You can create a report that includes all of the information from your testing. A typical pen test report includes the sections identified in the following table. These sections can then be pulled together in various combinations depending on the audience. Within the sections you can also have subheadings containing more detailed content that would be better suited for one audience or another. If this is stored in a repository of some sort, the pieces needed for each audience can be pulled into a report designed specifically for that audience.

Report Section

Description

Executive summary

This is typically one or two paragraphs that summarize the content of the entire report, created after the report has been written. It should state the tasks that were conducted during the testing. It should identify the methodology that was used to conduct the tests. It should end with the high-level findings and suggested remediation for those findings. It should end with a conclusion statement such as, In conclusion, the network, systems, and processes have been found to be <insecure/secure>.

Methodology

This section describes the activities performed to conduct the testing. It should include steps that can be independently repeated so that findings can be validated.

Findings and remediation

This section is often presented as a table that identifies the vulnerability, the threat level, the risk rating, and whether the vulnerability was able to be exploited. It should also include the steps needed for remediation of the vulnerability.

Metrics and measures

Metrics are quantifiable measurements of the status of products or processes. An example of a metric related to pen testing is the criticality of vulnerability findings. This metric can be expressed on a scale, like 1 to 10. Measures are the specific data points that contribute to a metric. Using the same criticality metric as an example, the measures might be something like the percentage of hosts susceptible to a particularly critical vulnerability, the total number of critical vulnerabilities found throughout the client's assets, etc. Metrics and measures are important to include in a report because they demonstrate to the client quantifiable data about the test's findings.

Risk rating

The risk rating levels can include more granular levels of likelihood and impact than what is shown in this graphic, but this is a basic idea of how risk rating works. You will need to assign quantitative values to the risks so that you can accurately assign a risk impact and a likelihood that the risk will occur. The risk rating is the intersection between the likelihood of an event occurring and the impact it will have if it does occur.

Conclusion

This section wraps up the report. It should include a general summary statement about failures (and successes), with supporting evidence that can be written in a sentence or two. It should also include a statement of the pen test goals and whether those goals were met. You can get more specific about potential attacks and what assets such an attack could leverage. Identify the areas most likely to be compromised and recommend that those be dealt with as soon as possible.

Supporting evidence

Any supporting evidence, or attestation of findings, should be attached to the report. This might include printouts of test results, screenshots of network activity, and other evidence you obtained during testing.

Risk Rating