Writing the Penetration Testing Report

Like every other topic we have discussed, writing a good penetration testing report takes practice.
Many penetration testers mistakenly think that they can simply provide the raw output from the tools that they run.
This group of people will often collect and neatly organize the various outputs into a single report.
They will gather any pertinent information from the reconnaissance phase and include it along with the output from Nmap and Nessus.
Many of the tools we discussed in this article include a reporting engine. For example, Nessus has several prebuilt reports that can be generated based on the scan.
Unfortunately, using the prebuilt reports is not enough. Each report must be well laid out and flow as a single document.
Combining one style of report from Nessus with a different style of report from Nmap or Metasploit will make the penetration test report appear disjointed and unorganized.
With that being said, it is important to provide the detailed output from each of your tools. Not many of your clients will have the ability to understand the technical output from Nmap or Nessus; however, remember that the data do belong to the client and it is important that they have access to the raw data.
We have discussed several examples of what not to do in a penetration testing report; let us examine this issue from a different angle and discuss what should be done.
First and foremost, the penetration testing report needs to be broken into several individual pieces. Taken together, these pieces will form your overall report, but each piece should work as a stand-alone report as well.
At a minimum, a well-rounded and well-presented penetration testing report should include the following:
- An executive summary.
- A walk-through of how the penetration test was performed to provide an understanding of how you successfully compromised or hacked the system(s).
- A detailed report.
- Raw output (when requested) and supporting information.
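
The point above about mixed Nmap and Nessus report styles reading as disjointed can be handled by normalizing both tools' XML exports into one table for the supporting-information section. The following is an added example, not code from the original article: the function names and the pipe-separated layout are assumptions, the sample XML is constructed (192.0.2.10 is a documentation address), and only a few fields of each format are read.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, trimmed to the fields used below (not real scan data).
NMAP_XML = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
  </ports>
</host></nmaprun>"""
NESSUS_XML = """<NessusClientData_v2><Report name="constructed">
  <ReportHost name="192.0.2.10">
    <ReportItem port="80" protocol="tcp" severity="3" pluginName="Example high finding"/>
    <ReportItem port="22" protocol="tcp" severity="1" pluginName="Example low finding"/>
  </ReportHost>
</Report></NessusClientData_v2>"""
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def nmap_rows(xml_text):
    # One row per open port: (host, "port/proto", source, severity, detail).
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports stay in the raw output only
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            rows.append((addr, f"{port.get('portid')}/{port.get('protocol')}", "Nmap", 0, f"open port ({name})"))
    return rows

def nessus_rows(xml_text):
    # One row per ReportItem, in the same five-field shape as nmap_rows().
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            rows.append((host.get("name"), f"{item.get('port')}/{item.get('protocol')}", "Nessus", int(item.get("severity")), item.get("pluginName")))
    return rows

def unified_table(nmap_xml, nessus_xml):
    # Merge both sources; sort by host, port number, then highest severity first.
    rows = nmap_rows(nmap_xml) + nessus_rows(nessus_xml)
    rows.sort(key=lambda r: (r[0], int(r[1].split("/")[0]), -r[3]))
    lines = ["Host | Port | Source | Severity | Detail"]
    lines += [f"{h} | {p} | {s} | {SEVERITY[sev]} | {d}" for h, p, s, sev, d in rows]
    return rows, "\n".join(lines)

if __name__ == "__main__":
    print(unified_table(NMAP_XML, NESSUS_XML)[1])
```

The unmodified tool exports should still accompany the report as raw output; this table only gives the reader one consistent view across tools.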