Penetration Tester at Bit Sentinel
Here’s what he believes makes the difference:
[We might have] the tendency to believe that the people reading the report have the same experience as we do.
The most important thing is to explain a vulnerability, whether critical or low, as simply as you can, because the person needs to understand the impact on the organization.
After all, the purpose of a report is to help the customer solve their security problems with their applications, infrastructure etc., not to show how complex and misunderstood this area is.
Keep it simple and on topic.
Co-founder | Offensive Security Director at Volkis
Alexei brings two words to the table: "Context" and "Impact".
I always tell my team, "Context is king". A good report will take that specific client's circumstances into account, and make recommendations that make sense to them.
For example, telling a hospital to use MFA to access patient data won't work. Can you even have a phone for the MFA code inside an operating theatre?
Similarly with impact. The impact of a vulnerability should be tied to the specific client's business impact. If I read an impact like, "it allows code execution on a server," at best the consultant hasn't taken the time to understand the real impact to that client, and, at worst, has just copied/pasted from a scan template.
The real value in a pentest report comes from showing the true impact on the business. Impact like, "This could result in the MRI scanner not being operable." We apply the "so what?" test if an impact is unclear:
"I can access a server" - So what?
"It means I can pull down people's passwords" - So what?
"I can get the CEO's password, go into ASIC, and change the legal name of their company, causing confusion and reputational damage" - Nice!
Ultimately, the pentest report is the only tangible thing the client receives. So it needs to speak to what was actually done during the pentest. It should be information dense, without any fluff and filler language. Is a 200-page report really going to be read in detail, or can it be condensed to just the meaningful, actionable content and be more palatable at 50 pages?
Frequent mistakes when writing pentest reports
Crafting an effective penetration testing report is easier when you know which key mistakes to avoid.
Four out of our 10 contributors highlight some of the most frequent pitfalls they’ve seen others (or themselves) fall into.
Tim Connell - “Companies need more than just a description of what the vulnerability is.”
Gabrielle Botbol - “Unfortunately, it is all too common to see pentest reports fail to communicate the risks effectively, leaving the customer unsure of what to do next”
Aaron Boyd - “Blatant copying of information from third-party resources without attribution or credit to the original authors”
Ait Benam Abrahim - “Lack of details on detected vulnerabilities and ineffective communication with stakeholders.”
Director of Cybersecurity Services Delivery | Senior Security Consultant at Pulsar Security
The most frequent mistake seen with pentest report writing is an insufficient amount of information that explains the risk of the vulnerabilities found, whether based on an individual finding or the overall risk to business operations. This impacts productivity and, as a result, revenue.
Companies need more than just a description of what the vulnerability is. They need to understand what the vulnerability is, its impact on the business if successfully exploited, and the likelihood of exploitation based on the threat.
Customers also need to understand how to remediate the vulnerabilities found, which requires a walkthrough of how the vulnerability was found. Most companies do not have the resources to manually hunt for each individual vulnerability outlined in the report. They need assistance and direction, which they hope the pentester will provide in the report.
Another mistake commonly seen in pentest reports is not properly explaining risk at both the technical and business level, which not only helps the technical team remediate the issues found, but gets the buy-in from the business to invest time and energy into performing the remediation.
Most technical teams struggle with getting buy-in from the business to invest in security, and it is the pentester’s job to help the business understand what the outcome could be if the risk is not resolved.
Ethical hacker & Award-winning Pentester | Speaker | Mentor
According to Gabrielle, delivering well-crafted reports to clients is just as important as uncovering and validating vulnerabilities in the first place.
Here are 8 things she recommends you pay attention to:
Unfortunately, it is all too common to see pentest reports that fail to communicate the risks effectively, leaving the customer unsure of what to do next.
Understanding the target is crucial
It is essential to have a complete understanding of the target to explain vulnerabilities in business terms. This way, we can explain complex technical issues in a way that the customer can easily understand.
