After finishing your pen test and writing the report, plan a discussion with the client about the report's findings. During the formal hand-off process, you need the client's confirmation that the testing is complete and that they accept the findings as presented in your report. Use the meeting to discuss anything that needs to be clarified or changed in the report before the client can be confident in its conclusions.
Gaining the client's acceptance is of paramount importance, as they will not automatically be satisfied with your report just because you have written one. They need to be convinced that the test was worthwhile from a business standpoint and that it truly met the objectives set out during the planning phase. You could, for example, provide them with a cost–benefit analysis (CBA) of implementing your recommended mitigations. The client may also wish to assess how well the test adhered to the established scope. They may even benefit from a better understanding of your testing methodology. In certain circumstances, they may also voice their concerns with how the test was handled. Ultimately, you must work with the client to address their concerns and prove to them that the test was conducted in their best interests.
Even though the pen test engagement is formally over, you might still have a few final tasks to complete as follow-up. Some examples include:
- Scheduling additional tests with the client organization.
- Working with the security team that will implement your recommended mitigations.
- Checking back with the client to see how their mitigation efforts are going.
- Researching and testing new vulnerabilities that your team discovered during the test.
- Researching vulnerabilities that the team couldn't recommend a mitigation tactic for.
- Informing the organization if a mitigation tactic is eventually found.