Stay up to date
Stay up to date with the latest threat reports, articles & mistakes to avoid.
Simple, yet important content.
No salesy pitches and all that, promise!
As a penetration testing company, we understand the pains of multiple different reporting formats (organised chaos?) and risk calculations. We have included the expectations of a penetration testing report and tips on how best to request a level of customisation to help your internal vulnerability assessment and management process. Service providers should ensure that customers receive the best quality penetration test report for their investment.
Why is penetration testing required?
Penetration testing is a critical security requirement for any organization. Penetration testing is an unauthorised attempt to break into IT systems and networks to find vulnerabilities before someone does it in reality. From small businesses to large corporations, all organisations should regularly conduct penetration tests because they are expensive, time-consuming, and difficult to defend against when done by real attackers. The best way to mitigate risk associated with cyber-attacks is through prevention, but if you can’t do that, detection can often provide adequate protection.
What should a penetration test include?
For this article’s purpose, we will define Penetration Testing as a method of gaining assurance against some or all of an organisations’ assets with similar tools, tactics and procedures (TTP) as used by adversaries. The final aim of a penetration test is to help improve an organisations’ internal vulnerability management process.
Organisations with high security maturity have a good idea of what pen testers are going to find. A third-party penetration test provides assurance to help with a good understanding of vulnerabilities in your assets.
What is a penetration test report?
A penetration test report is the output of a technical security risk assessment that acts as a reference for business and technical teams. It serves multiple benefits in addition to a team’s internal vulnerability management process. Based on the sensitivity and business relationships, a penetration testing report is used as evidence for product security assurance, an answer during M&A transactions, a proof of product/service security for big tenders or any related business stages where cyber security is questioned.
These testing reports are prepared using multiple methods. These range from traditional penetration test reports written by security consultants, template-based penetration testing report generators to online portals where penetration test reports can be viewed anytime.
What is the purpose of a penetration test report, and what does it provide?
A penetration test report provides a detailed and comprehensive analysis of the system’s vulnerabilities. It will also detail how to mitigate those issues, including recommendations for patching, hardening or locking down specific systems where needed. The goal is not only to identify problem areas that need addressing but also to provide solutions.
Your pen testing report is the security passport for your product and services to the world. It demonstrates the validation of your security controls and cyber security strategy at a wider level.
Penetration test regimes for the same asset may differ based on these parameters:
- what information is supplied to penetration testers (penetration test methodology)
- what test cases are included (tools, tactics and procedures)
- what assets are defined within the scope (pen test scope)
Whether some, all or no information is provided to penetration testers defines grey box, white box or black box pen test—penetration testing cases defined based on asset environment, primary and secondary security concerns. Assets within the scope are defined based on functional requirements or drivers behind the penetration test. It may vary from a single server to multiple network segments to an entire estate.
This answer is also applicable to physical security topics, i.e. physical penetration testing output.
Overall, a penetration test provides your products and services with the needed confidence to demonstrate strong controls, and no publicly known vulnerabilities are present in the product at the time.
What should a pen test report contain?
A penetration test report should involve the following areas:
- An outline of risk exposure for the tested assets
- Strategic and tactical recommendations on how to improve security posture
- Security issues identified during the assessment
- Risk levels in the context of likelihood and impact
- Recommendations to address the findings
- Customer support involving debriefs to ensure customer has a full understanding of their risks and risk remediation plan
Discuss your concerns today
What should a pen test report include?
The following sections provide details around different phases in a penetration test report.
An executive report (also called a management report) section includes the following areas:
- Executive Summary – The main section of the executive summary provides a high-level clear view of the risks and potential business impact. The main purpose here is to provide non-technical insight into the primary security concerns identified during the security assessment. This section must help executives translate security language into a business risk to ensure cyber security is an enabler. An executive summary reflects the state of your assessed assets at the moment.
- Key findings identified during the assessment in the context of the customer environment.
- Strategic and tactical recommendations to help stakeholders with risk remediation decision making in terms of resource investments.
This section often includes visuals in the form of charts, graphs and risk grids. All our executive summary reports are available in a single report or can be requested separately.
TIP: You should agree with your penetration testing services provider a report format in line with your internal risk reporting formats. Once requested, the customer should receive multiple formats; usually, a pdf report, a risk matrix (excel format) and internal risk findings document in line with your risk reporting format. It offers benefits such as consistency in risk ratings, direct input into internal risk register and reporting formats.