Clear and detailed executive summary
The executive summary is the first thing the customer will read. Therefore, it should be concise and highlight the most critical vulnerabilities and their potential impact in the customer context.
Anyone should be able to understand it and, most of all, understand the impact it can have in business terms.
While the executive summary is critical, it is equally important to provide detailed technical information on each vulnerability identified.
To write a comprehensive report, it is necessary to explain each vulnerability in detail, including how to exploit it and its impact on the system or application. Furthermore, it is essential to have taken detailed notes and screenshots during the attack phase to make it more understandable.
The technical team should be able to reproduce every exploitation step by reading this part, including the context.
Put each vulnerability in the context of the system or application being tested. This way, the impact of each of them has to be explained according to the context. Indeed, providing a comprehensive assessment of the risk a vulnerability poses and the impact it could have is essential.
It is important to provide links to good resources that explain the findings. These links are usually inserted at the end of a vulnerability report.
It is recommended to add more than one link; we do not all have the same learning profile or ways of understanding concepts and having different links and resources will allow the readers of the report to find multiple explanations of the same vulnerability.
It is an excellent way to have a good understanding of the target and its possible risks. Integrating it into the report can help the customer understand the potential risks they face. Mentioning which of these scenarios were concretized and why can add a lot of value to a report.
Providing actionable remediation steps to the customer to mitigate identified vulnerabilities is essential. However, these steps must also be adapted to the context of the system or application being tested.
If a solution is not applicable to a specific system for some reason (it might be a business-related reason), try to find a remediation that fits your customer's needs.
How to get better at reporting
Reading public bug bounty and vulnerability reports can give an insight into how other pentesters write reports. It is a great way to learn from other people's experiences and improve our report-writing skills.
Build trust with your customer
Building a relationship with the customer is crucial as it sets the tone for the entire engagement. Therefore, it is essential to be transparent, communicate openly, and establish trust before, during, and after the testing process.
If you’re curious to explore even more pentesting tips and how to report your findings, check out Gabrielle’s helpful article.
Principal Penetration Tester at Dragos, inc.
Aaron pinpoints the lessons and mistakes he saw during the pentest report writing process.
The one thing I think that is often overlooked when learning, training, and teaching penetration testing is report writing. The functional output for every penetration test assessment is the customer report. That is what customers are paying for and what will carry weight in their organization to request and justify resources, whether that be funding, personnel, technology, etc.
Take great pride in the report and always ask yourself if you would be pleased or if there is anything you would have expanded on if you were in the customer’s seat.
Here are some lessons learned and mistakes I’ve seen during the report writing and report delivery process that I would like to summarize below.
The first recommendation is not sacrificing quality for speed. Yes, there need to be efficiencies around report writing to make sure you aren’t spending too much time on it for financial reasons, but take your time, plan accordingly, and make sure you have screenshots, notes, evidence, etc. when writing the report. The contents of a report should flow well together and not come across as being thrown together quickly.
The next recommendation is to make sure not to copy and/or paste content from another customer’s report into the report you are writing. Sure, this can save time by not having to re-write the same information repeatedly, but if you are referencing another customer’s report to do this you are doing it wrong. There is always going to be the chance of human error and one of the last things you want to do is copy another customer’s data (including their company name) and insert it into another customer’s report.
Other mistakes I’ve often viewed are summarized below:
Blatant copying of information from third-party resources without attribution or credit to the original authors.
Recommendations for each finding where some of them just don’t make sense and aren’t achievable. Not everything can be patched, for example, so rather than inform the customers to patch, consider also advising on compensating controls they can take to still protect those assets in the event they can’t do what you are recommending.
The executive summary has too much boilerplate verbiage. The executive summary is likely the most important section to the business leaders and the boss(es) of the person that hired you to do the penetration test. If what they are reading comes across as just copy/paste information, it’s unlikely they will continue through the rest of the report.
