As a penetration testing provider, we understand the pains of multiple different reporting formats (organised chaos?) and risk calculations. We have included the expectations of a good penetration testing report and tips on how best to request a level of customisation to help your internal vulnerability assessment and management process. Service providers should ensure that customers receive the best quality penetration test report for their investment.
What is a penetration test report?
A penetration test report is the output of a technical security risk assessment that acts as a reference for business and technical teams. It serves multiple benefits in addition to a team’s internal vulnerability management process. Based on the sensitivity and business relationships, a penetration testing report is used as evidence for product security assurance, an answer during M&A transactions, a proof of product/service security for big tenders or any related business stages where cyber security is questioned.
These testing reports are prepared using multiple methods, ranging from traditional penetration testing reports written by security consultants, through template-based report generators, to online portals where penetration testing reports can be viewed at any time.
What is the importance of a pentest report?
A penetration test report provides a detailed and comprehensive analysis of the system’s vulnerabilities. It will also detail how to mitigate those issues, including recommendations for patching, hardening or locking down specific systems where needed. The goal is not only to identify problem areas that need addressing but also to provide solutions.
Your pen testing report is the security passport for your product and services to the world. It demonstrates the validation of your security controls and cyber security strategy at a wider level.
Penetration test regimes for the same asset may differ based on these parameters:
- what information is supplied to penetration testers (penetration test methodology)
- what test cases are included (tools, tactics and procedures)
- what assets are defined within the scope (pen test scope)
Whether some, all or no information is provided to penetration testers defines a grey box, white box or black box pen test. Test cases are defined based on the asset environment and the primary and secondary security concerns. Assets within the scope are defined based on functional requirements or the drivers behind the penetration test; they may range from a single server to multiple network segments to an entire estate.
This answer is also applicable to physical security topics, i.e. physical penetration testing output.
Overall, a penetration test gives your products and services the confidence needed to demonstrate that strong controls are in place and that no publicly known vulnerabilities were present in the product at the time of testing.
What should a pen test report contain?
A pentest report should cover the following areas:
- An outline of risk exposure for the tested assets
- Strategic and tactical recommendations on how to improve security posture
- Security issues identified during the assessment
- Risk levels in the context of likelihood and impact
- Recommendations to address the findings
- Customer support involving debriefs to ensure the customer has a full understanding of their risks and risk remediation plan
This is why a final report does not merely list the vulnerabilities discovered; it also provides strategic input towards improving security posture, protecting sensitive data and, in the case of an internal penetration test, wider input into IT investment decisions.
Pentest reporting must-haves
The following sections provide details about different phases in a penetration testing report.
An executive summary or a separate executive report (also called a management report) section includes the following areas:
- Executive Summary – The main section of the executive summary provides a clear, high-level view of the risks and their potential business impact. Its purpose is to give non-technical insight into the primary security concerns identified during the assessment. It covers the business impact derived from the technical risks associated with the target assets, the likelihood of an attack and what should be done to treat those risks. This section must help executives translate security language into business risk so that cyber security acts as an enabler. An executive summary reflects the state of the assessed assets at the time of the assessment.
- Key findings identified during the assessment in the context of the customer environment.
- Strategic and tactical recommendations to help stakeholders with risk remediation decision-making in terms of resource investments.
This section often includes visuals in the form of charts, graphs and risk grids. All our executive summary reports are available in a single report or can be requested separately.
TIP: You should agree a report format with your penetration testing services provider that is in line with your internal risk reporting formats. Once requested, the customer should receive multiple formats; usually a PDF report, a risk matrix (Excel format) and an internal risk findings document in line with your risk reporting format. This offers benefits such as consistency in risk ratings and direct input into your internal risk register and reporting formats.
Walkthrough of technical findings and severity per common vulnerability scoring system evaluation
This section is aimed at an audience of security professionals and IT teams such as developers, system administrators, database administrators and network administrators, who can understand security flaws from the report.
The technical findings section includes the following elements against every reported issue:
- Issue descriptions around vulnerability, misconfiguration or any other weakness along with the likelihood of attack and impact (contextualized)
- Risk and vulnerability metrics such as control area, severity (Critical/High/Medium/Low/Informational), CVSS score (Common Vulnerability Scoring System), CWE IDs, likelihood, impact and remediation
- Risk certainty
- Technical details such as proof of concept in the form of raw data, screenshots and steps to reproduce the issue
- Detailed remediation measures in the context of the affected components
Automated tools often report pre-calculated CVSS or similar scores that rate certain vulnerabilities incorrectly. This form of reporting is prone to false positives in many situations because it does not confirm whether the vulnerability can actually be exploited, does not consider the context of the affected service or product, and is unaware of the environment and its metrics.
TIP: A penetration testing services provider must explain the risk scoring in the context of your assets to help you assess and remediate your technical risks.
Attack likelihood and potential impact
Pentest reports are sometimes challenged by peers in the security domain. The criticism is partly justified and partly not.
It is unjustified in part because it is not always possible to consider all the environmental metrics of an asset.
It is justified where security assurance, management and other functional teams cannot interpret the risk severities correctly, because technical reports leave out the following items:
- Control categories in which the vulnerability has been identified
- Context of the affected asset in scope, i.e. the likelihood or probability of an attack and its impact
We ensure that all findings are accompanied by control mappings and risk factors such as likelihood, impact and difficulty to fix an issue.
Sadly, many testing reports include technical findings in detail but miss the context of the customer's business. No explanation of probability and impact is given, which distracts the customer from their main task: assessing and preparing for remediation. Whether this is due to reporting time squeezed by commercial pressures or to a reporting process that omits the step is unknown.
Here is an example:
Insecure TLS configurations are often reported in line with the output of popular tools. Issue descriptions include the relevant details such as the ciphers supported, protocol or configuration vulnerabilities, and the associated technical risk ratings. However, it is not fair to present this issue to the customer as a significant concern unless factors such as the likelihood of attack, the impact and the service context (SMTP, web, SFTP or any other) are considered.
What is technically accurate may not be a representation of a true risk for a customer.
Considering the underlying context helps establish accuracy in line with customer assets in scope for a security assessment.
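To make the TLS example above concrete, here is an added worked example (not from the article or from Cyphere) that applies the published CVSS v3.1 base and environmental formulas to one weak-TLS finding: first as a scanner would rate it, then with the asset's context supplied as environmental metrics. The vector strings are constructed samples, and temporal metrics (E/RL/RC) are assumed Not Defined.

```python
import math

# CVSS v3.1 weights from the specification tables; the PR weight depends on Scope.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR security requirements

def roundup(x):
    """CVSS v3.1 Roundup: up to one decimal, in integer arithmetic as the spec requires."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.1/AV:N/AC:H/...' -> {'AV': 'N', 'AC': 'H', ...}."""
    return dict(part.split(":") for part in vector.split("/")[1:])

def score(vector, environmental=False):
    """Base score; environmental=True applies Modified (MAV..MA) and CR/IR/AR metrics.
    Temporal E/RL/RC are assumed X (1.0), so the outer environmental Roundup changes nothing."""
    m = parse(vector)
    # A Modified metric overrides its base metric only when present and not 'X'.
    g = lambda k: m.get("M" + k, "X") if environmental and m.get("M" + k, "X") != "X" else m[k]
    cr, ir, ar = (REQ[m.get(k, "X")] if environmental else 1.0 for k in ("CR", "IR", "AR"))
    iss = 1 - (1 - cr * CIA[g("C")]) * (1 - ir * CIA[g("I")]) * (1 - ar * CIA[g("A")])
    if environmental:
        iss = min(iss, 0.915)  # cap on the Modified Impact Sub-Score
    if g("S") == "C":
        tail = (iss * 0.9731 - 0.02) ** 13 if environmental else (iss - 0.02) ** 15
        impact = 7.52 * (iss - 0.029) - 3.25 * tail
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[g("AV")] * AC[g("AC")] * PR[g("S")][g("PR")] * UI[g("UI")]
    return roundup(min(1.08 * (impact + expl) if g("S") == "C" else impact + expl, 10))

def severity(s):
    return ("None" if s == 0 else "Low" if s < 4 else "Medium" if s < 7
            else "High" if s < 9 else "Critical")

# Constructed sample: a weak-TLS finding as a scanner reports it, then the same
# finding on an internal-only SMTP relay that handles low-sensitivity data.
SCANNER = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
CONTEXT = SCANNER + "/CR:L/MAV:A"
def tls_example():
    """(tool score, contextual score) for the constructed finding: 5.9 vs 3.5."""
    return score(SCANNER), score(CONTEXT, environmental=True)
```

The same tool output moves from Medium (5.9) to Low (3.5) once reachability and data sensitivity are taken into account, which is the difference between a technically accurate finding and the customer's true risk.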
Risk remediation is the most important element of the report. Pentest buyers should look for a security partner who provides detailed guidance on risk remediation, not just reference links to vendor websites.
Prompt remediation of vulnerabilities is crucial to minimise the exposure of your assets. The resources needed to fix such issues vary, so a remediation plan based on a prioritised approach must be in place. It may include simple tweaks, patches and updates, configuration changes or, at times, third-party solutions. Some risks may not be addressable, and the business has to accept or transfer the risk.
One of the key aspects to keep in mind when writing a pen test report is that it should be as clear and concise as possible. This can be achieved by removing unnecessary information from the report, such as extra logs or other items that do not help the reader understand what was found during testing. Most of this raw information, such as logs, lengthy output or supporting data, is provided in the Appendix section of the report. Bulk data is supplied separately in a convenient format such as XLS, XLSX or CSV.
Customer Support and Debrief
Cyphere’s engagement process includes ongoing email/phone support and debriefing with management and technical teams. This session involves a remediation plan and assessment walkthrough to ensure that customer contacts are updated in the language they understand.
Additionally, an optional remediation consultancy is available to help mitigate the risks identified during penetration testing. We take a risk-focused approach to remediation, given the variation in organisations' security skill sets and environment complexity.
Do not hesitate to discuss your input into reporting with your penetration testing company, including the specific issues and output formats you would like to see at the end of the penetration test.
Sample penetration testing reports
Any technically skilled person can perform a pen test. There is, however, more to the process: communication, customer business insight, deliverables and client support. This explains why we take our entire engagement process seriously.
An extensive list of pentest sample reports available for download can be found here. This public repository includes reports from top names such as NCC Group, Bishop Fox and many others, which shows the importance of pentest reporting and its critical value for a customer. Report templates should be updated regularly so that changes such as revised risk-calculator scoring and vulnerability database updates are taken into account.
If your cybersecurity services vendor engagements do not cover these items or you are unhappy with your documentation, get in touch to discuss your concerns or to ask for sample penetration testing reports.
Penetration Testing Report FAQ
Why is penetration testing required?
Penetration testing is a critical security requirement for any organisation. It simulates attackers' attempts to break into IT systems and networks in order to identify security vulnerabilities before someone does so for real. From small businesses to large corporations, all organisations should regularly conduct penetration tests, because break-in attempts carried out by real attackers are expensive, time-consuming and difficult to defend against. The best way to mitigate cyber-attack risks is through prevention, but if you cannot do that, detection can often provide adequate protection.
This activity is scoped based on the assets, their architectural position and their threat profile. For instance, internal pen testing covers assets situated in the trusted zone of an organisation, while external penetration testing is performed on Internet-facing assets. Similarly, a wireless pen test targets wireless networks, web app security testing targets web applications, websites and APIs, and so on.
What should a penetration test include?
For this article's purpose, we define penetration testing as a method of gaining assurance over some or all of an organisation's assets using tools, tactics and procedures (TTPs) similar to those used by adversaries. The final aim of a penetration test is to help improve an organisation's internal vulnerability management process. See our blog section for further reading on pen test tools, types and pen testing methodologies.
Organisations with high security maturity have a good idea of what pen testers are going to find. A third-party penetration test provides assurance to help with a good understanding of vulnerabilities in your assets.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.