Walkthrough of technical risks
Technical findings section includes the following elements against every reported issue:
- Issue descriptions around vulnerability, misconfiguration or any other weakness along with likelihood of attack and impact (contextualized)
- Risk and Vulnerability metrics such as Control area, Critical/High/Medium/Low/Informational, CVSS scoring (if required), CWE IDs, likelihood, impact and remediation
- Risk certainty
- Technical details such as proof of concept in the form of raw data, screenshots and steps to reproduce the issue
- Detailed remediation measures in the context of the affected components
Automated tools often report previously calculated CVSS or similar scores rating certain vulnerabilities wrong. This form of reporting is prone to false positives in many situations because it fails to report on active exploitation of a vulnerability, does not consider the context of the affected service or product, and is unaware of its environment and metrics.
TIP: A penetration testing services provider must explain the risk scoring in the context of your assets to help you assess and remediate your technical risks.
Attack likelihood and potential impact
Pentest reports are sometimes challenged by peers in the security domain. This is both true and false.
False; sometimes, it is not possible to consider all the environment metrics of an asset.
True, since security assurance, management and other functional teams can’t interpret the right risk severities. This is because technical reports are missing out on the following items:
- Control categories where vulnerability has been identified
- Missing context of the affected asset in scope due to lack of details around risk, i.e. likelihood or probability of an attack and its impact.
We ensure that all findings are accompanied by control mappings and risk factors such as likelihood, impact and difficulty to fix an issue.
Sadly, many testing reports include technical findings in detail but miss out on the context of customer business. No explanations around probability and impact are available, leaving the customer distracted from their main task, i.e., assessing and preparing for remediation. Whether it is squeezed reporting time due to commercial pressures or the reporting process missing out on this is unknown.
Discuss your concerns today
Here is an example:
Insecure TLS configurations are often reported in line with the popular tool based speaks. Issue descriptions include the relevant details such as ciphers supported, protocol or configurational vulnerabilities, and associated technical risk ratings. However, it’s not fair on the customer’s side to find this issue a significant concern unless factors such as the likelihood of attack, impact, and service context (varies from SMTP, Web, SFTP or any other) are considered.
What is technically accurate may not be a representation of a true risk for a customer.
Considering the underlying context helps establish accuracy in line with customer assets in scope for a security assessment.
Risk remediation is the most important element of the report. Pentest buyers should look into a security partner who provides detailed guidance on risk remediation, not just reference links to vendor websites.
Remediation of vulnerabilities promptly is crucial to minimise the exposure risk to your assets. Fixing such issues varies in the investment of resources. Therefore, a remediation plan must be in place based on a prioritized approach. It may include simple tweaks, patching updates, configuration modification or third party solutions at times. Some risks may not be addressed, and businesses have to accept or transfer the risk.
One of the key aspects to keep in mind when writing a pen test report is that you want it to be as clear and concise as possible. This can be achieved by removing unnecessary information from your reports, such as extra logs or other items that may not help with understanding what has been found during the testing process. Most of this raw information, such as logs, lengthy information or supporting data, is provided in the Appendix section of the report. In bulk data, it is supplied separately in a test friendly format such as xls, xlsx, CSV.
Customer Support and Debrief
Cyphere’s engagement process includes ongoing email/phone support and debriefing with management and technical teams. This session involves a remediation plan and assessment walkthrough to ensure that customer contacts are updated in the language they understand.
Additionally, an optional remediation consultancy is available to help mitigate risks identified during penetration testing. Our approach involves a risk-focused approach towards risk remediation due to organisations’ security skill-set and environment complexities.
It would help if you did not hesitate to discuss your inputs into reporting with your penetration testing company. This includes specific issues and output formats you would like to see at the end of penetration testing.
If you are interested in knowing how pen test reports and bug bounty reports are prepared, here’s an interesting video to watch:
Sample penetration testing report
Any technically skilled person can perform a pen test. There is more to this process – this includes communication, customer business insight, deliverables and client support. This explains why we take our entire engagement process seriously.
If your cybersecurity services vendor engagements do not cover these items or you are unhappy with your documentation – Get in touch to discuss your concerns or ask for sample penetration testing reports.