What Is a Penetration Testing Report?
Penetration testing (pentesting) involves assessing the security of a system, network, or application. Although pentesters use the same techniques as malicious attackers, the process is legal, because it is performed with the consent of the tested organization.
A pentester must provide a detailed report on the testing process and the vulnerabilities discovered. A penetration testing report is the only tangible product of a pentest. The whole purpose of a penetration test is to identify vulnerabilities and security issues the organization can remediate—and these are communicated via the report. Thus, a penetration tester must ensure they create the best possible report.
A good penetration testing report provides an executive summary of finding, summarizes the vulnerabilities and their business impact, and provides recommendations to fix them. Successful penetration testers use a methodical approach, and document their methodology as part of the report.
In this article:
- Key Points to Consider Before Writing a Pen Test Report
- How to Create a Penetration Testing Report
- Best Practices for Writing a Penetration Testing Report
Key Points to Consider Before Writing a Pentest Report
A penetration test report provides a detailed overview of the weaknesses of the system being tested. It also outlines how to solve problems, including recommendations for patching, hardening, and restricting the functionality of systems when needed. The goal is to identify problem areas that need attention and to fix the issue.
Here are points to consider before you write a pentest report:
- Identify and specify the aims of penetration testing
- Know the plausible impacts of a breach
- Outline the testing process and other related techniques
What makes a great pentesting report?
Penetration testing reports are often overly technical and lack practical steps. Also, they don’t explain the business impacts resulting from the listed vulnerabilities’ presence.
A skilled penetration tester does not only find the weaknesses but also specifies the impact they have on the customer. The reports should offer the customer practical solutions to risks.
Related content: Read our guide to penetration testing services
How to Create a Penetration Testing Report
Here are the main sections you should include in a penetration testing report:
- Executive summary—pentesting reports start with a summary of your findings, intended for company executives. This should be written in non-technical language for people who are not security professionals but want to understand the significance of the vulnerabilities discovered and what the organization needs to do to solve them.
- Details of discovered vulnerabilities—provide an outline of the vulnerabilities you found, how you discovered them, and how an attacker can manipulate them. Keep it short, preferably in simple language that security professionals, developers, and non-technical roles can understand.
- Business impact—now that it is clear which vulnerabilities exist, you should analyze their impact on the organization. Use the Common Vulnerability Scoring System (CVSS) to score the vulnerabilities by severity. But go beyond CVSS scores to explain what critical systems each vulnerability affects. Provide a technical walkthrough of the impact to the specific organization if the vulnerability is exploited.
For example, when pentesting a financial application, explain for each vulnerability what it would allow attackers to do. What specific files could they view, and which operations would they be allowed to perform? Would they be able to perform financial transactions? This is critical for decision-makers to understand in order to manage remediation efforts.
- Exploitation difficulty—in this section, provide more details on the process you went through to discover and exploit each vulnerability. Provide a clear score for ease of exploitation such as Easy / Medium / Hard. The organization can use this, in combination with the severity of the vulnerabilities, to prioritize fixes.
- Remediation recommendations—this is the most important part of a pentesting report, explaining to the organization how to remediate the vulnerabilities you discovered. The main reason an organization invests in pentesting is to understand how to remediate its critical vulnerabilities. Provide specific instructions on how to remediate all affected systems.
To make your recommendations more effective, perform research to identify the most efficient fix in each case. For example, one system can be easily patched to fix a vulnerability, while another system may not support patching and may need to be isolated from the network.
- Strategic recommendations—beyond fixing the specific vulnerabilities, provide advice that can help the organization improve its security practices. For example, if the organization failed to detect your penetration test, recommend they adopt a better monitoring strategy. If you see that the organization grants excessive privileges to user accounts, recommend a better access control strategy.
Best Practices for Writing a Penetration Testing Report
The following best practices will help you create a winning pentesting report:
- Note the good with the bad—don’t only focus your reports on security shortcomings at the organization. If you found areas that were well secured, or you attempted an attack and were blocked by security tools, note this, so the organization knows which parts of its defenses are working well. Effective security controls that withstand your attacks do not reduce the value of your penetration test. The client will be happy to discover that their security investments have a good return.
- Write the report as you go—it is far better to write the report while conducting the penetration test rather than wait until the end and then start writing. Write your rough report as you are testing, taking screenshots, and recording events as they happen. At the end of your test, you will have a good record of your experiences, and you can organize them into your final report. This will also avoid “writer’s block” at the end of your pentesting engagement.
- Document your methods—every penetration tester has different methods and approaches. Share your methods with readers of the report. How did you perform reconnaissance? Why did you try a specific attack and not others? Did you use a specific framework such as NIST or SANS? This information should be woven into your report and can help strengthen the credibility and value of your findings.
- Clearly define the scope—it is critical to define the scope of your penetration test, both to keep your client happy and to avoid ethical and legal issues. Remember that if you do something outside the agreed scope of the penetration test, even if you have the best intentions, you could face legal liability. Draft a clear Statement of Work (SOW) that explains what you are and are not expected to test. Repeat the agreed scope in your report, so it is clear to everyone what you were hired to do.
Complementing Penetration Testing with Dynamic Application Security Testing (DAST)
Penetration testing and PTaaS are valuable to ensure your applications and network are secure, however a large proportion of each is conducted manually by specialist penetration testers. While PTaaS has streamlined the process of procuring and managing more frequent pentests, the process still takes time, is not scalable and the costs can spiral.
With more companies now apopting DevOps and CICD, further automation of security testing is required that removes security related bottlenecks and provides a direct and immediate feedback loop to developers.
Bright Security’s developer focussed Dynamic Application Security Testing scanner is used by penetration testing companies to carry out preliminary scans on their client applications and APIs. You can integrate Bright into your development pipelines to benefit from continual, scalable security testing early and often, on every build / commit.
Bright automatically validates every security issue, so has NO false positives. This removes the need for you to manually validate security issues (one of the services performed by PT / PTaaS). Coupled with the ability to detect Business Logic Vulnerabilities with Bright, this reduces your reliance on and cost of your manual penetration testing or PTaaS.