Client Acceptance & Follow-Up Actions

Pen Test Reporting

After finishing your pen test and writing the report, you should plan to have a discussion with the client about the findings in the report. During the formal hand-off process, you’ll need to get confirmation from the client that they agree that the testing is complete and that they accept your findings as presented in your report. Use the meeting to discuss with the client anything that needs to be clarified or changed in the report before they can be confident in its conclusions.

Gaining the client’s acceptance is of paramount importance, as they will not automatically be satisfied with your report just because you have written one. They need to be convinced that the test was worthwhile from a business standpoint and that it truly met the objectives set out during the planning phase. You could, for example, provide them with a cost–benefit analysis (CBA) of implementing your recommended mitigations. The client may also wish to assess how well the test adhered to the established scope. They may even benefit from a better understanding of your testing methodology. In certain circumstances, they may also voice their concerns with how the test was handled. Ultimately, you must work with the client to address their concerns and prove to them that the test was conducted in their best interests.

Follow-Up Actions

Even though the pen test engagement is formally over, you might still have a few final tasks to complete as a follow-up. Some examples include:

  • Scheduling additional tests with the client organization.
  • Working with the security team that will implement your recommended mitigations.
  • Checking back with the client to see how their mitigation efforts are going.
  • Researching and testing new vulnerabilities that your team discovered during the test.
  • Researching vulnerabilities that the team couldn’t recommend a mitigation tactic for.
  • Informing the organization if a mitigation tactic is eventually found.

Attestation of Findings

Attestation is the process of providing evidence that the findings detailed in the pen test report are true. In other words, by signing off on the report given to the client, you are attesting that you believe the information and conclusions in the report are authentic. Attestation is perhaps the most significant component of gaining client acceptance, as the client must believe that what you have said about their people, processes, and technology is accurate. Many organizations will not simply trust your word that a particular vulnerability exists, even if you’ve built yourself a good reputation over the years. You must be prepared to prove what you claim.

Proof can come in many forms, and those forms usually depend on the nature of what is being proven. For example, if you want to prove that you were able to break into a server holding sensitive data, you could present exfiltrated data to the client as proof. If you want to provide evidence of a backdoor, you could give the client a live demonstration of accessing a host using a reverse shell. If you want to prove that you were able to glean sensitive data in transmission, you could show the client packet capture files that include the plaintext data. The threshold of evidence will differ from organization to organization, and some might be content with screenshots showing compromise rather than direct demonstrations. Once again, it’s important to communicate with your client to identify their needs.
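One practical way to make that proof attestable is to hash every evidence artifact (packet capture, screenshot, exported log) at collection time and deliver a manifest with the report, so the client can confirm that what they are looking at is exactly what the tester collected. The script below is an added example, not part of the original page; the artifact bytes, finding IDs and file names are constructed placeholders.

```python
"""Evidence manifest for attesting pen test findings (added example).

Each artifact that backs a finding is hashed with SHA-256 and recorded with
its finding ID and size. The client re-hashes the artifacts they received and
any missing or altered file is reported, which is the kind of check a client
can run before signing off on the report.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts: a pcap-like blob and a PNG-like blob.
# Real artifacts would be read from disk; these are placeholders.
SAMPLE_ARTIFACTS = {
    "capture-http-login.pcap": b"\xd4\xc3\xb2\xa1" + b"constructed capture bytes",
    "screenshot-admin-panel.png": b"\x89PNG\r\n\x1a\n" + b"constructed image bytes",
}

# Hypothetical mapping from artifact to the report finding it supports.
SAMPLE_FINDINGS = {
    "capture-http-login.pcap": "F-03 plaintext credentials in transit",
    "screenshot-admin-panel.png": "F-07 admin panel reachable without MFA",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, findings: dict, collected_at: str) -> dict:
    """Create a manifest listing every artifact, its finding, hash and size.

    Entries are sorted by name so the manifest hash is deterministic.
    """
    entries = []
    for name in sorted(artifacts):
        data = artifacts[name]
        entries.append({
            "artifact": name,
            "finding": findings.get(name, "UNASSIGNED"),
            "sha256": sha256_hex(data),
            "size": len(data),
        })
    manifest = {"collected_at": collected_at, "entries": entries}
    # A single digest over the entry list; this is the value you would quote
    # in the report (or sign) so the manifest itself is tamper-evident.
    canonical = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = sha256_hex(canonical)
    return manifest


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Return a list of problems; an empty list means every artifact checks out."""
    problems = []
    for entry in manifest["entries"]:
        name = entry["artifact"]
        data = artifacts.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{name}: hash mismatch")
    return problems


def demo_tamper_detection() -> tuple:
    """Build a manifest, then verify an intact set and a tampered set."""
    manifest = build_manifest(SAMPLE_ARTIFACTS, SAMPLE_FINDINGS,
                              "2024-01-01T00:00:00Z")
    clean = verify_manifest(manifest, SAMPLE_ARTIFACTS)
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["screenshot-admin-panel.png"] = b"edited after collection"
    del tampered["capture-http-login.pcap"]
    return clean, verify_manifest(manifest, tampered)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    print(json.dumps(build_manifest(SAMPLE_ARTIFACTS, SAMPLE_FINDINGS, now), indent=2))
    print(demo_tamper_detection())
```

Deliver the manifest alongside the artifacts; if the client later questions a screenshot or capture, both sides can re-run the verification against the recorded digests rather than arguing over memory of what was collected.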


Lessons Learned

An important part of any project is to identify any lessons learned during the project. When you debrief within the pen test team, you are likely to uncover things that did or did not work well. You can use this information to influence how you conduct future tests. The primary goal of drafting a lessons learned report (LLR) or after-action report (AAR) is to improve your pen test processes and tools. Failing to learn from these lessons can lead to repeating the same mistakes, inefficient use of your time, inaccurate or compromised findings and conclusions, and more—all of which will make it much harder for you to gain the client’s acceptance.

When you draft an LLR, you should ask and answer several fundamental questions about the pen test. Those questions can include:

  • What about the test went well?
  • What about the test didn’t go well, or didn’t go as well as planned?
  • What can the team do to improve its people skills, processes, and technology for future client engagements?
  • What new vulnerabilities, exploits, etc., did the team learn about?
  • Do the answers to these questions necessitate a change in approach or testing methodology?
  • How will you remediate any issues that you identified?

Guidelines for Conducting Post-Report-Delivery Activities

When conducting post-report-delivery activities:

  • Verify that you have removed any remaining artifacts of the test.
  • During formal hand-off of the report, be prepared to have a discussion about the contents of the report.
  • Get confirmation from the client that they agree that the testing is complete and that they accept the report’s findings and conclusions.
  • Find out what the client needs as far as proof of vulnerability or exploitation.
  • Provide proof of your tests as needed.
  • Draft a lessons learned report by asking yourself what did or did not go well during the test.
  • Identify areas of improvement for the pen test team’s processes and tools.
  • Identify any follow-up actions that need to be performed.
  • Identify who will be performing these actions.

2 thoughts on “Client Acceptance & Follow-Up Actions”

    1. The client acceptance should come after the attestation of findings.

      Once the penetration test report has been submitted to the client, the client should review the report and attest to the findings. This means that they confirm that the findings in the report accurately represent the results of the penetration testing and that they accept the report as complete and accurate.

      Only after the client has attested to the findings and accepted the report can the penetration testing engagement be considered complete. At this point, any remediation steps recommended in the report can be undertaken by the client to address the identified vulnerabilities or weaknesses.
