Report Writing

If you are performing pen tests for a living, hobby, or fun you will need to write reports.  If you perform a pen test and do not write a report that is hacking.  😉   When writing your report I recommend writing in a consistent manner with regard to tense, tone, and understanding.

Find the format/detail requirements for the company you work for or the customer you are reporting to and meet those requirements.

Most pen test reports have three or more audiences that will read/use the report.

The first is the executives, this group is busy and does not need deep details.  They also do not have the same vocabulary or knowledge as the pen tester or other audiences.  No pictures or real details, just concise breakdown of what the vulnerability(s) are and what they could mean to the company (PR issues, Loss of revenue, Fines, Audit Findings, etc.).

The second audience is the manager/architect/lead developer, this audience has the knowledge and vocabulary so you can and should get more detailed here.  Provide proof of concept (POC) steps and how the vulnerability can/will hurt the system/company.  Show screenshots, images, commands used, output, etc.

The third audience is usually the software/network engineer that has to fix the issue(s) and they need all the details for remediation and POC steps to validate it is fixed.  Get all the way in the dirt here, explain in painful details how to remediate or mitigate the vulnerability.

The other possible audiences could be auditors, junior engineers, non-techinical groups, internal audit support personal, etc.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s