Writing penetration test findings/observations without including evidence and/or replication steps.
Not clearly defining methodology or process for applying severities to findings where severity seems arbitrary.
Operational Cybersecurity Engineer at BNP Paribas
Experience has shown Ait that it’s essential to avoid errors which can compromise the quality and effectiveness of the report.
Are you making these 4 common mistakes he talks about?
Lack of detail on detected vulnerabilities
It is crucial to provide accurate and comprehensive details on each vulnerability detected in the pentest report. Descriptions should be clear and concise with information on the potential consequences of each vulnerability. Technical evidence, such as screenshots and code samples, should be provided to reinforce the validity of the results.
Non-compliance with standards and best practices
It is important to follow established standards and best practices for writing pentest reports. These standards include the OWASP Testing Guide, NIST Special Publication 800-115, and PCI DSS Requirement 11.3.3. Reports should include contextual information on the tested system, a clear methodology for conducting the pentest, a detailed description of the results, practical recommendations for correcting detected vulnerabilities, and an overall conclusion.
Ineffective communication with stakeholders
Clear communication with stakeholders is essential to ensure the effectiveness of the pentest report. Reports have to be tailored to the target audience and communicated clearly and concisely. Stakeholders should be informed of the potential consequences of each detected vulnerability, and practical recommendations for remedying these vulnerabilities should be provided. Deliver recommendations in a format easily understandable to stakeholders who may not have high technical expertise.
Errors in vulnerability classification
It is important to correctly classify vulnerabilities based on their severity and potential impact on the system. Vulnerabilities should be classified according to the Common Vulnerability Scoring System (CVSS) standard, which provides a standardized method for classifying vulnerabilities.
Vulnerabilities classified as high or critical severity must be identified and corrected with priority.
In conclusion, writing the pentest report is a complex task that requires close attention to detail and a thorough understanding of security standards and best practices.
By avoiding common errors, providing comprehensive details on detected vulnerabilities, effectively communicating with stakeholders, and correctly classifying vulnerabilities, the pentest report can help improve the overall security of a system.
Must-have elements for any good pentest report
Without a doubt, penetration testing reports are the crown jewels of security assessments. If you are an offensive security specialist, you’ve probably written tons of reports for your stakeholders or clients. But how do you know that…
you’ve covered the most essential elements?
it’s not too technical or too broad (e.g. lacking actionable info)?
it adds clear and actionable recommendations?
Stand out from the crowd with these 3 expert pentest report tips:
Alethe Denis - “It’s important to remove any information that could be used to identify specific people within the organization and anonymize all results, especially when it comes to those who may have been compromised.”
Daniel Tomescu - “Another essential element is a clear impact description supported by a Proof of Concept (PoC)”
Travis DeForge - “It is crucial to strike a balance between simplicity and technicality” to ensure “that a report is useful to all stakeholders”
Senior Security Consultant | Red Team at Bishop Fox
The essential elements that a great pentest report should include vary depending on the type of testing. Some tests will have a more technical output, while others will be more of a narrative report and tell a story - rather than just listing findings.
At Bishop Fox, most of our reports are technical in nature with a small narrative about the testing performed included within the executive summary.
An executive summary is essential and should be accessible, short, and to the point - and require little to no technical knowledge to understand. It should include highlights and critical findings, and be inclusive of high-level recommendations making the next steps for the executive audience both clear and executable.
The rest of the report should have more detailed information about the testing and findings for each test completed by the assessment team, along with more granular details about each finding and specific recommendations and resources. However, it should always be clear, concise, and well-written; including only the information necessary is important.
Long, wordy, and confusing dialogues should be removed in favor of clear, concise actions and results. This should also be a clear and factual account with no emotionally-driven sentiments or anecdotal information.
In the end, most clients have only the report as an artefact to demonstrate that they have had a pentest. I believe it’s important to remove any information that could be used to identify specific people within the organization and anonymize all results, especially when it comes to those who may have been compromised.
