An important part of any project is identifying the lessons learned along the way. When you debrief within the pen test team, you are likely to uncover things that did or did not work well, and you can use that information to shape how you conduct future tests. The primary goal of drafting a lessons learned report (LLR), also called an after-action report (AAR), is to improve your pen test processes and tools. Failing to capture these lessons can lead to repeating the same mistakes, wasting time, and producing inaccurate or compromised findings and conclusions, all of which make it much harder to gain the client's acceptance of your work.

When you draft an LLR, you should ask and answer several fundamental questions about the pen test. Those questions can include:

  • What about the test went well?
  • What about the test didn't go well, or didn't go as well as planned?
  • What can the team do to improve its people, processes, and technology for future client engagements?
  • What new vulnerabilities, exploits, tools, or techniques did the team learn about?
  • Do the answers to these questions require a change in approach or testing methodology?
  • How will you remediate the issues you identified, and who is responsible for each fix?