You never know how people’s careers will develop, and allowing people to keep their dignity and learn from the experience is only going to improve the opinion of you and your company within the client organization.
Senior Penetration Tester at KPMG
A good penetration testing report should include essential elements that enable the recipient to understand the vulnerabilities found and how to address them.
One of the critical elements is a detailed description of the findings, including the methodology used to uncover the vulnerabilities. This description should make it easy for anyone, including non-technical stakeholders, to understand the impact of the vulnerabilities on the organization's security posture.
Another essential element is a clear impact description supported by a Proof of Concept (PoC). The PoC is a demonstration of how an attacker could exploit the vulnerability, and it provides evidence that the vulnerability is real and not a false positive. The impact description should also include information on the potential consequences of a successful exploit, such as data theft, service disruption, or reputation damage.
A good pentest report should also include a recommendation section that details how to address the identified vulnerabilities. This section should prioritize the vulnerabilities based on their severity, provide actionable steps to fix them, and include any additional information or resources that could assist in addressing the vulnerabilities.
For ethical hackers, it is a matter of deontology to put effort into reporting their findings, although it might not be the most interesting activity. They understand that a clear and concise report can make the difference between an organization fixing vulnerabilities and improving its security posture or neglecting the issues, leaving them exposed to potential attacks.
Therefore, the report should be well-structured, easy to read, and provide clear and actionable recommendations that stakeholders can use to improve their organization's security posture.
Alethe is also the first guest of our brand new podcast, in which she shares invaluable stories on security testing.
Security Engineering Manager at Gotham Security
Travis mentions how penetration tests can prove they’re worth the price by offering unique insights into realistic attack vectors. He also sheds light on what’s critical for customers: delivering a stellar report that shows how a simulated adversary sees their organization.
Ensuring that a report is useful to all stakeholders is of utmost importance. In order to achieve this, it is crucial to strike a balance between simplicity and technicality.
If the report is too simplistic, the client’s engineering team may not find it useful as it may not provide adequate remediation solutions for identified vulnerabilities. On the other hand, if the report is too technical, non-technical stakeholders may struggle to grasp the value being demonstrated. Therefore, the report should be detailed enough to provide effective remediation strategies while also being comprehensive enough to be accessible to all stakeholders.
In addition, it is important to present the report clearly and concisely, with appropriate explanations and examples to ensure that all stakeholders can easily understand the content.
Secondly, it is important to note that a detailed report can provide a deeper understanding of the attacker's actions. A report that clearly outlines what was tested and highlights both successful and unsuccessful attempts can instill confidence in the client, ensuring that the pentest was thorough and comprehensive.
To achieve this, the report should include details of all reconnaissance activities, attack surface enumeration and analysis, as well as exploitation attempts.
By doing so, the penetration testing report can clearly articulate the specific risks identified and provide a complete picture of the security posture.
Overall, a detailed report is crucial for the success of a pentest engagement, as it provides a comprehensive understanding of the security posture and recommendations for improvement.
How you craft your reports determines how others see your work
Crystal-clear, well-written pentest reports can make the difference between organizations fixing their issues and them ignoring your recommendations because they're not persuasive enough.
The report determines if your work translates into practice or remains another compliance item checked off the list.
You now have plenty of ideas to apply to your reports to make them truly useful for everyone who reads them. You can highlight both successful and unsuccessful attempts to boost confidence, you can provide replicable PoCs, and explain the business impact in clear, vivid terms. It’s the best way to ensure that you communicate how much work and professionalism you invested to make the entire pentest process thorough and comprehensive.
A big shoutout to all 10 offensive security professionals who shared their valuable insights on pentest reporting! Their generosity drives the industry forward and is an example for all of us.
Looking to learn from more ethical hackers? We asked 17 of them about the future of penetration testing and their thought-provoking perspectives are definitely worth the read!